# build(deps): use the published @posthog/warlock npm package #182

Status: Merged
Switch `@posthog/warlock` from the git dependency (`git+https://github.com/PostHog/warlock.git`) to the published registry release (`^0.2.2`): https://www.npmjs.com/package/@posthog/warlock

Why now: the CI workflows install pnpm `version: latest`, which just became pnpm v11. v11 blocks install/build scripts for git-hosted dependencies unless they're allow-listed in a specific git-spec format. The warlock is pulled from git and runs a build step on install, so v11's gate broke `pnpm install` repo-wide. The published tarball ships pre-built (`main: dist/index.js`) with no install script, so installing from the registry runs no build step and v11 has nothing to gate.

Also drops the now-unnecessary warlock build-script approvals from `pnpm-workspace.yaml` (`onlyBuiltDependencies` + `allowBuilds`). esbuild stays.

Verified locally (pnpm v10): lockfile resolves 0.2.2 from the registry with no git refs; the package imports `{ scan, triageMatches, CATEGORIES }`; the WASM scanner runs and returns `{ matched, matches: [{rule, metadata, matchedStrings}] }`, matching what `scripts/scan-warlock.js` consumes; and `npm test` passes (58/58). CI's `scan-warlock.js dist/skills` step is the end-to-end check.

Generated-By: PostHog Code
Task-Id: 95407a79-1f13-4f1d-a37b-43fe4a62b857
## What

Switches `@posthog/warlock` from the git dependency (`git+https://github.com/PostHog/warlock.git`) to the published npm package `^0.2.2`, and drops the warlock build-script approvals that the git install needed.

## Why now

The CI workflows install pnpm with `version: latest`. That just rolled over to pnpm v11, which tightened supply-chain safety: it blocks install/build scripts for git-hosted dependencies unless they're explicitly allow-listed in a specific git-spec format. The warlock is pulled from git and runs a build step on install, so v11's gate broke `pnpm install` repo-wide (`ERR_PNPM_GIT_DEP_PREPARE_NOT_ALLOWED`).

The published tarball ships pre-built (`main: dist/index.js`) with no install script, and its only dependency (`@virustotal/yara-x`) is a prebuilt WASM package with no install script either. So installing from the registry runs no build step at all, and v11 has nothing to gate. This fixes the failure at the root instead of pinning pnpm or hand-maintaining a SHA-pinned allowlist.

## Changes

- `package.json` — warlock dep `git+...` → `^0.2.2`.
- `pnpm-workspace.yaml` — removed the now-unnecessary `@posthog/warlock` entries from `onlyBuiltDependencies` and `allowBuilds` (kept `esbuild`).
- `pnpm-lock.yaml` — regenerated; warlock now resolves to `0.2.2` from the registry, no git refs remain.

## Verification (local, pnpm v10)

- `pnpm install` resolves `0.2.2` from the registry, lockfile has zero `warlock.git` refs.
- `{ scan, triageMatches, CATEGORIES }` — exactly what `scripts/scan-warlock.js` uses.
- `{ matched, matches: [{ rule, metadata, matchedStrings }] }`, the shape `scan-warlock.js` consumes (confirmed against a real shipped rule).
- `npm test` passes (58/58).
- `node scripts/scan-warlock.js dist/skills` step (in `build.yml`) is the end-to-end integration check.

## Heads-up for the reviewer

- `0.2.2` declares `engines: node ^20.20.0 || >=22.22.0`, slightly newer than this repo's `>=20.11.0`. CI uses `node-version: lts/*`, which satisfies it, but if anyone runs an older Node locally they may see an engines warning.
- `main` directly so it can land and unblock CI for everyone.

Created with PostHog Code
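The verification the PR describes, "no git-hosted specifier left in `package.json`, zero `warlock.git` refs in the lockfile", is worth automating, because a git-hosted dependency is exactly the kind pnpm v11 gates: it can carry an install-time build step that a registry tarball would not. The script below is an added example for this discussion, not code from this repo, from PostHog, or from pnpm. It assumes CommonJS Node, treats the usual npm git specifier forms (`git+` URLs, `github:`-style hosted shorthands, bare `owner/repo#ref`) as git-hosted, and matches lockfile lines on `git+` or `.git`; the two sample lockfile fragments are constructed approximations of the before/after shape, with a placeholder where a commit hash or integrity value would be, and the esbuild version in the samples is likewise made up.

```javascript
// Added example (not the repo's code): audit a package.json and a pnpm lockfile
// for git-hosted dependencies, the class of dependency whose install-time build
// step pnpm v11 blocks unless it is allow-listed.

// Specifier prefixes npm/pnpm resolve from a git host rather than the registry.
const GIT_URL_SPEC = /^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i;
// Bare "owner/repo" or "owner/repo#ref" is GitHub shorthand. A semver range,
// "workspace:", "npm:", "file:" or "link:" specifier never has this shape.
const GITHUB_SHORTHAND = /^[A-Za-z0-9][\w.-]*\/[A-Za-z0-9][\w.-]*(#[\w./-]*)?$/;

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// True when a dependency specifier points at a git host instead of the registry.
function isGitSpec(spec) {
  return GIT_URL_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec);
}

// Every dependency in any dependency field whose specifier is git-hosted.
function findGitDependencies(pkg) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === 'string' && isGitSpec(spec)) hits.push({ field, name, spec });
    }
  }
  return hits;
}

// Lockfile lines that still record a git resolution (a "git+" URL or a ".git" repo).
// "\.git\b" deliberately does not match ".github", so codeload.github.com tarball
// URLs are left alone.
function findGitRefsInLockfile(lockText) {
  return lockText
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => /git\+|\.git\b/.test(line));
}

// Combined verdict: clean only when neither manifest nor lockfile references git.
function auditProject(pkg, lockText) {
  const gitDeps = findGitDependencies(pkg);
  const lockRefs = findGitRefsInLockfile(lockText);
  return { gitDeps, lockRefs, clean: gitDeps.length === 0 && lockRefs.length === 0 };
}

// Constructed samples (not copied from the repo): the "before" pair uses the git
// dependency the PR removes, the "after" pair uses only the registry release.
const BEFORE_PKG = {
  dependencies: {
    '@posthog/warlock': 'git+https://github.com/PostHog/warlock.git',
    esbuild: '^0.20.0', // made-up version, only here to show a non-git dep passing
  },
};
const BEFORE_LOCK = [
  "'@posthog/warlock@git+https://github.com/PostHog/warlock.git#<commit placeholder>':",
  '  resolution: {type: git, repo: git+https://github.com/PostHog/warlock.git, commit: <commit placeholder>}',
].join('\n');

const AFTER_PKG = {
  dependencies: { '@posthog/warlock': '^0.2.2', esbuild: '^0.20.0' },
};
const AFTER_LOCK = [
  "'@posthog/warlock@0.2.2':",
  '  resolution: {integrity: sha512-<placeholder>}',
].join('\n');

for (const [label, pkg, lock] of [['before', BEFORE_PKG, BEFORE_LOCK], ['after', AFTER_PKG, AFTER_LOCK]]) {
  const result = auditProject(pkg, lock);
  const summary = result.clean
    ? 'clean: no git-hosted dependencies'
    : `git deps: ${result.gitDeps.map((d) => d.name).join(', ')}; lockfile git refs: ${result.lockRefs.length}`;
  console.log(`${label}: ${summary}`);
}
```

Run it against a real checkout by replacing the constructed samples with `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')`; a non-empty `gitDeps` or `lockRefs` is the signal that a dependency still bypasses the registry and would need an explicit build-script allow-list entry under pnpm v11.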