Locking framer-motion dependencies

[TheCodeDestroyer]

Today, I encountered a weird bug, and I had no clue what was wrong with my component library HeroUI, which uses framer-motion for animations, where all modals stopped working.
After some research, the only thing I noticed was that there was a bump in framer-motion. My Renovate configuration waits for 5 days of stability before merging the PR, and here is where the trick lies.

After researching, I found out that it created a PR with a bump from v12.23.6 to v12.23.7, and while doing that, it also installed the latest motion-dom v12.23.9, which was installed due to the package.json specification in framer-motion:

"dependencies": {
  "motion-dom": "^12.23.9",
  "motion-utils": "^12.23.6",
  "tslib": "^2.4.0"
},

Since you guys use Turborepo and the libraries are tightly coupled together, is there a specific reason why you are not using version locking with workspace:*?
Example:

"dependencies": {
  "motion-dom": "workspace:*",
  "motion-utils": "workspace:*",
  "tslib": "^2.4.0"
},

[mattgperry]

Doesn’t this fuck things up when publishing on npm?

[TheCodeDestroyer]

Package managers are smart enough to replace this with the actual current version of the package.
(If you set the proper path to packages via workspaces.)
Example my monorepo one package.json
And package.json of that package on npm
Since you use yarn you can find more info here