Upgrade npm-check-updates to v17 in build-cli #26732
ncu@17 is fully bundled with zero dependencies, eliminating the transitive tar 6.x chain (ncu@16 → pacote → cacache → tar 6.x).

Code changes:
- Bump npm-check-updates from ^16.14.20 to ^17.1.18
- Remove deep type imports (build/src/types/) that no longer exist in v17
- Replace Index<VersionSpec> cast with equivalent Record<string, string>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Upgrades npm-check-updates to v17 for @fluid-tools/build-cli, updating the lockfile and adjusting the one call site that relied on v16’s internal type paths.
Changes:
- Bump npm-check-updates dependency from ^16.14.20 to ^17.1.18 for @fluid-tools/build-cli
- Update the build-tools workspace lockfile to include npm-check-updates@17.1.18
- Remove v16 deep type imports and update the result type assertion in npmCheckUpdates
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| build-tools/pnpm-lock.yaml | Updates the lockfile to resolve npm-check-updates@17.1.18 for the build-cli importer. |
| build-tools/packages/build-cli/src/library/package.ts | Removes deep type imports from ncu v16 and adjusts the typing of the ncu.run() result. |
| build-tools/packages/build-cli/package.json | Bumps the npm-check-updates dependency to ^17.1.18. |
Files not reviewed (1)
- build-tools/pnpm-lock.yaml: Language not supported
| silent: true, | ||
| peer: true, | ||
| })) as Index<VersionSpec>; | ||
| })) as Record<string, string>; |
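Review bot: the `as Record<string, string>` assertion on the changed last line is unchecked, so whatever the call returns is treated as a flat string map with no verification at compile time or run time. Consider typing the result as `unknown` and narrowing it with a guard before any key is read, so that a result of a different shape fails at this call site instead of further downstream.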
Good catch — the old Index<VersionSpec> types were equally loose (both just string-based records), but since we're touching this line anyway there's no reason not to improve it. Fixed: result is now typed as unknown and narrowed to the correct shape in each branch (Record<string, Record<string, string>> for glob, Record<string, string> for single-package).
Type the result as unknown and narrow to the correct shape in each branch: Record<string, Record<string, string>> for glob patterns, Record<string, string> for single-package lookups.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- npm-check-updates from v16 to v17 in @fluid-tools/build-cli
- tar 6.x chain (ncu@16 → pacote → cacache → tar 6.x)
- build/src/types/) that no longer exist in v17
- ncu.run() result: typed as unknown and narrowed per branch (Record<string, Record<string, string>> for glob patterns, Record<string, string> for single-package)

Context
Split from #26707. The tar override fix is in #26731 (pure config, no code changes). This PR contains the ncu upgrade with a code change in build-cli/src/library/package.ts.

Once published in the next build-cli release, the tar overrides in non-root workspaces (which exist because they depend on published @fluid-tools/build-cli@0.63.0 that still ships ncu@16) can be removed.

Test plan
- flub check policy) still work correctly

🤖 Generated with Claude Code
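
The narrowing described in this thread (result typed as unknown, then narrowed per branch) can be done with run-time type guards instead of a cast. The following is an added example, not the code merged in this PR: the type and function names are hypothetical, the meaning of the outer key in the glob shape is an assumption, and the sample values are constructed.

```typescript
// Added example, not the code merged in this PR. Type and function names are
// hypothetical; the two shapes are the ones named in the thread.
type FlatUpgrades = Record<string, string>;
type NestedUpgrades = Record<string, FlatUpgrades>;
interface Upgrade { source: string; name: string; range: string }

function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// Single-package shape: every value must be a string.
function isFlatUpgrades(value: unknown): value is FlatUpgrades {
  if (!isRecord(value)) return false;
  const obj = value; // const copy keeps the narrowed type inside the callback
  return Object.keys(obj).every((key) => typeof obj[key] === "string");
}

// Glob shape: every value must itself be a flat string map.
function isNestedUpgrades(value: unknown): value is NestedUpgrades {
  if (!isRecord(value)) return false;
  const obj = value;
  return Object.keys(obj).every((key) => isFlatUpgrades(obj[key]));
}

// An empty object satisfies both guards, so the caller's branch (glob or not)
// selects the guard; a result of the wrong shape throws instead of being cast.
function collectUpgrades(result: unknown, glob: boolean): Upgrade[] {
  const out: Upgrade[] = [];
  if (glob) {
    if (!isNestedUpgrades(result)) throw new TypeError("expected nested upgrade map");
    for (const source of Object.keys(result)) {
      const deps = result[source]; // assumption: outer key names the package file
      for (const name of Object.keys(deps)) {
        out.push({ source, name, range: deps[name] });
      }
    }
    return out;
  }
  if (!isFlatUpgrades(result)) throw new TypeError("expected flat upgrade map");
  for (const name of Object.keys(result)) {
    out.push({ source: "", name, range: result[name] });
  }
  return out;
}

// Constructed sample values, not output from a real run.
console.log(collectUpgrades({ "example-pkg": "^2.0.0" }, false));
console.log(collectUpgrades({ "pkgs/a/package.json": { "example-pkg": "^2.0.0" } }, true));
```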