fix(#471): bump @package-json/types #478

Open
SukkaW wants to merge 3 commits into un-ts:master from SukkaW:fix-pkg-json-types

@SukkaW
Collaborator

@SukkaW SukkaW commented Mar 17, 2026

Fixes #471, Fixes #476, Fixes #477

Summary by CodeRabbit

  • Chores
    • Bumped a development dependency to a newer patch version to keep tooling up to date.
    • Added a changeset entry to schedule a patch release; no functional changes to the product.

@changeset-bot

changeset-bot bot commented Mar 17, 2026

🦋 Changeset detected

Latest commit: 6849912

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
|---|---|
| eslint-plugin-import-x | Patch |

@coderabbitai
Contributor

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9143c3a2-e58b-4c84-8814-30f40dc618fa

📥 Commits

Reviewing files that changed from the base of the PR and between 8777fa2 and c05c0d9.

📒 Files selected for processing (1)
  • .changeset/good-kings-sniff.md

Walkthrough

Updated @package-json/types from ^0.0.12 to ^0.0.13 in package.json and added a changeset entry indicating a patch release; no source code or public API changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency manifest: package.json | Bumped @package-json/types dependency from ^0.0.12 to ^0.0.13. |
| Release metadata: .changeset/good-kings-sniff.md | Added/updated changeset describing a patch release and the dependency version bump. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • fix(deps): replace type-fest w/ @package-json/types #434 — Introduced @package-json/types as a dependency (directly related to this dependency change).
  • (linked issue) #476 — Proposal to remove @package-json/types and replace with an inline PackageJson type; directly concerns this dependency.
  • (linked issue) #477 — Refactor to remove dependency and implement local PackageJson interface; directly concerns this dependency.

Suggested labels

dependencies

Suggested reviewers

  • JounQin
  • 43081j

Poem

🐰 A small hop from twelve to thirteen,
A nudge in JSON types, tidy and clean,
No code disturbed, just versions aligned,
The rabbit smiles — release is refined.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ⚠️ Warning | The PR only bumps the dependency version but does not implement the core requirements from linked issues #471, #476, and #477 to remove the external dependency and create an inline type. | Implement the full solution: remove @package-json/types from dependencies, create a local PackageJson interface in src/utils/package-json.ts, update all rule files to use the local type, and update package.json and lockfile accordingly. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change - bumping the @package-json/types dependency version in package.json. |
| Out of Scope Changes check | ✅ Passed | The changeset entry references a patch release for eslint-plugin-import-x and a version bump, which is appropriate for dependency updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@codesandbox-ci

codesandbox-ci bot commented Mar 17, 2026

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@socket-security

socket-security bot commented Mar 17, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @package-json/types@0.0.12 ⏵ 0.0.13 | 76 +1 | 100 | 80 +2 | 87 +7 | 100 |

@pkg-pr-new

pkg-pr-new bot commented Mar 17, 2026

npm i https://pkg.pr.new/eslint-plugin-import-x@478

commit: 6849912

@SukkaW SukkaW requested review from JounQin and Copilot and removed request for JounQin March 17, 2026 08:08
Contributor

Copilot AI left a comment

Pull request overview

Bumps @package-json/types to a newer patch version and adds a changeset to publish a patch release, aiming to resolve downstream TypeScript issues tied to that dependency.

Changes:

  • Update @package-json/types from ^0.0.12 to ^0.0.13 in package.json.
  • Update yarn.lock to reflect the new resolved version.
  • Add a patch changeset entry for the release.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| package.json | Bumps @package-json/types version requirement. |
| yarn.lock | Updates lockfile resolution/checksum for @package-json/types@0.0.13. |
| .changeset/good-kings-sniff.md | Adds a changeset to publish the dependency bump as a patch release. |

Comment on lines 77 to +78
"dependencies": {
"@package-json/types": "^0.0.12",
"@package-json/types": "^0.0.13",
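Review bot: on the "@package-json/types": "^0.0.13" line under "dependencies", the caret does not widen a 0.0.x version: ^0.0.13 resolves only to 0.0.13, just as ^0.0.12 could never pick up this fix on its own. Every later upstream correction will need another bump and release here, so say so in the changeset, or write an explicit range if a wider one is intended.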
"eslint-plugin-import-x": patch
---

Bump `@package-json/types` to latest version
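Review bot: the changeset summary "Bump `@package-json/types` to latest version" names neither the version nor the reason. Spell both out, for example "Bump `@package-json/types` to 0.0.13 to fix TypeScript errors (#471)", so the changelog entry stays meaningful after later bumps.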
@JounQin
Member

JounQin commented Mar 18, 2026

Personally I think we only need a subset of the type #476 🤔.

@SukkaW
Collaborator Author

SukkaW commented Mar 18, 2026

> Personally I think we only need a subset of the type #476 🤔.

@package-json/types is code generated from the official package.json JSON schema, which ensures correctness. Our self-maintained typing may be outdated and incorrect.

@silverwind
Contributor

Not a fan of forcing unnecessary type-only dependencies onto consumers personally, unless there is a good reason.

@nbouvrette

nbouvrette commented Mar 26, 2026

While I would recommend #476 even if I also am behind the @package-json/types update.

I'm not a fan of extra dependencies unless explicitly required (especially with all the dependency hacks these days) but if we can get one of the 2 PRs merged, at least we can remove "skipLibCheck": true in tsconfig.json

@SukkaW
Collaborator Author

SukkaW commented Mar 27, 2026

@silverwind @nbouvrette

The sole reason PackageJson is a deps, not a devDeps, is that it is shipped with exported readPkgUp. Run yarn build then check /lib/utils/read-pkg-up.d.ts, or just use any npm CDN to check this: https://cdn.jsdelivr.net/npm/eslint-plugin-import-x@4.16.2/lib/utils/read-pkg-up.d.ts

If we remove readPkgUp export, we can safely move to devDeps.

Technically, no one would ever import readPkgUp from eslint-plugin-import-x, but removing that export would be a breaking change nonetheless.

@silverwind
Contributor

silverwind commented Mar 27, 2026

I'd just remove the read-pkg-up dependency and use something like this to discover the closest package.json:

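import { statSync } from "node:fs";
import { dirname, join } from "node:path";
import { cwd } from "node:process";

// Walk upward from the current working directory and return the path of the
// first `filename` found, or undefined once the filesystem root is reached.
function findUp(filename: string): string | undefined {
  let dir = cwd();
  while (true) {
    const filePath = join(dir, filename);
    try {
      statSync(filePath); // throws if the path does not exist
      return filePath;
    } catch {}
    const parent = dirname(dir);
    if (parent === dir) break; // dirname() of the root is the root itself
    dir = parent;
  }
  return undefined;
}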

If you really must do this with a dependency, use https://github.com/sindresorhus/find-up-simple, but I find such dependencies not warranted given that it can be implemented in ~10 lines of code.

@silverwind
Contributor

> Technically, no one would ever import readPkgUp from eslint-plugin-import-x, but removing that export would be a breaking change nonetheless.

Go for it, it's unlikely to break anyone so I would not consider it a real breaking change.

@nbouvrette

@SukkaW @JounQin

I did some research on the history of this issue and thought I'd share my findings to help decide the best path forward.

How we got here

The root cause isn't @package-json/types itself — it's that readPkgUp (an internal utility) is publicly exported, which forces its PackageJson return type to be a production dependency.

Here's the chain of events:

  1. 2024-03 — During the TypeScript migration, PackageJson was imported from type-fest (devDep) and readPkgUp was barrel-exported from src/utils/index.ts. The broken .d.ts reference was masked by skipLibCheck.
  2. 2025-03 — The ESM migration added "./utils" to the package exports field, officially making the utils barrel (including readPkgUp) a public API entry point.
  3. 2025-10 — PR fix(deps): replace type-fest w/ @package-json/types #434 tried to fix the type-fest leak by switching to @package-json/types as a production dependency.
  4. 2026-03 — v4.16.2 shipped with @package-json/types@0.0.12, which had strict-mode TS2411 errors, immediately breaking consumers like JHipster.

Who actually uses ./utils?

A GitHub code search found only 3 repos importing from eslint-plugin-import-x/utils — and none of them use readPkgUp or PackageJson. They use other utilities like createRule, resolve, etc.

Recommendation

I think the cleanest fix is a breaking change that addresses the root cause rather than continuing to patch around it:

  1. Stop exporting readPkgUp from src/utils/index.ts — no real consumer uses it, and it's the sole reason PackageJson needs to be a production dependency
  2. Inline the PackageJson type in src/types.ts covering only the fields the plugin uses (as done in fix(deps): replace @package-json/types with an inline minimal type #476) — this eliminates the external dependency entirely
  3. Move @package-json/types removal to this same release

This avoids the recurring pattern of one type-only dependency breaking consumers (first type-fest, now @package-json/types), and removes unnecessary public API surface that was never intentionally designed — it was just an artifact of barrel-exporting everything during the TS migration.

The "breaking change" is theoretical — readPkgUp was never meant to be consumed externally, nobody does, and the 3 repos that import from ./utils use entirely different utilities that would remain exported.

If there's concern about semver strictness, this could ship as a major version bump, but given the zero real-world impact, a minor or even patch feels reasonable (similar to how @silverwind suggested above).

If you agree, I am happy to remove readPkgUp from #476.
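
The type leak described in this thread (an emitted .d.ts importing a package that consumers never install, hidden by skipLibCheck) can be caught before publishing. The following is an added example, not code from this PR or from eslint-plugin-import-x; the function names, the sample declaration text and the sample manifest are constructed, and it assumes Node builtins are imported with the `node:` prefix.

```javascript
// Flag packages that emitted .d.ts files import but the manifest does not ship.
// Heuristic regex scan; assumes Node builtins are written with the "node:" prefix.
// Matches: from "x", import "x", import("x"), require("x"), <reference types="x" />
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*|<reference\s+types\s*=\s*)["']([^"']+)["']/g;

// "@scope/name/sub" -> "@scope/name"; "name/sub" -> "name"
function packageName(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function isBarePackage(specifier) {
  return !/^(\.|\/|node:)/.test(specifier);
}

// declFiles: { path: contents of an emitted .d.ts }, pkg: parsed package.json
function findLeakedTypeDeps(declFiles, pkg) {
  const shipped = new Set([
    ...Object.keys(pkg.dependencies ?? {}),
    ...Object.keys(pkg.peerDependencies ?? {}),
  ]);
  const leaks = [];
  for (const [file, source] of Object.entries(declFiles)) {
    for (const match of source.matchAll(SPECIFIER_RE)) {
      const name = packageName(match[1]);
      if (!isBarePackage(match[1]) || name === pkg.name || shipped.has(name)) continue;
      const declared = name in (pkg.devDependencies ?? {}) ? "devDependencies" : "undeclared";
      leaks.push({ file, package: name, declared });
    }
  }
  return leaks;
}

// Constructed sample: a public declaration file whose type comes from a devDependency.
const sampleDecls = {
  "lib/utils/read-pkg-up.d.ts":
    'import type { PackageJson } from "type-fest";\n' +
    "export declare function readPkgUp(): { pkg?: PackageJson; path?: string };\n",
  "lib/utils/index.d.ts": 'export * from "./read-pkg-up.js";\n',
};
const samplePkg = {
  name: "example-plugin", // constructed manifest, versions are placeholders
  dependencies: {},
  devDependencies: { "type-fest": "^4.0.0" },
};

console.log(findLeakedTypeDeps(sampleDecls, samplePkg));
```

Run against the real build output, the same function would take the contents of every file under lib/ ending in .d.ts and the parsed package.json; an empty result means every type import in the published declarations resolves for consumers.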

Development

Successfully merging this pull request may close these issues.

New @package-json/types dependency is causing TypeScript issues.

5 participants