Skip to content

Bump dependencies (non-major)#2210

Closed
stipsan wants to merge 3 commits into
mainfrom
cursor/bump-deps-f692
Closed

Bump dependencies (non-major)#2210
stipsan wants to merge 3 commits into
mainfrom
cursor/bump-deps-f692

Conversation

@stipsan

@stipsan stipsan commented Jul 1, 2026

Copy link
Copy Markdown
Member

Update: merged with main

main underwent a full monorepo restructuring after this PR was opened (monorepo migration + Changesets, prettieroxfmt, ESLintoxlint, jest/cypressvitest, workshop folded into apps/storybook). This PR now includes a merge commit resolving the resulting conflicts. See "Merge conflict resolution" below for the full classification of simple vs. complicated conflicts and how each was handled. Everything (pnpm lint, pnpm build, pnpm test, oxfmt --check) passes after the merge, using a clean pnpm install --frozen-lockfile.

Merge conflict resolution

Simple (mechanical, no conflicting intent) — fixed:

  • figma/package.json (deleted-by-them): main moved this to packages/figma/package.json with an otherwise-unrelated rewrite (new tsdown build, dropped the old pkg/babel tooling). Took main's file and re-applied our @figma/plugin-typings^1.130.0 bump there, since main hadn't independently touched that dependency.
  • packages/ui/src/core/hooks/useClickOutside.ts and .../utils/virtualList/virtualList.tsx: auto-merged cleanly by git, no action needed.
  • pnpm-lock.yaml: not hand-mergeable (pnpm 9→11, full dependency graph reshuffle), so regenerated via pnpm install against main's pinned pnpm@11.9.0 after resolving all manifest files.
  • Root package.json: textually conflicting, but unambiguous — main replaced the entire @sanity/ui manifest with a minimal monorepo root (scripts moved to packages/ui/packages/figma/apps/storybook). Took main's version as-is.

Complicated (conflicting intent) — resolved with explicit judgment calls, flagged for review:

  • packages/ui/package.jsonnot even flagged as a conflict by git (silent data loss risk): since this is a "new path" from git's perspective, a plain merge would have silently dropped every dependency bump from this PR. I manually reconciled it:
    • Re-applied bumps main hadn't already picked up: @floating-ui/react-dom^2.1.8, csstype^3.2.3, motion^12.42.2, @testing-library/jest-dom^6.9.1, @testing-library/react^16.3.2, styled-components (@sanity/styled-components) → ^6.1.24.
    • Left untouched (main already had equal/newer): @types/react, @types/react-dom, react, react-dom, react-is.
    • Deliberately did NOT re-add: babel-plugin-styled-components, commitizen, eslint-plugin-react-hooks, jest, jest-environment-jsdom, module-alias, typescript-eslint. Main removed all of these repo-wide as part of the tooling migration (verified via git grep across origin/main — zero remaining references). Bumping their versions would resurrect dependencies the migration deliberately deleted.
  • packages/ui/src/core/primitives/avatar/avatar.tsx — genuine same-line conflict: this PR removed a stale eslint-disable-next-line react-hooks/set-state-in-effect (no longer needed under eslint-plugin-react-hooks@7.1.1), while main's ESLint→oxlint migration replaced that exact comment with oxlint-disable-next-line react-compiler. These are two different lint tools' suppressions for the same line, not a trivial textual overlap. Kept main's oxlint suppression — confirmed still necessary by running oxlint directly on the file (removing it reintroduces the warning), and it's consistent with AGENTS.md's note that suppressions now use oxlint-disable-next-line.

None of the version-bump reconciliations above could be verified against the original PR's own CI (which no longer exists — pnpm ts:check, eslint, jest, prettier are all gone from main), so I re-validated everything against the new toolchain instead (oxlint with type-aware checking via oxlint-tsgolint, tsdown build, vitest, oxfmt).


