fix(deps): revert TS6/ESLint10/webpack-cli7 majors and gate future majors
CI / commits (pull_request) Successful in 2m6s
CI / check (pull_request) Successful in 2m33s
CI / a11y (pull_request) Successful in 1m32s
CI / perf (pull_request) Successful in 2m32s
CI / scan (pull_request) Failing after 5m58s

Three Renovate-driven major bumps that landed via `nx affected`
passing trivially (deps-only change → no project flagged as
affected) have been silently breaking the build since they merged:

- **TypeScript 5→6** (#33) — TS6 deprecates `baseUrl`; every lib's
  `tsconfig.lib.json` now fails with `TS5101: Option 'baseUrl' is
  deprecated and will stop functioning in TypeScript 7.0`. Revert
  to TypeScript 5.9.x; we'll revisit when the broader Angular/Nx
  ecosystem aligns on TS6.
- **ESLint 9→10** (#36) — `@nx/eslint@22.7.1` was built against
  ESLint 9 and fails project-graph extraction with `Unable to find
  eslint`. Revert to ESLint 9.x; bring `@eslint/js`,
  `eslint-plugin-playwright`, and `jsonc-eslint-parser` back to
  their ESLint-9-compatible versions in the same revert.
- **webpack-cli 5→7** (#34) — webpack-cli 7 removed the
  `--node-env=production` flag that Nx's webpack target generates,
  breaking `portal-bff:build`. Revert to webpack-cli 5.x; revisit
  when Nx's webpack executor is updated.

The `ajv@<8.18.0` override added in #42 was over-broad: it forced
ESLint's transitively-bundled ajv to v8, which doesn't accept the
legacy options ESLint 9 passes. Narrow the override to
`@angular-devkit/core>ajv@<8.18.0` so only the targeted chain
(nestjs-prisma > @angular-devkit/core > ajv) is bumped, leaving
ESLint's ajv alone.

Verified locally: `pnpm exec nx run-many -t lint test build` is
green on all 8 projects; `pnpm audit --audit-level=moderate`
reports zero vulnerabilities.

To prevent future silent breakages, add a Renovate package rule
that gates **all major updates** behind the dependency dashboard
(`dependencyDashboardApproval: true`). Renovate stops creating PRs
for majors automatically — they appear as checkboxes in the
dashboard, and only get a PR when a human ticks the box. Patch
and minor bumps still flow on the daily cron.

`docs/development.md` "Reviewing Renovate PRs" is updated to
explain the gate and why it exists, citing the three offenders we
caught the hard way.
This commit is contained in:
Julien Gautier
2026-05-06 22:01:44 +02:00
parent 25bfba97cb
commit a0ee9fb3ca
4 changed files with 1132 additions and 1095 deletions
+1
View File
@@ -246,6 +246,7 @@ Repo → Actions → "Renovate" workflow → Run workflow. Useful when you've ju
- Renovate PRs run a leaner CI pipeline than human PRs — `check`, `scan`, `a11y` only. The `perf` and `commits` gates are skipped (per [ADR-0017](decisions/0017-performance-budgets-lighthouse-ci.md) — Lighthouse signal on a dep bump is essentially zero, commitlint on bot-generated messages is tautological). The full `perf` gate still runs on `push` to `main` post-merge, so regressions are caught seconds after merge rather than before.
- Don't merge until the remaining gates are green.
- **Major bumps are gated behind the dependency dashboard.** Renovate does not auto-create PRs for major updates; instead, they appear in the "Renovate Dependency Dashboard" issue with a checkbox. Tick the box only after reading the upstream changelog and confirming the rest of our toolchain (Nx plugins, Angular CLI, NestJS, etc.) supports the new major. This guard exists because `nx affected` sees a deps-only change as not affecting any project — so a major that breaks the build can pass CI silently and only surface days later. Past offenders we caught the hard way: TypeScript 5→6 (deprecated `baseUrl`), ESLint 9→10 (Nx eslint plugin not yet compatible), webpack-cli 5→7 (removed `--node-env` flag).
- The "Renovate Dependency Dashboard" issue (auto-created on first run) lists every pending update grouped by status. Use it to triage which PRs to expedite.
- For a major bump that introduces breaking changes, **don't reflexively merge**: read the changelog, then either accept the work or close the PR with a "rejected" label. Renovate respects that label and won't keep re-opening the same major.
- **Adding or removing** a dependency belongs in a feature PR, not in Renovate's scope. Renovate only updates _versions_ of existing deps.
+7 -7
View File
@@ -33,7 +33,7 @@
],
"overrides": {
"axios@<1.15.2": ">=1.15.2",
"ajv@<8.18.0": ">=8.18.0",
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
"brace-expansion@<5.0.5": ">=5.0.5",
"follow-redirects@<1.16.0": ">=1.16.0",
"ip-address@<10.1.1": ">=10.1.1",
@@ -55,7 +55,7 @@
"@angular/language-service": "~21.2.0",
"@commitlint/cli": "^20.5.3",
"@commitlint/config-conventional": "^20.5.3",
"@eslint/js": "^10.0.0",
"@eslint/js": "^9.8.0",
"@lhci/cli": "^0.15.1",
"@nestjs/schematics": "^11.0.0",
"@nestjs/testing": "^11.0.0",
@@ -85,15 +85,15 @@
"@vitest/coverage-v8": "~4.1.0",
"@vitest/ui": "~4.1.0",
"angular-eslint": "^21.2.0",
"eslint": "^10.0.0",
"eslint": "^9.8.0",
"eslint-config-prettier": "^10.0.0",
"eslint-plugin-playwright": "^2.0.0",
"eslint-plugin-playwright": "^1.6.2",
"husky": "^9.1.7",
"jest": "^30.0.2",
"jest-environment-node": "^30.0.2",
"jest-util": "^30.0.2",
"jsdom": "^29.0.0",
"jsonc-eslint-parser": "^3.0.0",
"jsonc-eslint-parser": "^2.1.0",
"lint-staged": "^17.0.0",
"nx": "22.7.1",
"postcss": "^8.5.12",
@@ -103,11 +103,11 @@
"ts-jest": "^29.4.0",
"ts-node": "10.9.2",
"tslib": "^2.3.0",
"typescript": "~6.0.0",
"typescript": "~5.9.2",
"typescript-eslint": "^8.40.0",
"vite": "^8.0.0",
"vitest": "^4.0.8",
"webpack-cli": "^7.0.0"
"webpack-cli": "^5.1.4"
},
"dependencies": {
"@angular/common": "~21.2.0",
+1119 -1088
View File
File diff suppressed because it is too large Load Diff
+5
View File
@@ -16,6 +16,11 @@
"labels": ["security", "dependencies"]
},
"packageRules": [
{
"matchUpdateTypes": ["major"],
"dependencyDashboardApproval": true,
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
},
{
"groupName": "Angular",
"matchPackageNames": [