Contributor

@renovate renovate bot commented Dec 4, 2025

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 04:59 AM, on day 4 of the month ( * 0-4 4 * * ) in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Update of dependencies. label Dec 4, 2025

pkg-pr-new bot commented Dec 4, 2025

  • vite-css-base-ui-example

    pnpm add https://pkg.pr.new/mui/base-ui/@base-ui-components/react@3405
    
    pnpm add https://pkg.pr.new/mui/base-ui/@base-ui-components/utils@3405
    

commit: fe1a165


netlify bot commented Dec 4, 2025

Deploy Preview for base-ui ready!

Name Link
🔨 Latest commit fe1a165
🔍 Latest deploy log https://app.netlify.com/projects/base-ui/deploys/6934ccdd5143010008fe2673
😎 Deploy Preview https://deploy-preview-3405--base-ui.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.


mui-bot commented Dec 4, 2025

Bundle size report

Bundle Parsed size Gzip size
@base-ui-components/react 0B(0.00%) 0B(0.00%)

Details of bundle changes


Check out the code infra dashboard for more information about this PR.

@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged. label Dec 4, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from aff0f8b to d1b56f6 Compare December 4, 2025 07:31
@github-actions github-actions bot added PR: out-of-date The pull request has merge conflicts and can't be merged. and removed PR: out-of-date The pull request has merge conflicts and can't be merged. labels Dec 4, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from d1b56f6 to 0e632bf Compare December 6, 2025 04:13
@github-actions github-actions bot added PR: out-of-date The pull request has merge conflicts and can't be merged. and removed PR: out-of-date The pull request has merge conflicts and can't be merged. labels Dec 6, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 0e632bf to 8d1e916 Compare December 6, 2025 09:37
@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged. label Dec 6, 2025
@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged. label Dec 6, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 8d1e916 to 41ca35b Compare December 6, 2025 10:11
@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged. label Dec 6, 2025
Contributor Author

renovate bot commented Dec 6, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@oliviertassinari oliviertassinari force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 44240d0 to 7b4af3d Compare December 7, 2025 00:30
Member

oliviertassinari commented Dec 7, 2025

Ok, so in theory, this PR solves all the security warnings in https://github.com/mui/base-ui/security/dependabot.


@mui/infra It feels like the way we manage our version ranges is wrong. We have stuff like this:

"@mui/internal-code-infra": "^0.0.3-canary.53",

but we can easily have breaking changes between two patch versions with our @mui/internal- packages. We don't have to support millions of developers with our internal packages, so we don't have to pay for the full overhead of caring about breaking changes. So breaking changes can easily slip inside patches (I would argue we should try to minimize them, but it's not worth going above and beyond; it feels much better for the person to spend that time updating all the repositories as soon as they merge something a bit risky.)

So when https://docs.renovatebot.com/configuration-options/#lockfilemaintenance runs once a month, which does this:

When Renovate performs lockFileMaintenance it deletes the lock file and runs the relevant package manager. That package manager creates a new lock file, where all dependency versions are updated to the latest version. Renovate then commits that lock file to the update branch and creates the lock file update PR.

It's a mess (this PR, a load of stuff was breaking on breaking changes from internal packages). So how about we manage this problem like this, here and in the other repositories:

diff --git a/package.json b/package.json
index 9cdc21263..4424d537c 100644
--- a/package.json
+++ b/package.json
@@ -60,9 +60,9 @@
     "@arethetypeswrong/cli": "^0.18.2",
     "@babel/plugin-transform-react-constant-elements": "^7.27.1",
     "@base-ui-components/monorepo-tests": "workspace:*",
-    "@mui/internal-code-infra": "^0.0.3-canary.53",
-    "@mui/internal-netlify-cache": "^0.0.2-canary.1",
-    "@mui/internal-test-utils": "^2.0.15",
+    "@mui/internal-code-infra": "0.0.3-canary.53",
+    "@mui/internal-netlify-cache": "0.0.2-canary.1",
+    "@mui/internal-test-utils": "2.0.15",
     "@next/eslint-plugin-next": "15.5.6",
     "@octokit/rest": "^22.0.1",
     "@playwright/test": "1.57.0",
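Review bot: The exact pins on the three @mui/internal-* lines fix only the top-level versions; the dependencies of those packages are still re-resolved whenever lockFileMaintenance regenerates the lock file, so a monthly refresh can still change what they pull in. package.json has no place for a comment, so the reason these three are pinned while neighbours such as "@octokit/rest": "^22.0.1" keep a caret should be recorded where a future editor will see it, for example next to the Renovate configuration, together with how updates for the pinned packages are expected to arrive.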
@@ -86,7 +86,7 @@
     "globby": "^16.0.0",
     "lerna": "^9.0.1",
     "markdownlint-cli2": "^0.19.1",
-    "prettier": "^3.6.2",
+    "prettier": "~3.6.2",
     "pretty-quick": "^4.2.2",
     "publint": "^0.3.15",
     "react": "^19.2.1",
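Review bot: The prettier line moves from ^3.6.2 to ~3.6.2, which still lets a lock file refresh pick up any later 3.6.x release, unlike the exact pins applied to the @mui/internal-* entries in the previous hunk. The rationale given in the comment covers internal packages only, so state why prettier is changed here; if the aim is a formatter version that does not move during lock file maintenance, an exact "prettier": "3.6.2" would match the other pinned tools in this file ("@next/eslint-plugin-next": "15.5.6", "@playwright/test": "1.57.0").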

@oliviertassinari oliviertassinari force-pushed the renovate/lock-file-maintenance branch from 7b4af3d to fe1a165 Compare December 7, 2025 00:39
@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged. label Dec 7, 2025
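
The range problem raised in the comment above, as an added example (not code from this PR or from the MUI repositories): a Node.js check that lists dependencies under a name prefix whose range a lock file refresh is allowed to move, with the exclusive upper bound each range admits. The function names and sample manifests are constructed for illustration; the version strings are the ones quoted in the diff.

```javascript
// Added example: which dependencies can a lock-file refresh move, and how far?
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Exact version, optionally with prerelease/build metadata (e.g. 0.0.3-canary.53).
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Exclusive upper bound admitted by a caret or tilde range, per npm semver rules.
function upperBound(spec) {
  const m = /^([\^~])(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null; // other range syntaxes are reported without a bound
  const [major, minor, patch] = [Number(m[2]), Number(m[3]), Number(m[4])];
  if (m[1] === '~') return `<${major}.${minor + 1}.0`;
  if (major > 0) return `<${major + 1}.0.0`;
  if (minor > 0) return `<0.${minor + 1}.0`;
  return `<0.0.${patch + 1}`;
}

// List entries under `prefix` that are neither exact pins nor workspace links.
function findFloating(manifest, prefix) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      if (!name.startsWith(prefix)) continue;
      if (EXACT.test(spec) || spec.startsWith('workspace:')) continue;
      findings.push({ field, name, spec, upperBound: upperBound(spec) });
    }
  }
  return findings;
}

// Constructed manifests holding only the entries quoted in the diff above.
const before = {
  devDependencies: {
    '@mui/internal-code-infra': '^0.0.3-canary.53',
    '@mui/internal-netlify-cache': '^0.0.2-canary.1',
    '@mui/internal-test-utils': '^2.0.15',
    prettier: '^3.6.2',
  },
};
const after = {
  devDependencies: {
    '@mui/internal-code-infra': '0.0.3-canary.53',
    '@mui/internal-netlify-cache': '0.0.2-canary.1',
    '@mui/internal-test-utils': '2.0.15',
    prettier: '~3.6.2',
  },
};

console.log(findFloating(before, '@mui/internal-')); // three caret ranges
console.log(findFloating(after, '@mui/internal-')); // none
```

Run against a real package.json by passing the parsed file as `manifest`; a non-empty result in CI marks internal packages that lock file maintenance can still upgrade.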