chore(deps): bump @swc/core in hogvm to unblock pnpm update#68700
Conversation
common/hogvm/typescript pinned @swc/core at 1.11.4, which swc published without npm provenance (they dropped attestations between ~1.5.19 and 1.15.1). Under the workspace trustPolicy: no-downgrade, that version permanently fails validation, so any pnpm command that re-resolves the workspace (pnpm update, pnpm add) aborts with a trust-downgrade error for everyone. Bump to ^1.15.18, matching the provenance-attested version the rest of the workspace already resolves. The lockfile dedupes onto the existing 1.15.18 entry and drops the 1.11.4 subtree. Generated-By: PostHog Code Task-Id: 4d0808dc-4703-4fe7-b26e-4ece499fbb6d
|
Hey @MattPua! 👋 It looks like your git author email on this PR isn't your
You can fix it for this repo with: git config user.email "you@posthog.com"Or set it globally with |
|
Reviews (1): Last reviewed commit: "chore(deps): bump @swc/core in hogvm to ..." | Re-trigger Greptile |
🤖 CI report✅ Bundle size — no changeUncompressed size of every built Total: 76.96 MiB · no change No file changed by more than 1000 B. Posted automatically by build-bundle-size-report · uncompressed bytes from dist-report ✅ Eager graph — within budgetHow much code each root ships on the eager path — downloaded and parsed before the surface is interactive. Measured from the esbuild output chunks (post-tree-shake, static imports only); lazy
🟢 Largest files eagerly shipped from
|
| Size | File |
|---|---|
| 126.8 KiB | ../node_modules/.pnpm/react-dom@18.3.1_react@18.3.1/node_modules/react-dom/cjs/react-dom.production.min.js |
| 24.6 KiB | ../node_modules/.pnpm/buffer@6.0.3/node_modules/buffer/index.js |
| 6.3 KiB | ../node_modules/.pnpm/react@18.3.1/node_modules/react/cjs/react.production.min.js |
| 4.5 KiB | ../node_modules/.pnpm/@jspm+core@2.1.0/node_modules/@jspm/core/nodelibs/browser/process.js |
| 3.9 KiB | ../node_modules/.pnpm/scheduler@0.23.2/node_modules/scheduler/cjs/scheduler.production.min.js |
| 1.4 KiB | ../node_modules/.pnpm/base64-js@1.5.1/node_modules/base64-js/index.js |
| 1.3 KiB | src/RootErrorBoundary.tsx |
| 912 B | ../node_modules/.pnpm/ieee754@1.2.1/node_modules/ieee754/index.js |
| 789 B | src/scenes/ChunkLoadErrorBoundary.tsx |
| 668 B | src/index.tsx |
Largest files eagerly shipped from src/scenes/AuthenticatedShell.tsx
| Size | File |
|---|---|
| 458.3 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/driving-hogzilla.mjs |
| 302.9 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/coffee-run.mjs |
| 275.2 KiB | ../node_modules/.pnpm/posthog-js@1.396.6/node_modules/posthog-js/dist/rrweb.js |
| 266.9 KiB | ../node_modules/.pnpm/@posthog+icons@0.37.4_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/@posthog/icons/dist/posthog-icons.es.js |
| 253.2 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/chart-hog.mjs |
| 239.2 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/x-ray.mjs |
| 224.6 KiB | src/taxonomy/core-filter-definitions-by-group.json |
| 211.9 KiB | ../node_modules/.pnpm/posthog-js@1.396.6/node_modules/posthog-js/dist/module.js |
| 211.6 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/money.mjs |
| 185.9 KiB | ../node_modules/.pnpm/@posthog+brand@0.3.0_react@18.3.1/node_modules/@posthog/brand/dist/generated/hoggies/svg/hogpatch.mjs |
Posted automatically by check-eager-graph · sizes are eager output bytes (shipped, post-tree-shake) from the esbuild metafile · part of #32479
✅ Dist folder size — no change
Total size of the built frontend/dist folder (all assets), compared against the base branch.
Total: 1465.36 MiB · no change
⚠️ Playwright — 1 flaky
🎭 Playwright report · View test results →
- Early access feature new and list (chromium)
These issues are not necessarily caused by your changes.
Annoyed by this section? Help fix flakies and failures and it will go green!
|
Note 🤖 stamphog reviewed Gates denied this PR: it hit the dependency/toolchain deny-list and was classified as never-auto-approvable, and there's also an in-flight review (👀) that hasn't finished. |
Problem
pnpm updatefails workspace-wide withERR_PNPM_TRUST_DOWNGRADEon@swc/core@1.11.4. Our pnpm security policy rejects package versions that lack npm's publish verification (proof the package was built and published from the project's own CI) once any older version had it. swc stopped publishing with that verification for a while, and 1.11.4 falls in that window, so pnpm flags it as a possible package takeover on every re-resolution. Regularpnpm installis unaffected. Hit while working on #68679.Changes
Bump
@swc/coreincommon/hogvm/typescript(devDependency, test tooling only) from^1.11.4to^1.15.18, a version published with the verification restored. Not a new version for the repo:common/replay-headlessandcommon/replay-sharedalready resolve to exactly 1.15.18, so hogvm just joins the existing entry and the odd-one-out 1.11.4 copy (plus its per-platform binaries) drops out of the lockfile. That's the large negative diff. Incidental:unlayer-types1.441.0 → 1.445.0 refreshed during resolution.How did you test this code?
pnpm updateno longer errorsAutomatic notifications
Docs update
None needed.
🤖 Agent context
Autonomy: Human-driven (agent-assisted)
Authored with Claude Code; root cause traced via @swc/core's npm publish history.
🤖 Generated with Claude Code