
fix: pin dependency versions and remove unused core-js#3697

Open
shabaraba wants to merge 3 commits into main from fix/fix-dependencies


Conversation

@shabaraba
Member

@shabaraba shabaraba commented Apr 2, 2026

Why

The OSS packages currently published to the npm registry have their dependency versions specified with ^ in package.json. This notation locks only the major version and installs the latest compatible versions for minor and patch, meaning that when installing without a pnpm-lock.yaml (i.e., installing directly from the npm registry), there is a high risk of unintended package versions being installed.

Additionally, core-js was listed in dependencies for both @kintone/rest-api-client and @kintone/rest, but investigation revealed:

  • rest-api-client: core-js is only used during the UMD build via Babel's useBuiltIns: "usage". The lib/ and esm/ outputs (used by bundlers and Node.js) contain zero references to core-js. It is effectively a build-time dependency.
  • rest: core-js is not referenced anywhere — not in source code, not in built output (lib/), and not even in the UMD bundle (which uses Vite's target: "modules" instead of Babel polyfills). It is completely unused.

What

  • Pin all dependency versions across all packages (remove ^ prefixes)
  • Add package-json/restrict-dependency-ranges ESLint rule to enforce pinned versions in dependencies going forward
  • Exclude templates/ package.json files from the pinning rule (end-user scaffolds)
  • Move core-js from dependencies to devDependencies in @kintone/rest-api-client
  • Remove core-js from dependencies in @kintone/rest
  • Add pnpm lint:package-json command
  • Update renovate.json5:
    • Set rangeStrategy: "bump" for dependencies to keep pinned versions up to date
    • Group related packages to update together (axios + form-data, openapi ecosystem, ajv ecosystem) to avoid version mismatch issues

How to test

  • pnpm install && pnpm build succeeds
  • pnpm --filter @kintone/rest-api-client test — all 423 tests pass
  • pnpm --filter @kintone/rest test — all tests pass
  • pnpm lint:package-json passes with no errors
  • UMD build sizes are unchanged:
    • rest-api-client: KintoneRestAPIClient.min.js = 245KB

Checklist

  • Read CONTRIBUTING.md
  • Updated documentation if it is required.
  • Added tests if it is required.
  • Passed pnpm lint and pnpm test on the root directory.
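As an added example (not code from this PR or the project), a small Node.js checker that applies the same policy the PR's ESLint rule enforces: it flags non-exact specifiers in `dependencies`, suggests the pinned form for caret/tilde ranges, and exempts templates/ manifests. The package names and versions in the sample manifests are constructed.

```javascript
// Pinned means an exact semver version (optional prerelease/build suffix)
// or a workspace/file/link reference that the lockfile-less registry
// install never resolves against the registry.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const LINK_PROTOCOLS = ["workspace:", "file:", "link:"];

function isPinned(spec) {
  if (LINK_PROTOCOLS.some((p) => spec.startsWith(p))) return true;
  return EXACT_VERSION.test(spec);
}

// For ^x.y.z / ~x.y.z the pinned form is the range with its operator
// removed; x-ranges, "*" or ">=" need a human to choose a version.
function suggestPinned(spec) {
  const m = /^[\^~](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec);
  return m ? m[1] : null;
}

// Mirrors the PR's exemption: scaffold templates shipped to end users are
// not held to the pinning rule.
function isExemptPath(filePath) {
  return filePath.split("/").includes("templates");
}

// Only `dependencies` is checked: devDependencies never reach a consumer
// installing from the npm registry, so ranges there are acceptable.
function findUnpinnedDependencies(pkgJsonText, filePath = "package.json") {
  if (isExemptPath(filePath)) return [];
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  return Object.entries(deps)
    .filter(([, spec]) => !isPinned(spec))
    .map(([name, spec]) => ({ name, spec, suggested: suggestPinned(spec) }));
}

// Constructed sample manifests (not the repository's real files).
const BEFORE = JSON.stringify({
  name: "@example/client",
  dependencies: { axios: "^1.2.3", "form-data": "~4.0.1", "core-js": "3.0.0" },
  devDependencies: { typescript: "^5.0.0" },
});
const AFTER = JSON.stringify({
  name: "@example/client",
  dependencies: { axios: "1.2.3", "form-data": "4.0.1", "@example/shared": "workspace:*" },
  devDependencies: { "core-js": "^3.0.0", typescript: "^5.0.0" },
});

console.log(findUnpinnedDependencies(BEFORE)); // axios and form-data flagged
console.log(findUnpinnedDependencies(AFTER));  // []
```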

@shabaraba shabaraba requested a review from a team as a code owner April 2, 2026 07:53
@shabaraba shabaraba requested review from chihiro-adachi, Copilot and nameless-mc and removed request for a team April 2, 2026 07:53
@github-actions github-actions bot added pkg: rest-api-client @kintone/rest-api-client pkg: customize-uploader @kintone/customize-uploader pkg: plugin-manifest-validator @kintone/plugin-manifest-validator pkg: dts-gen @kintone/dts-gen pkg: plugin-uploader @kintone/plugin-uploader pkg: create-plugin @kintone/create-plugin pkg: plugin-packer @kintone/plugin-packer pkg: webpack-plugin-kintone-plugin @kintone/webpack-plugin-kintone-plugin pkg: profile-loader @kintone/profile-loader labels Apr 2, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR reduces dependency drift risk for published npm packages by pinning runtime dependency versions (removing ^ ranges) and cleaning up unused core-js, while adding tooling/config to keep dependencies pinned going forward.

Changes:

  • Pin all dependency versions across packages (remove ^ / ~ ranges for runtime deps).
  • Remove unused core-js from @kintone/rest, and move core-js to devDependencies in @kintone/rest-api-client.
  • Add lint:package-json and ESLint config to enforce pinned dependencies, plus Renovate grouping/bump settings.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.

Summary per file:

  • renovate.json5: Adds Renovate rules intended to bump/group pinned runtime dependencies.
  • pnpm-lock.yaml: Updates lockfile to reflect pinned specifiers and core-js dependency changes.
  • package.json: Adds lint:package-json script for package manifest linting.
  • eslint.config.mjs: Enforces pinned ranges for dependencies via package-json/restrict-dependency-ranges, with a templates override.
  • packages/webpack-plugin-kintone-plugin/package.json: Pins mkdirp in runtime dependencies.
  • packages/rest/package.json: Removes core-js and pins runtime dependency versions.
  • packages/rest-api-client/package.json: Moves core-js to devDependencies and pins runtime dependency versions.
  • packages/profile-loader/package.json: Pins toml in runtime dependencies.
  • packages/plugin-uploader/package.json: Pins runtime dependency versions.
  • packages/plugin-packer/package.json: Pins runtime dependency versions (including node-rsa).
  • packages/plugin-manifest-validator/package.json: Pins runtime dependency versions.
  • packages/eslint-plugin/package.json: Pins runtime dependency versions.
  • packages/dts-gen/package.json: Pins runtime dependency versions.
  • packages/customize-uploader/package.json: Pins runtime dependency versions.
  • packages/create-plugin/package.json: Pins runtime dependency versions.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


renovate.json5 Outdated
Comment on lines +40 to +60
{
// runtime dependencies use bump strategy (update pinned versions)
matchDepTypes: ["dependencies"],
rangeStrategy: "bump",
},
{
// group transitive-duplicate-risk deps to update together
groupName: "axios and related deps",
matchPackageNames: ["axios", "form-data"],
matchDepTypes: ["dependencies"],
},
{
groupName: "openapi ecosystem deps",
matchPackageNames: ["openapi-fetch", "openapi-typescript", "openapi-typescript-helpers"],
matchDepTypes: ["dependencies"],
},
{
groupName: "ajv ecosystem deps",
matchPackageNames: ["ajv", "ajv-formats"],
matchDepTypes: ["dependencies"],
},

Copilot AI Apr 2, 2026


The new Renovate rules for bumping/grouping runtime dependencies are added under npm.packageRules, but this npm manager is configured with a very narrow fileMatch (only packages/create-plugin/templates/**/with-plugin-uploader\.json). As a result, these rules won’t apply to the actual packages/*/package.json dependencies you just pinned. Consider moving these rules to top-level packageRules (or broadening npm.fileMatch to include normal package.json patterns) so Renovate updates pinned runtime deps in published packages as intended.

package.json Outdated
"fix:workspace": "pnpm -r --parallel run fix",
"license:analyze": "license-manager analyze -c license-manager.config.js",
"lint": "run-s lint:*",
"lint:package-json": "eslint 'packages/*/package.json' --max-warnings 0",

Copilot AI Apr 2, 2026


lint:package-json only targets packages/*/package.json, but this PR also adds an ESLint override for **/templates/**/package.json (and the PR description calls out excluding templates). If templates are intended to be linted too, expand the glob(s) here to include template package.json files; otherwise the templates override is dead code and template manifests won’t be checked by this lint task.

Suggested change
"lint:package-json": "eslint 'packages/*/package.json' --max-warnings 0",
"lint:package-json": "eslint 'packages/*/package.json' '**/templates/**/package.json' --max-warnings 0",

@shabaraba shabaraba changed the title fix(deps): pin dependency versions and remove unused core-js fix: pin dependency versions and remove unused core-js Apr 2, 2026
@shabaraba shabaraba force-pushed the fix/fix-dependencies branch from 48d4a0f to efb71a1 Compare April 2, 2026 08:26
Contributor

@nameless-mc nameless-mc left a comment


Please also handle packages/create-plugin/templates/**/package.json

"@rollup/plugin-json": "6.1.0",
"@rollup/plugin-node-resolve": "16.0.3",
"@rollup/plugin-terser": "0.4.4",
"@types/core-js": "2.5.8",
Contributor


Probably unnecessary

3 participants