fix(deps): roll back dependabot major bumps and pin frozen majors #45

Merged: WhiteMuush merged 2 commits into main from fix/deps-dependabot-fallout on Jun 16, 2026

@WhiteMuush (Owner)

What

  • Roll next, tailwindcss, typescript and eslint back to their pinned majors (15, 3, 5, 9) and realign eslint-config-next to 15.
  • Rewrite check-frozen-deps to enforce a canonical major baseline instead of a differential.

Why

Dependabot landed next 16, tailwindcss 4, typescript 6 and eslint 10 on main. These are breaking majors that were never migrated, so lint and build were red:

  • eslint 10 is incompatible with the eslint-plugin-react bundled by eslint-config-next.
  • tailwindcss 4 moves the PostCSS plugin and changes the CSS entry syntax.
  • next 16 changes the middleware export contract.

The frozen-deps policy was meant to prevent exactly this, but it only blocked diffs that changed a major. Once a bump reached the baseline branch it was no longer flagged. The new canonical-baseline check rejects any frozen dependency whose major differs from the pin, so a stray major bump is caught even after it lands.

Verification

npm run lint -- --max-warnings 0, npx tsc --noEmit and npm run build all pass locally on the rolled-back stack.

Merge order

Merge this first. It turns main green. chore/db-migrate-guardrail branched off the broken main and must be rebased on top of this before its CI can pass.

Dependabot landed next 16, tailwindcss 4, typescript 6 and eslint 10 on
main. These are breaking majors that were never migrated, so CI (lint
and build) was red. The frozen-deps policy was meant to prevent exactly
this but only blocked diffs that changed a major, so a bump that reached
the baseline branch was no longer flagged.

- Roll next, tailwindcss, typescript and eslint back to their pinned
  majors (15, 3, 5, 9) and realign eslint-config-next to 15.
- Rewrite check-frozen-deps to enforce a canonical major baseline
  instead of a differential, so a stray major bump is rejected even
  after it lands on the baseline branch.

Stop Dependabot from opening major-bump PRs for next, eslint-config-next,
tailwindcss, typescript and eslint, which check-frozen-deps now rejects.
Avoids recurring red PRs for upgrades that are intentionally pinned.
@WhiteMuush WhiteMuush merged commit ae05b42 into main Jun 16, 2026
11 checks passed
@WhiteMuush WhiteMuush deleted the fix/deps-dependabot-fallout branch June 16, 2026 09:42
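
The gap between the differential policy and the canonical-baseline policy described in this PR, as an added example that is not the repository's check-frozen-deps script. The function names, the model of the old differential check and the sample manifests are assumptions; only the pinned majors (15, 3, 5, 9) come from the PR text.

```javascript
// Added example: not the project's check-frozen-deps script.
// Pinned majors are the ones stated in the PR; function names are hypothetical.
const FROZEN_MAJORS = {
  next: 15, "eslint-config-next": 15, tailwindcss: 3, typescript: 5, eslint: 9,
};

// Major of an exact, ^ or ~ range ("^15.3.1", "~3.4", "5.x"); null for anything
// that could span majors or cannot be parsed (">=9", "*", "latest", git URLs).
function majorOf(range) {
  const m = /^[~^]?(\d+)(?:\.[\dx*]+){0,2}(?:-[\w.]+)?$/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

const allDeps = (pkg) => ({ ...pkg.dependencies, ...pkg.devDependencies });

// Assumed model of the old policy: flag only majors that change between base and head.
function checkDifferential(basePkg, headPkg) {
  const base = allDeps(basePkg), head = allDeps(headPkg);
  return Object.keys(FROZEN_MAJORS).filter(
    (n) => n in base && n in head && majorOf(base[n]) !== majorOf(head[n]));
}

// Canonical baseline: every declared frozen dependency must resolve to its pin.
// Unparseable ranges fail closed instead of being skipped.
function checkCanonical(pkg) {
  const deps = allDeps(pkg);
  return Object.entries(FROZEN_MAJORS)
    .filter(([n, pin]) => n in deps && majorOf(deps[n]) !== pin)
    .map(([n, pin]) => ({ name: n, declared: deps[n], pin }));
}

// Constructed manifests: only the majors come from the PR text.
const brokenMain = {
  dependencies: { next: "^16.0.0" },
  devDependencies: { tailwindcss: "^4.0.0", typescript: "^6.0.0", eslint: "^10.0.0" },
};
// A branch cut from the broken main that touches no dependency.
const featureBranch = JSON.parse(JSON.stringify(brokenMain));
const rolledBack = {
  dependencies: { next: "^15.0.0" },
  devDependencies: { "eslint-config-next": "^15.0.0", tailwindcss: "^3.0.0",
    typescript: "^5.0.0", eslint: "^9.0.0" },
};

console.log(checkDifferential(brokenMain, featureBranch)); // nothing flagged
console.log(checkCanonical(featureBranch).map((v) => v.name));
console.log(checkCanonical(rolledBack));
```

The differential check passes the feature branch because its majors match the already-bumped base, while the canonical check still reports all four drifted packages.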