
Caret Dependency Check

This workflow scans every package.json (excluding caches and build outputs) for dependencies using caret (^) ranges and fails if any are found.

  • Runner: Self-hosted dokploy runner
  • Permissions: contents: read, pull-requests: write, issues: write, checks: write
  • Scanned fields: dependencies, devDependencies, peerDependencies, optionalDependencies

The workflow generates two types of reports:

  1. Preview report (PR comment): shows the first 5 dependencies per file, with a truncation message
  2. Full report (artifact): the complete list of all caret dependencies

Where the results go:

  • PR comments: automatically cleaned up (previous workflow comments are deleted before a new one is posted)
  • Artifacts: both preview and full reports are uploaded with 30-day retention
    • caret-dependency-report (preview)
    • caret-dependency-report-full (complete list)
  • Logs: the full dependency list is printed to the workflow logs for immediate visibility

Caret ranges create non-reproducible builds and can unexpectedly pull in breaking updates. Pin exact versions instead. Note that pinning only fixes direct dependencies; transitive versions are held in place only by a committed lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml).

Avoid:

{
  "dependencies": {
    "react": "^18.2.0"
  }
}

Use:

{
  "dependencies": {
    "react": "18.2.0"
  }
}
Implementation notes:

  • Improved JSON processing: uses jq -c with proper JSON array handling for more reliable parsing
  • Fallback handling: jq failures are handled gracefully with an empty-array fallback
  • Noise reduction: PR comments are limited to the first 5 entries per file, with “…and N more” indicators
  • Comment cleanup: previous workflow comments are removed automatically to prevent spam
  • Dual reporting: full details are available in logs and artifacts while PR comments stay concise
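The scan and the two report forms described above (walk the tree skipping caches and build outputs, check the four dependency sections for ranges starting with ^, emit a truncated preview and a complete list, and fail when anything is found), as an added Python example. This is not the workflow's own code, which uses jq in a shell step; the list of excluded directory names and the sample manifests are constructed for the example and are not taken from the page.

```python
import json
import os
from typing import Dict, List, Tuple

# Directory names pruned during the walk. The page only says "caches and
# build outputs"; this concrete list is an assumption for the example.
EXCLUDED_DIRS = {"node_modules", "dist", "build", ".cache", ".next", ".git"}

# The four manifest sections the workflow inspects.
DEP_FIELDS = ("dependencies", "devDependencies",
              "peerDependencies", "optionalDependencies")

PREVIEW_LIMIT = 5  # entries shown per file in the PR comment

Hit = Tuple[str, str, str]  # (section, package name, version range)


def caret_deps_in_manifest(manifest: dict) -> List[Hit]:
    """Return every dependency in the four sections whose range starts with '^'."""
    hits: List[Hit] = []
    for field in DEP_FIELDS:
        section = manifest.get(field)
        if not isinstance(section, dict):
            continue  # section missing or malformed: nothing to report
        for name, spec in section.items():
            if isinstance(spec, str) and spec.startswith("^"):
                hits.append((field, name, spec))
    return hits


def is_excluded(rel_path: str) -> bool:
    """True if any directory component of rel_path is a cache or build output."""
    parts = rel_path.replace("\\", "/").split("/")[:-1]
    return any(p in EXCLUDED_DIRS for p in parts)


def scan_manifests(manifests: Dict[str, dict]) -> Dict[str, List[Hit]]:
    """Map each package.json path to its caret hits; skip excluded paths and clean files."""
    report: Dict[str, List[Hit]] = {}
    for rel_path, manifest in manifests.items():
        if is_excluded(rel_path):
            continue
        hits = caret_deps_in_manifest(manifest)
        if hits:
            report[rel_path] = hits
    return report


def load_manifests(root: str) -> Dict[str, dict]:
    """Read every package.json under root into memory, pruning excluded directories.
    Unreadable or invalid files are dropped, mirroring the workflow's empty-array fallback."""
    manifests: Dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifests[os.path.relpath(path, root)] = json.load(fh)
        except (OSError, ValueError):
            continue
    return manifests


def preview_report(report: Dict[str, List[Hit]], limit: int = PREVIEW_LIMIT) -> str:
    """PR-comment form: at most `limit` entries per file plus an '…and N more' line."""
    lines = []
    for rel_path, hits in sorted(report.items()):
        lines.append(f"{rel_path}:")
        for field, name, spec in hits[:limit]:
            lines.append(f"  {name}: {spec} ({field})")
        if len(hits) > limit:
            lines.append(f"  …and {len(hits) - limit} more")
    return "\n".join(lines)


def full_report(report: Dict[str, List[Hit]]) -> str:
    """Artifact/log form: every caret dependency, nothing truncated."""
    lines = []
    for rel_path, hits in sorted(report.items()):
        lines.append(f"{rel_path}:")
        lines.extend(f"  {name}: {spec} ({field})" for field, name, spec in hits)
    return "\n".join(lines)


# Constructed sample tree (not from the page): one clean root manifest, one
# workspace with seven caret ranges, and one under node_modules that must be ignored.
SAMPLE_MANIFESTS = {
    "package.json": {
        "dependencies": {"react": "18.2.0"},
        "devDependencies": {"typescript": "5.4.5"},
    },
    "packages/web/package.json": {
        "dependencies": {"react": "^18.2.0", "react-dom": "^18.2.0", "zod": "^3.22.0"},
        "devDependencies": {"vite": "^5.0.0", "vitest": "^1.0.0", "eslint": "^8.0.0"},
        "peerDependencies": {"react-router": "^6.0.0"},
        "optionalDependencies": {"fsevents": "2.3.3"},
    },
    "node_modules/left-pad/package.json": {
        "dependencies": {"something": "^1.0.0"},
    },
}

if __name__ == "__main__":
    import sys
    # Pass a repository root to scan real files; with no argument the sample tree is used.
    manifests = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    report = scan_manifests(manifests)
    print("Preview (PR comment):\n" + preview_report(report))
    print("\nFull (artifact / logs):\n" + full_report(report))
    sys.exit(1 if report else 0)  # non-zero exit fails the check when any caret range exists
```

Running the script with no argument prints the truncated preview (five entries for packages/web plus "…and 2 more") and the full list, then exits 1 because caret ranges were found; the node_modules copy never appears in either report.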