fix(deps): unpin all dependencies #8171

Merged: serhalp merged 1 commit into main from fix/unpin-all on May 12, 2026

Conversation

serhalp (Member) commented Apr 17, 2026

Summary

We were pinning deps to partially mimic the published npm-shrinkwrap.json for package managers like yarn and pnpm that don't support it.

Since we stopped shipping the shrinkwrap in #8163, the pinning is no longer relevant.

This will help users' dependency trees get deduped much further.

coderabbitai Bot (Contributor) commented Apr 17, 2026

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d28e7239-9999-4d25-a121-7c105e8cbe0d

📥 Commits

Reviewing files that changed from the base of the PR and between 07fa4d1 and 52f6266.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • renovate.json5
💤 Files with no reviewable changes (1)
  • renovate.json5

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated all dependency and development dependency version specifications from fixed exact versions to semantic versioning ranges, enabling more flexible version resolution for compatible releases.
    • Modified dependency management configuration to apply version constraint rules selectively across test files.

Walkthrough

This PR updates dependency version management by relaxing root package.json version specifiers from exact pins to semver ranges (predominantly ^ prefixes with some ~), while reconfiguring Renovate automation to pin versions in test package.json files instead of the root package.json. This allows root dependencies to accept minor and patch updates, while test dependencies remain strictly pinned.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: 5 passed
  • Title check: ✅ Passed. The title clearly summarizes the main change: converting pinned dependency versions to semver ranges across the package.json file.
  • Description check: ✅ Passed. The description is related to the changeset, explaining the rationale for unpinning dependencies (removal of npm-shrinkwrap.json) and the intended benefit for users.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning: review ran into problems.

🔥 Problems: Timed out fetching pipeline failures after 30000ms

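The walkthrough above describes moving the root package.json from exact pins to ^ and ~ ranges so that several dependents can share one installed copy. The following is an added example, not code from netlify/cli or from this PR: a toy JavaScript resolver (the function names, the constructed registry versions and the three hypothetical dependents are all assumptions) that applies node-semver's caret and tilde rules to a single package name and counts how many copies end up installed under pinned versus ranged specs. It goes slightly beyond the PR by also showing a mixed tilde/caret case, where one narrow range keeps a second copy alive.

```javascript
// Added example, not part of netlify/cli or this PR. A minimal model of npm-style
// resolution for one package name: exact pins force one installed copy per distinct
// pin, while ^ and ~ ranges let several dependents share one copy.
// Only exact "x.y.z", "^x.y.z" and "~x.y.z" specs are modelled; no prerelease tags.

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  const [major, minor, patch] = parts;
  return { major, minor, patch };
}

// Negative, zero or positive like a comparator for Array.prototype.sort.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  return va.major - vb.major || va.minor - vb.minor || va.patch - vb.patch;
}

// Does `version` satisfy `spec`? Follows the node-semver caret/tilde rules.
function satisfies(version, spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = op ? spec.slice(1) : spec;
  const v = parseVersion(version);
  const b = parseVersion(base);
  if (compareVersions(version, base) < 0) return false; // never below the floor
  if (op === '') return compareVersions(version, base) === 0; // exact pin
  if (op === '~') return v.major === b.major && v.minor === b.minor; // patch updates only
  // caret: the leftmost non-zero component may not change
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return compareVersions(version, base) === 0;
}

// Greedy dedupe for one package: walk the available versions from newest to oldest
// and let each version serve every still-unserved dependent whose spec it satisfies.
// Returns the installed copies, each with the dependents it serves. This is a
// simplified model, not npm's actual algorithm.
function dedupe(requirements, available) {
  const sorted = [...available].sort(compareVersions).reverse();
  const unserved = new Set(requirements.map((r) => r.from));
  const installed = [];
  for (const version of sorted) {
    const served = requirements
      .filter((r) => unserved.has(r.from) && satisfies(version, r.spec))
      .map((r) => r.from);
    if (served.length === 0) continue;
    served.forEach((name) => unserved.delete(name));
    installed.push({ version, servedFor: served });
    if (unserved.size === 0) break;
  }
  if (unserved.size > 0) {
    throw new Error(`no available version satisfies: ${[...unserved].join(', ')}`);
  }
  return installed;
}

// Constructed sample: three hypothetical dependents of the same library and the
// versions a registry offers. Pinned specs yield three copies; caret specs yield one.
const AVAILABLE = ['1.2.3', '1.3.0', '1.4.1'];
const PINNED = [
  { from: 'app', spec: '1.2.3' },
  { from: 'lib-a', spec: '1.3.0' },
  { from: 'lib-b', spec: '1.4.1' },
];
const RANGED = [
  { from: 'app', spec: '^1.2.3' },
  { from: 'lib-a', spec: '^1.3.0' },
  { from: 'lib-b', spec: '^1.4.1' },
];
// A tilde range only admits patch releases, so it cannot share 1.4.1 with lib-b.
const MIXED = [
  { from: 'app', spec: '~1.2.0' },
  { from: 'lib-b', spec: '^1.4.1' },
];

function copiesFor(requirements) {
  return dedupe(requirements, AVAILABLE).length;
}

console.log('pinned copies:', copiesFor(PINNED));
console.log('ranged copies:', copiesFor(RANGED));
console.log('mixed  copies:', copiesFor(MIXED));
```

The greedy newest-first pass is what makes the ranged case collapse: 1.4.1 satisfies all three caret specs, so it is installed once and the older versions are never needed. The mixed case is the situation XhmikosR's comment warns about, where a narrower range elsewhere in the tree keeps a second copy installed even after the root is unpinned.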

github-actions Bot commented Apr 17, 2026

📊 Benchmark results

Comparing with 07fa4d1

  • Dependency count: 1,134 ⬆️ 6.44% increase vs. 07fa4d1
  • Package size: 378 MB ⬆️ 5.64% increase vs. 07fa4d1
  • Number of ts-expect-error directives: 355 (no change)

XhmikosR (Contributor) commented

This would need to happen in the other netlify packages too. It's clear that the duplicate packages increase by a lot...

But assuming you guys really want to reduce your deps tree, this is a must change. Next, you'd need to start finding other places that deps need deduplication. v25.0.0 has ~100 duplicate packages. With this PR the number will increase, as it seems. Remember, updating deps blindly to the latest version, is not the right approach all the time, if one cares about the deps tree/count. Unless you can do it across all your dependencies, which isn't realistic...

Just my 2 cents as a netlify-cli user who has reported the issue for years :)

That is exactly the reason why I started contributing to dependents (precinct dependency, etc) packages in the first place.

G-Rath left a comment

❤️

@serhalp serhalp marked this pull request as ready for review May 12, 2026 11:43
@serhalp serhalp requested a review from a team as a code owner May 12, 2026 11:43
serhalp (Member, Author) commented May 12, 2026

📊 Benchmark results

Comparing with 07fa4d1

* **Dependency count**: 1,134 ⬆️ **6.44% increase** vs. [07fa4d1](https://github.com/netlify/cli/commit/07fa4d1b72ba07aa53e75d82aaffa62b42e70286)

* **Package size**: 378 MB ⬆️ **5.64% increase** vs. [07fa4d1](https://github.com/netlify/cli/commit/07fa4d1b72ba07aa53e75d82aaffa62b42e70286)

For the record, this is somewhat misleading. Actual users will see a decrease in count and size. We're seeing an increase due to our own package-lock and the fact that I tried to keep the scope of change in this PR limited (we can follow up to do a deep upgrade of our dep tree in this repo).

@serhalp serhalp merged commit 47da71e into main May 12, 2026
51 of 54 checks passed
@serhalp serhalp deleted the fix/unpin-all branch May 12, 2026 11:58