chore: pin exact versions for internal dependencies #283

Merged: sameerank merged 3 commits into main from sameerank/pin-internal-versions on May 15, 2026

@sameerank
Contributor

Motivation

Ensure consumers always get the tested combination of package versions rather than potentially mismatched versions due to semver ranges.

With caret (^) versions, npm could resolve @datadog/flagging-core@^1.2.1 to a newer version (e.g., 1.3.0) while @datadog/openfeature-browser was built against 1.2.1, potentially causing subtle incompatibilities.

Changes

  • Add command.version.exact: true to lerna.json - future yarn release will use exact versions
  • Remove caret from existing @datadog/flagging-core dependencies in browser and node-server packages
  • Add scripts/internal-deps-validate.sh - validates internal deps use exact versions
  • Add CI step to run the validation on every PR

Test instructions

  1. Verify CI passes
  2. Test that yarn release (dry-run) produces exact versions:
    yarn lerna version --no-push --no-git-tag-version minor
    # Check that package.json files show "1.3.0" not "^1.3.0"
    git checkout -- .
  3. Verify the linter catches carets:
    # Temporarily add caret to test
    sed -i '' 's/"@datadog\/flagging-core": "1.2.1"/"@datadog\/flagging-core": "^1.2.1"/' packages/browser/package.json
    ./scripts/internal-deps-validate.sh  # Should fail
    git checkout -- packages/browser/package.json

Checklist

  • Updated Documentation
  • Tested locally
  • Tested on staging
  • Added unit tests for this change.
  • Added e2e/integration tests for this change.
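
The check described above (internal dependencies must use exact versions), sketched in JavaScript as an added example; it is not the PR's scripts/internal-deps-validate.sh, whose contents are not shown on this page. It also flags an exact pin that differs from the sibling package's current version, which goes beyond what the PR states; the function names, the checked field list, and the sample manifests (including `@datadog/example-node-server` and `third-party-lib`) are assumptions.

```javascript
// Added example; not the PR's scripts/internal-deps-validate.sh.
// The checked field list and the sample manifests are assumptions.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// True when a caret range such as "^1.2.1" accepts `version` (plain x.y.z only).
function caretAccepts(spec, version) {
  const [bMaj, bMin, bPat] = spec.slice(1).split('.').map(Number);
  const [maj, min, pat] = version.split('.').map(Number);
  if (maj !== bMaj) return false;
  if (bMaj > 0) return min > bMin || (min === bMin && pat >= bPat);
  if (bMin > 0) return min === bMin && pat >= bPat; // ^0.y.z stays within 0.y
  return min === 0 && pat === bPat;                 // ^0.0.z accepts only 0.0.z
}

// One finding per internal dependency that is a range, or that pins a version
// other than the sibling package's current version.
function findUnpinnedInternalDeps(manifests) {
  const versions = new Map(manifests.map((m) => [m.name, m.version]));
  const findings = [];
  for (const m of manifests) {
    for (const field of DEP_FIELDS) {
      for (const [dep, spec] of Object.entries(m[field] || {})) {
        if (!versions.has(dep)) continue; // third-party dependency: out of scope
        if (!EXACT.test(spec)) {
          findings.push({ pkg: m.name, field, dep, spec, reason: 'range' });
        } else if (spec !== versions.get(dep)) {
          findings.push({ pkg: m.name, field, dep, spec, reason: 'mismatch' });
        }
      }
    }
  }
  return findings;
}

// Constructed manifests mirroring the situation described in the PR.
const sampleManifests = [
  { name: '@datadog/flagging-core', version: '1.2.1' },
  { name: '@datadog/openfeature-browser', version: '1.2.1',
    dependencies: { '@datadog/flagging-core': '^1.2.1', 'third-party-lib': '^1.0.0' } },
  { name: '@datadog/example-node-server', version: '1.2.1', // hypothetical package name
    dependencies: { '@datadog/flagging-core': '1.2.0' } },
];

console.log(findUnpinnedInternalDeps(sampleManifests));
console.log('^1.2.1 accepts 1.3.0:', caretAccepts('^1.2.1', '1.3.0'));
```
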

Configure lerna to use exact versions (no caret) for inter-package
dependencies and add CI validation to enforce it.

Changes:
- Add `command.version.exact: true` to lerna.json
- Remove caret from existing @datadog/flagging-core dependencies
- Add scripts/internal-deps-validate.sh to catch version ranges
- Add CI step to run the validation
sameerank marked this pull request as ready for review May 14, 2026 19:05
sameerank requested a review from a team as a code owner May 14, 2026 19:05
sameerank requested review from dd-oleksii and leoromanovsky and removed request for a team May 14, 2026 19:05
Comment thread lerna.json
"version": "1.2.1",
"command": {
"version": {
"exact": true
Member

👍 oh, I think that's why it converted references to carets in the last bump — I forgot --exact 😢

fwiw, I think this is the only change that we actually need. lerna will pin versions on the next release, so it doesn't matter what we currently have in package.json and ci validation is checking irrelevant code.

If you do want to keep validation, I'd put it in pre-release workflow instead, so it checks the source we attempt to release

Member

also, because we already published a version with caret dependencies, the safest move is to do a major bump, so that released version doesn't start picking up unmatched dependency versions

Contributor Author

> lerna will pin versions on the next release, so it doesn't matter what we currently have in package.json

Removed the package.json changes in 5357491; we should see the version get pinned exactly when we run through the release process next time.

> ci validation is checking irrelevant code

Moved to the pre-release workflow in bc8b6cd.

> we already published a version with caret dependencies, the safest move is to do a major bump

A major bump makes sense. Safer to establish a clean baseline with exact pinning in 2.0.0.

sameerank merged commit 35c21a5 into main May 15, 2026
4 of 5 checks passed
sameerank deleted the sameerank/pin-internal-versions branch May 15, 2026 21:29