Enforce exact dependency versions

[mattinannt]

Summary

• enforce exact dependency versions across the workspace by pinning root dependencies and pnpm overrides
• configure future dependency updates to stay exact via save-exact=true, .ncurc.json, and a workspace validator in scripts/check-exact-deps.mjs
• fix the react-native package lint pipeline by correcting the ESLint config, adding the missing Vitest ESLint plugin, and cleaning up the remaining source/test lint violations
• refresh the lockfile and resolve branch conflicts so the PR is ready to merge

Testing

• pnpm install
• node scripts/check-exact-deps.mjs
• pnpm lint

Notes

• peerDependencies remain ranged intentionally so the published SDK stays compatible for consumers
• I did not run the test suite

[coderabbitai]

Walkthrough

This pull request introduces infrastructure to enforce exact dependency version pinning across the monorepo. New configuration files (.ncurc.json, .npmrc, apps/playground/.npmrc) are added to control version handling. A new validation script (scripts/check-exact-deps.mjs) recursively checks all package.json files for exact semver specifications in dependencies and pnpm overrides, with configurable exceptions for workspace and file protocols. Existing dependencies and overrides are updated to use exact versions, the lint script is modified to run the validation before linting, and pnpm is upgraded to version 10.32.1.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Enforce exact dependency versions' is clear, specific, and directly summarizes the main change in the changeset.
Description check	✅ Passed	The pull request description clearly describes the changeset: enforcing exact dependency versions, configuring tools for exact versions, adding a validator script, and fixing ESLint issues in the react-native package.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use your project's `biome` configuration to improve the quality of JS/TS/CSS/JSON code reviews.

Add a configuration file to your project to customize how CodeRabbit runs biome.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/check-exact-deps.mjs`:
- Line 57: The directory traversal using for (const entry of
fs.readdirSync(dirPath, { withFileTypes: true })) is non-deterministic; call
fs.readdirSync into a variable (e.g., entries), sort the Dirent objects by their
name (entries.sort((a,b) => a.name.localeCompare(b.name))) and then iterate over
the sorted list so the violation lists produced by the script
(scripts/check-exact-deps.mjs) are stable and deterministic across runs and CI.
- Around line 25-27: The JSON read/parse of each manifest is unwrapped and will
throw without indicating which file failed; wrap the fs.readFileSync/JSON.parse
for each manifestPath in a try/catch, and on error log or print the failing
manifestPath (manifestPath) along with the error before exiting; update the loop
that reads manifestPaths and the code around JSON.parse(fs.readFileSync(...)) to
catch errors and include manifestPath context in the error message.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8133ed50-9826-4ea4-bb65-383f9d4092db

📥 Commits

Reviewing files that changed from the base of the PR and between bfce8a0 and fa056e9.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (7)

• .ncurc.json
• .npmrc
• apps/playground/.npmrc
• package.json
• packages/react-native/.eslintrc.cjs
• packages/react-native/package.json
• scripts/check-exact-deps.mjs

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fa056e99a4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".