fix(deps): revert TS6/ESLint10/webpack-cli7 majors and gate future majors
Three Renovate-driven major bumps that landed via `nx affected` passing trivially (deps-only change → no project flagged as affected) have been silently breaking the build since they merged: - **TypeScript 5→6** (#33) — TS6 deprecates `baseUrl`; every lib's `tsconfig.lib.json` now fails with `TS5101: Option 'baseUrl' is deprecated and will stop functioning in TypeScript 7.0`. Revert to TypeScript 5.9.x; we'll revisit when the broader Angular/Nx ecosystem aligns on TS6. - **ESLint 9→10** (#36) — `@nx/eslint@22.7.1` was built against ESLint 9 and fails project-graph extraction with `Unable to find eslint`. Revert to ESLint 9.x; bring `@eslint/js`, `eslint-plugin-playwright`, and `jsonc-eslint-parser` back to their ESLint-9-compatible versions in the same revert. - **webpack-cli 5→7** (#34) — webpack-cli 7 removed the `--node-env=production` flag that Nx's webpack target generates, breaking `portal-bff:build`. Revert to webpack-cli 5.x; revisit when Nx's webpack executor is updated. The `ajv@<8.18.0` override added in #42 was over-broad: it forced ESLint's transitively-bundled ajv to v8, which doesn't accept the legacy options ESLint 9 passes. Narrow the override to `@angular-devkit/core>ajv@<8.18.0` so only the targeted chain (nestjs-prisma > @angular-devkit/core > ajv) is bumped, leaving ESLint's ajv alone. Verified locally: `pnpm exec nx run-many -t lint test build` is green on all 8 projects; `pnpm audit --audit-level=moderate` reports zero vulnerabilities. To prevent future silent breakages, add a Renovate package rule that gates **all major updates** behind the dependency dashboard (`dependencyDashboardApproval: true`). Renovate stops creating PRs for majors automatically — they appear as checkboxes in the dashboard, and only get a PR when a human ticks the box. Patch and minor bumps still flow on the daily cron. `docs/development.md` "Reviewing Renovate PRs" is updated to explain the gate and why it exists, citing the three offenders we caught the hard way.
This commit is contained in:
@@ -246,6 +246,7 @@ Repo → Actions → "Renovate" workflow → Run workflow. Useful when you've ju
|
||||
|
||||
- Renovate PRs run a leaner CI pipeline than human PRs — `check`, `scan`, `a11y` only. The `perf` and `commits` gates are skipped (per [ADR-0017](decisions/0017-performance-budgets-lighthouse-ci.md) — Lighthouse signal on a dep bump is essentially zero, commitlint on bot-generated messages is tautological). The full `perf` gate still runs on `push` to `main` post-merge, so regressions are caught seconds after merge rather than before.
|
||||
- Don't merge until the remaining gates are green.
|
||||
- **Major bumps are gated behind the dependency dashboard.** Renovate does not auto-create PRs for major updates; instead, they appear in the "Renovate Dependency Dashboard" issue with a checkbox. Tick the box only after reading the upstream changelog and confirming the rest of our toolchain (Nx plugins, Angular CLI, NestJS, etc.) supports the new major. This guard exists because `nx affected` sees a deps-only change as not affecting any project — so a major that breaks the build can pass CI silently and only surface days later. Past offenders we caught the hard way: TypeScript 5→6 (deprecated `baseUrl`), ESLint 9→10 (Nx eslint plugin not yet compatible), webpack-cli 5→7 (removed `--node-env` flag).
|
||||
- The "Renovate Dependency Dashboard" issue (auto-created on first run) lists every pending update grouped by status. Use it to triage which PRs to expedite.
|
||||
- For a major bump that introduces breaking changes, **don't reflexively merge**: read the changelog, then either accept the work or close the PR with a "rejected" label. Renovate respects that label and won't keep re-opening the same major.
|
||||
- **Adding or removing** a dependency belongs in a feature PR, not in Renovate's scope. Renovate only updates _versions_ of existing deps.
|
||||
|
||||
Reference in New Issue
Block a user