Original PR: bump dependencies (non-major)

Bumps dependencies to their latest versions within the current major version (i.e. the kind of update Renovate would normally open individually). Split into two commits to match this repo's semantic-release commit conventions (fix(deps) for runtime dependencies, chore(deps) for devDependencies):

fix(deps): production dependencies

  • @floating-ui/react-dom^2.1.8
  • csstype^3.2.3
  • motion^12.42.2

chore(deps): development dependencies

  • @figma/plugin-typings (figma workspace) → ^1.130.0
  • @testing-library/jest-dom^6.9.1
  • @testing-library/react^16.3.2
  • @types/react^19.2.17
  • @types/react-dom^19.2.3
  • babel-plugin-styled-components^2.3.0
  • commitizen^4.3.2
  • eslint-plugin-react-hooks7.1.1
  • jest^30.4.2
  • jest-environment-jsdom^30.4.1
  • module-alias^2.3.4
  • react / react-dom / react-is (dev) → ^19.2.7
  • styled-components (@sanity/styled-components) → ^6.1.24
  • typescript-eslint^8.62.1

The eslint-plugin-react-hooks bump refined the react-hooks/set-state-in-effect rule, which made three existing eslint-disable-next-line comments unnecessary (useClickOutside.ts, avatar.tsx, virtualList.tsx). Those were removed in the same commit so the tree stayed lint-clean. (Note: after the merge above, the avatar.tsx suppression comment is back, but as an oxlint suppression — see "Merge conflict resolution".)

What was intentionally left alone (pre-merge; now largely moot, see above)

  • Major version bumps (e.g. typescript 5→6, eslint/@eslint/js 9→10, vite 7→8, @vitejs/plugin-react 5→6, cypress 13→15, husky 8→9, @babel/* 7→8, @sanity/pkg-utils 8→10, @sanity/prettier-config 2→3, @sanity/semantic-release-preset 5→6, @commitlint/* 19→21, rimraf 5→6, semantic-release 24→25, lint-staged 14→17, npm-run-all2 8→9, start-server-and-test 2→3, globals 16→17, eslint-plugin-boundaries 5→6, eslint-plugin-simple-import-sort 12→13, eslint-formatter-gha 1→2, @types/node 22→26, vite-tsconfig-paths 5→6, and the pre-1.0 "breaking-equivalent" bump eslint-plugin-react-refresh 0.4→0.5). These needed dedicated migration/testing effort and were out of scope for a routine bump.
  • Storybook family (storybook, @storybook/*, eslint-plugin-storybook) was kept at 8.6.14/0.12.0 on purpose — .github/renovate.json explicitly pinned these to <=8 on main/v2 since the Storybook major upgrade was being handled separately on the v4 branch. (Main has since merged that Storybook v10 upgrade in as part of the monorepo restructuring.)
  • prettier3.9.4 was tried and reverted: the then-pinned @sanity/prettier-config@^2.0.1 depended on @prettier/plugin-oxc@0.0.4, which crashed under prettier 3.9.4. Moot now that main has replaced prettier with oxfmt entirely.
  • @babel/plugin-transform-object-rest-spread (figma workspace) was left at 7.28.4 for the same reason as the other @babel/* 7→8 majors. Moot now that main's packages/figma no longer uses Babel at all.

Testing (pre-merge)

Ran locally after a clean pnpm install --frozen-lockfile:

  • pnpm ts:check
  • pnpm lint -f gha --max-warnings 0
  • pnpm build
  • pnpm test (42 suites / 125 tests passing)
  • pnpm format (no diffs)
Open in Web Open in Cursor 

