From f868ce1e1bf484e006f598a116af61a31dc6c3fc Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Tue, 14 Jul 2026 03:23:44 -0700 Subject: [PATCH] fix(release): stop node-workspace from clobbering manual dependency ranges release-please's node-workspace plugin defaults to always-link-local: true, which force-rewrites every workspace-internal dependency's semver range on every regeneration of a release branch -- even when the current range already satisfies the sibling's version. This has repeatedly clobbered deliberate, manually-set constraints on @loopover/miner's and @loopover/mcp's @loopover/engine dependency back to a bare "*" (most recently caught by the repo's security scanner on #5730, PR #5729 before that), and separately generated a string of "empty" release PRs (mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively cross-bump a dependency range ahead of the sibling's actual publish, with no real content of their own. Setting always-link-local: false (a documented top-level manifest option, confirmed against release-please's own JSON schema) makes the plugin only touch a workspace dependency when the CURRENT range no longer covers the sibling's version -- i.e. only for a genuine breaking change, which is exactly when a deliberate, manually-verified bump is warranted anyway (the judgment call this session has been making by hand every time this came up). Also fixes apps/gittensory-ui/src/lib/mcp-package.ts's MCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published 0.9.0 (unrelated to the config change, but blocking this branch's own gate via ui:version-audit). --- apps/gittensory-ui/src/lib/mcp-package.ts | 2 +- release-please-config.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/gittensory-ui/src/lib/mcp-package.ts b/apps/gittensory-ui/src/lib/mcp-package.ts index 678983f0f..58dc510a1 100644 --- a/apps/gittensory-ui/src/lib/mcp-package.ts +++ b/apps/gittensory-ui/src/lib/mcp-package.ts @@ -8,7 +8,7 @@ export const MCP_PACKAGE_REGISTRY_URL = `https://registry.npmjs.org/${MCP_PACKAG export const MCP_PACKAGE_NPM_URL = `https://www.npmjs.com/package/${MCP_PACKAGE_NAME}`; // Tracks the latest PUBLISHED release: ui:version-audit requires this to equal npm dist-tags.latest, so it is // bumped to a new version only AFTER that version publishes (never ahead of npm). -export const MCP_PACKAGE_KNOWN_LATEST_VERSION = "0.7.1"; +export const MCP_PACKAGE_KNOWN_LATEST_VERSION = "0.9.0"; export const MCP_MINIMUM_SUPPORTED_VERSION = "0.5.0"; export type NpmPackageMetadata = { diff --git a/release-please-config.json b/release-please-config.json index 147bd48c4..38e829e13 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -25,6 +25,7 @@ "include-component-in-tag": true, "separate-pull-requests": true, "pull-request-title-pattern": "chore(release): cut${component} v${version}", + "always-link-local": false, "plugins": [ { "type": "node-workspace",