From f68f8bf77b41ebb9b3d0089544d83cd51f710619 Mon Sep 17 00:00:00 2001 From: sarahxsanders Date: Wed, 10 Jun 2026 12:40:45 -0400 Subject: [PATCH] build(deps): use the published @posthog/warlock npm package Switch @posthog/warlock from the git dependency (git+https://github.com/PostHog/warlock.git) to the published registry release (^0.2.2): https://www.npmjs.com/package/@posthog/warlock Why now: the CI workflows install pnpm `version: latest`, which just became pnpm v11. v11 blocks install/build scripts for git-hosted dependencies unless they're allow-listed in a specific git-spec format. The warlock is pulled from git and runs a build step on install, so v11's gate broke `pnpm install` repo-wide. The published tarball ships pre-built (main: dist/index.js) with no install script, so installing from the registry runs no build step and v11 has nothing to gate. Also drops the now-unnecessary warlock build-script approvals from pnpm-workspace.yaml (onlyBuiltDependencies + allowBuilds). esbuild stays. Verified locally (pnpm v10): lockfile resolves 0.2.2 from the registry with no git refs; the package imports { scan, triageMatches, CATEGORIES }; the WASM scanner runs and returns { matched, matches: [{rule, metadata, matchedStrings}] }, matching what scripts/scan-warlock.js consumes; and npm test passes (58/58). CI's `scan-warlock.js dist/skills` step is the end-to-end check. Generated-By: PostHog Code Task-Id: 95407a79-1f13-4f1d-a37b-43fe4a62b857 --- package.json | 2 +- pnpm-lock.yaml | 11 +++++------ pnpm-workspace.yaml | 2 -- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/package.json b/package.json index be1752f5..040e4944 100644 --- a/package.json +++ b/package.json @@ -25,7 +25,7 @@ }, "dependencies": { "@anthropic-ai/sdk": "^0.95.0", - "@posthog/warlock": "git+https://github.com/PostHog/warlock.git", + "@posthog/warlock": "^0.2.2", "gray-matter": "^4.0.3", "js-yaml": "^4.1.1" }, diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 14d37fef..7bb3d4d5 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -12,8 +12,8 @@ importers: specifier: ^0.95.0 version: 0.95.0 '@posthog/warlock': - specifier: git+https://github.com/PostHog/warlock.git - version: git+https://github.com/PostHog/warlock.git#39957221e6225c4c8d00d26af522dab0dd3a951b + specifier: ^0.2.2 + version: 0.2.2 gray-matter: specifier: ^4.0.3 version: 4.0.3 @@ -195,9 +195,8 @@ packages: resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} engines: {node: '>=14'} - '@posthog/warlock@git+https://github.com/PostHog/warlock.git#39957221e6225c4c8d00d26af522dab0dd3a951b': - resolution: {commit: 39957221e6225c4c8d00d26af522dab0dd3a951b, repo: https://github.com/PostHog/warlock.git, type: git} - version: 0.0.0 + '@posthog/warlock@0.2.2': + resolution: {integrity: sha512-fpN9eZJ7JvOFej6gfsW1DETJTyo7S2xuu5NQsnBYl8C/cYCmGc8Q0IPiVfBGkIifF1Cic0fzkytFusImxzv4ww==} engines: {node: ^20.20.0 || >=22.22.0} '@rollup/rollup-android-arm-eabi@4.56.0': @@ -971,7 +970,7 @@ snapshots: '@pkgjs/parseargs@0.11.0': optional: true - '@posthog/warlock@git+https://github.com/PostHog/warlock.git#39957221e6225c4c8d00d26af522dab0dd3a951b': + '@posthog/warlock@0.2.2': dependencies: '@virustotal/yara-x': 1.15.0 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index c1126835..40b896b5 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,6 +1,4 @@ onlyBuiltDependencies: - - "@posthog/warlock" - esbuild allowBuilds: - "@posthog/warlock": true esbuild: true