- @floating-ui/react-dom to ^2.1.8
- csstype to ^3.2.3
- motion to ^12.42.2
- @figma/plugin-typings to ^1.130.0
- @testing-library/jest-dom to ^6.9.1
- @testing-library/react to ^16.3.2
- @types/react to ^19.2.17
- @types/react-dom to ^19.2.3
- babel-plugin-styled-components to ^2.3.0
- commitizen to ^4.3.2
- eslint-plugin-react-hooks to 7.1.1
- jest to ^30.4.2
- jest-environment-jsdom to ^30.4.1
- module-alias to ^2.3.4
- react/react-dom/react-is (dev) to ^19.2.7
- styled-components (@sanity/styled-components) to ^6.1.24
- typescript-eslint to ^8.62.1

Also removes three now-unused react-hooks/set-state-in-effect
eslint-disable directives surfaced by the eslint-plugin-react-hooks
bump, since the rule no longer flags those patterns.
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
sanity-ui-storybook Ready Ready Preview, Comment Jul 5, 2026 8:18pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
sanity-ui-workshop Ignored Ignored Preview Jul 5, 2026 8:18pm

Request Review

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​@​floating-ui/​react-dom@​2.1.81001007384100
Addednpm/​@​sanity/​styled-components@​6.1.24951007387100
Addednpm/​@​figma/​plugin-typings@​1.130.01001008599100
Addednpm/​@​testing-library/​react@​16.3.210010010087100
Addednpm/​motion@​12.42.210010010097100

View full report

main underwent a full monorepo restructuring since this branch was cut
(refactor: structure as a monorepo and migrate to Changesets, #2216) plus
several tooling migrations (prettier -> oxfmt, ESLint -> oxlint, jest/cypress
-> vitest, workshop folded into apps/storybook). Conflict resolution:

- figma/package.json: accepted main's move to packages/figma/package.json,
  then re-applied our @figma/plugin-typings ^1.130.0 bump there (main hadn't
  independently bumped it).
- package.json (root): accepted main's version wholesale, since the old
  root package.json (the @sanity/ui manifest) was replaced by a minimal
  monorepo root and its contents moved to packages/ui/package.json.
- packages/ui/package.json (not flagged as a conflict by git, but silently
  dropped all of this branch's bumps since it's a new path): re-applied the
  still-applicable bumps that main had not already picked up independently
  (@floating-ui/react-dom ^2.1.8, csstype ^3.2.3, motion ^12.42.2,
  @testing-library/jest-dom ^6.9.1, @testing-library/react ^16.3.2,
  styled-components/@sanity/styled-components ^6.1.24). @types/react,
  @types/react-dom, react, react-dom and react-is were already at or above
  our target versions on main, so left untouched. Intentionally did NOT
  re-add babel-plugin-styled-components, commitizen, eslint-plugin-react-hooks,
  jest, jest-environment-jsdom, module-alias or typescript-eslint: main
  removed these tools entirely as part of the oxlint/oxfmt/vitest/tsdown/
  Changesets migration, so bumping their versions would conflict with that
  migration's intent.
- packages/ui/src/core/primitives/avatar/avatar.tsx: kept main's
  oxlint-disable-next-line react-compiler comment (added by the ESLint to
  oxlint migration) over this branch's removal of the old
  eslint-disable-next-line react-hooks/set-state-in-effect comment. Both
  changes touched the same suppression for the same line, but for two
  different lint tools with different rule behavior; since main has fully
  moved to oxlint, its suppression is the one that matters now, and oxlint
  confirms it is still required (removing it reintroduces the warning).
- pnpm-lock.yaml: regenerated via pnpm install against pnpm@11.9.0 (main's
  pinned package manager) rather than hand-merging, since the lockfile
  format/content changed too extensively (pnpm 9 to 11, full dependency
  graph reshuffle) for a textual merge to be meaningful.

Verified after resolution: pnpm lint (oxlint, type-aware), pnpm build
(tsdown, both packages), pnpm test (vitest, 42 files / 125 tests), and
oxfmt --check all pass.

Co-authored-by: Cody Olsen <stipsan@users.noreply.github.com>
@changeset-bot

changeset-bot Bot commented Jul 5, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5a4406b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants