-
Notifications
You must be signed in to change notification settings - Fork 82
Auto-bump @openfn/cli and @openfn/ws-worker via Dependabot#4761
Auto-bump @openfn/cli and @openfn/ws-worker via Dependabot #4761elias-ba wants to merge 1 commit into
Conversation
...ions Three orthogonal hygiene fixes: * `.github/dependabot.yml`: the existing `/assets` entry was set to `ecosystem: "mix"`, which silently matched nothing. Fix it to `npm` and scope to `@openfn/*` so Dependabot opens a daily auto-PR when either package ships a release. * `assets/package.json` + `lib/mix/tasks/install_runtime.ex`: move the `@cli_version` constant out of Elixir source and into `package.json` as a regular devDependency. The Mix task reads the pin at compile time via `File.read!` + `Jason.decode!`, with `@external_resource` so recompiles trip on JSON changes. Single source of truth for both pins; Dependabot can track the CLI now. * `test/integration/web_and_worker_test.exs`: the version assertions pinned exact builds for `language-http`, `worker`, `node.js`, and `language-common`. Each new upstream release turned the test red for reasons unrelated to Lightning. Loosen to `\d+\.\d+`.
Security Review ✅
- S0 (project scoping): N/A, no changes touch project-scoped queries or web entrypoints — diff is limited to
.github/dependabot.yml,assets/package.json, a Mix install task, and a test file. - S1 (authorization): N/A, no new controller actions, LiveView events, or Bodyguard policy changes.
- S2 (audit trail): N/A, no writes to project or instance configuration resources;
lib/mix/tasks/install_runtime.ex:14-25only readspackage.jsonat compile time.
josephjclark
commented
May 18, 2026
Thank you for raising this @elias-ba ! The dependabot update is cool.
Looking at this stuff makes me want to rethink install_runtime and Lightning's relationship to the CLI.
I think this script is a hangover from long ago, before we had the worker, when the CLI was the runtime engine that executed jobs.
I think that Lightning's only dependencies on the CLI now are:
- Integration tests
- Metadata loading
The fact is that this quite complex install_runtime script is just installing 2 npm packages (and I'm not even sure what common is used for).
The script is also installing the CLI globally, which I don't think I love.
This is all too big to address here, but I'm feeling a compulsion to do something
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm. I liked this at first, but these are dependencies of the app frontend. The CLI isn't a dependency of that at all. So I'm not sure this is the right place.
And actually, given that lightning depends on the CLI in production, shouldn't it be a prod dependency?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh wait - also, install_runtime will install the CLI globally. But npm install --prefix assets will install a local CLI in this folder. I'm not actually sure which bin will get used when running openfn (probably the global one).
Description
Three orthogonal hygiene fixes around the
@openfn/cliand@openfn/ws-workerruntime pins:.github/dependabot.yml. The existing/assetsentry was set toecosystem: "mix", which silently matched nothing. Change it to"npm"and scope it to@openfn/*so Dependabot opens a daily auto-PR when either package ships a release.@openfn/clipin intoassets/package.json. The version was previously a hardcoded Elixir constant (@cli_versioninlib/mix/tasks/install_runtime.ex), which Dependabot can't track. The Mix task now reads the pin at compile time frompackage.jsonviaFile.read!+Jason.decode!, with@external_resourceso recompiles trip when the JSON changes. Single source of truth for both pins.web_and_worker_test. The test pinned exact builds forlanguage-http,worker,node.js, andlanguage-common. Each upstream release turned the test red for reasons unrelated to Lightning. Asserts each version key is present and looks like a version (\d+\.\d+) instead.Pairs with #4760 (which removes the per-PR runtime checks entirely). These three changes stand on their own — they pay off whether or not those checks ever return.
Validation steps
mix lightning.install_runtimeafter changing@openfn/cliinassets/package.jsonand confirm the new version is installed underpriv/openfn.@openfn/*release.Additional notes for the reviewer
AI Usage
You can read more details in our
Responsible AI Policy
Pre-submission checklist
/reviewwith Claude Code)
(e.g.,
:owner,:admin,:editor,:viewer)