JS: pin transitive deps with overrides

[MananTank]

---

PR-Codex overview

This PR focuses on updating dependencies in the package.json and pnpm-lock.yaml files, including the addition of the error-ex package and various updates to the chalk and is-core-module packages.

Detailed summary

• Added error-ex dependency with version 1.3.2.
• Updated chalk from 5.4.1 to 5.3.0, then to 5.6.2.
• Updated is-core-module from 2.16.1 to 2.13.1.
• Maintained version constraints for xml2js.
• Adjusted dependencies for @aws-sdk/client-sso-oidc and @aws-sdk/credential-provider-node.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• Chores
  • Updated dependency override entries to ensure compatible dependency resolutions.
  • Added support for an additional override entry to allow future dependency adjustments.
  • No user-facing changes or impact to existing functionality or workflows.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b743636

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
docs-v2	Ready	Preview	Comment	Sep 8, 2025 8:09pm
nebula	Ready	Preview	Comment	Sep 8, 2025 8:09pm
thirdweb_playground	Ready	Preview	Comment	Sep 8, 2025 8:09pm
thirdweb-www	Ready	Preview	Comment	Sep 8, 2025 8:09pm
wallet-ui	Ready	Preview	Comment	Sep 8, 2025 8:09pm

[coderabbitai]

Walkthrough

Adjusted pnpm overrides in package.json: fixed xml2js@<0.5.0 entry formatting (added trailing comma) and added a new override for [email protected]. No source code or API changes.

Changes

Cohort / File(s)	Summary of Changes
pnpm overrides (package.json) package.json	- Added trailing comma to pnpm.overrides entry for xml2js@<0.5.0 to allow subsequent entries. - Added new override: [email protected]. - No other dependency overrides or source files were modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  - Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.
  - Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bcb9769 and b743636.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Size
• GitHub Check: Lint Packages
• GitHub Check: Unit Tests
• GitHub Check: E2E Tests (pnpm, webpack)
• GitHub Check: Build Packages
• GitHub Check: E2E Tests (pnpm, esbuild)
• GitHub Check: E2E Tests (pnpm, vite)
• GitHub Check: Analyze (javascript)

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 09-09-js_pin_transitive_deps_with_overrides

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[MananTank]

• JS: pin transitive deps with overrides #8009 👈 (View in Graphite)
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge-queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
thirdweb (esm)	63.96 KB (0%)	1.3 s (0%)	419 ms (+58.34% 🔺)	1.7 s
thirdweb (cjs)	356.86 KB (0%)	7.2 s (0%)	2.3 s (+6.92% 🔺)	9.4 s
thirdweb (minimal + tree-shaking)	5.73 KB (0%)	115 ms (0%)	108 ms (+530.43% 🔺)	223 ms
thirdweb/chains (tree-shaking)	526 B (0%)	11 ms (0%)	98 ms (+711.27% 🔺)	108 ms
thirdweb/react (minimal + tree-shaking)	19.15 KB (-0.15% 🔽)	383 ms (-0.15% 🔽)	96 ms (+168.15% 🔺)	479 ms

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

package.json (1)

49-55: Add/verify bundle budgets (size-limit) per guidelines.

Top-level package.json lacks a size-limit config. Please add budgets (or confirm they live in each workspace package).

Example (adjust paths to your entry points):

{
  "size-limit": [
    { "path": "packages/thirdweb/dist/index.js", "limit": "100 KB" },
    { "path": "packages/insight/dist/index.js", "limit": "80 KB" }
  ],
  "scripts": {
    "size": "size-limit"
  },
  "devDependencies": {
    "size-limit": "^11.0.0",
    "@size-limit/preset-small-lib": "^11.0.0"
  }
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff1cf7 and bcb9769.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

package.json

📄 CodeRabbit inference engine (CLAUDE.md)

Track bundle budgets via package.json#size-limit

Files:

• package.json

**/package.json

📄 CodeRabbit inference engine (AGENTS.md)

Track bundle budgets via package.json#size-limit

Files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Size
• GitHub Check: E2E Tests (pnpm, esbuild)
• GitHub Check: Build Packages
• GitHub Check: E2E Tests (pnpm, vite)
• GitHub Check: E2E Tests (pnpm, webpack)
• GitHub Check: Lint Packages
• GitHub Check: Unit Tests
• GitHub Check: Analyze (javascript)

🔇 Additional comments (3)

package.json (3)

48-48: LGTM: trailing comma to extend overrides list is correct.

The xml2js override remains the same; the added comma is valid JSON and enables the following entries.

---

49-55: Confirm intent to hard-pin exact versions vs caret ranges.

If the goal is security pinning, exact pins are fine; otherwise consider caret pins for patch uptake (for example, is-core-module latest is 2.16.1 as of ~5 months ago vs 2.13.1 here). (npmjs.com)

---

49-55: Verify CJS consumption of ESM-only overrides

• Search for any require('chalk') or require('strip-ansi') calls across your workspace and its dependencies; if you find CJS consumers, either scope your pnpm overrides to only ESM-ready packages or pin CJS-compatible versions (e.g., [email protected], [email protected]).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.63%. Comparing base (4ff1cf7) to head (b743636).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8009      +/-   ##
==========================================
- Coverage   56.65%   56.63%   -0.02%     
==========================================
  Files         904      904              
  Lines       58677    58677              
  Branches     4165     4161       -4     
==========================================
- Hits        33241    33232       -9     
- Misses      25330    25340      +10     
+ Partials      106      105       -1     

Flag	Coverage Δ
packages	56.63% <ø> (-0.02%)	⬇️
see 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.