Auto-bump @openfn/cli and @openfn/ws-worker via Dependabot#4761
Auto-bump @openfn/cli and @openfn/ws-worker via Dependabot#4761elias-ba wants to merge 1 commit into
Conversation
…ions
Three orthogonal hygiene fixes:
* `.github/dependabot.yml`: the existing `/assets` entry was set to
`ecosystem: "mix"`, which silently matched nothing. Fix it to `npm`
and scope to `@openfn/*` so Dependabot opens a daily auto-PR when
either package ships a release.
* `assets/package.json` + `lib/mix/tasks/install_runtime.ex`: move
the `@cli_version` constant out of Elixir source and into
`package.json` as a regular devDependency. The Mix task reads the
pin at compile time via `File.read!` + `Jason.decode!`, with
`@external_resource` so recompiles trip on JSON changes. Single
source of truth for both pins; Dependabot can track the CLI now.
* `test/integration/web_and_worker_test.exs`: the version assertions
pinned exact builds for `language-http`, `worker`, `node.js`, and
`language-common`. Each new upstream release turned the test red
for reasons unrelated to Lightning. Loosen to `\d+\.\d+`.
Security Review ✅
|
elias-ba
changed the title
|
Thank you for raising this @elias-ba ! The dependabot update is cool. Looking at this stuff makes me want to rethink install_runtime and Lightning's relationship to the CLI. I think this script is a hangover from long ago, before we had the worker, when the CLI was the runtime engine that executed jobs. I think that Lightning's only dependencies on the CLI now are:
The fact is that this quite complex install_runtime script is just installing 2 npm packages (and I'm not even sure what The script is also installing the CLI globally, which I don't think I love. This is all too big to address here, but I'm feeling a compulsion to do something |
| "devDependencies": { | ||
| "@eslint-community/eslint-plugin-eslint-comments": "^4.4.1", | ||
| "@eslint/js": "^9.21.0", | ||
| "@openfn/cli": "1.35.3", |
There was a problem hiding this comment.
hmm. I liked this at first, but these are dependencies of the app frontend. The CLI isn't a dependency of that at all. So I'm not sure this is the right place.
And actually, given that lightning depends on the CLI in production, shouldn't it be a prod dependency?
There was a problem hiding this comment.
Oh wait - also, install_runtime will install the CLI globally. But npm install --prefix assets will install a local CLI in this folder. I'm not actually sure which bin will get used when running openfn (probably the global one).
2 participants
Description
Three orthogonal hygiene fixes around the
@openfn/cliand@openfn/ws-workerruntime pins:.github/dependabot.yml. The existing/assetsentry was set toecosystem: "mix", which silently matched nothing. Change it to"npm"and scope it to@openfn/*so Dependabot opens a daily auto-PR when either package ships a release.@openfn/clipin intoassets/package.json. The version was previously a hardcoded Elixir constant (@cli_versioninlib/mix/tasks/install_runtime.ex), which Dependabot can't track. The Mix task now reads the pin at compile time frompackage.jsonviaFile.read!+Jason.decode!, with@external_resourceso recompiles trip when the JSON changes. Single source of truth for both pins.web_and_worker_test. The test pinned exact builds forlanguage-http,worker,node.js, andlanguage-common. Each upstream release turned the test red for reasons unrelated to Lightning. Asserts each version key is present and looks like a version (\d+\.\d+) instead.Pairs with #4760 (which removes the per-PR runtime checks entirely). These three changes stand on their own — they pay off whether or not those checks ever return.
Validation steps
mix lightning.install_runtimeafter changing@openfn/cliinassets/package.jsonand confirm the new version is installed underpriv/openfn.@openfn/*release.Additional notes for the reviewer
AI Usage
You can read more details in our
Responsible AI Policy
Pre-submission checklist
/reviewwith Claude Code)
(e.g.,
:owner,:admin,:editor,:viewer)