cite-wide 0.0.1.1 Published

Dependency Refresh — Eight Packages Bumped to Latest Within Current Major, Build Verified Clean

First pass on package hygiene since the project's last broad upgrade. Eight dependencies advanced to the latest version within their current major (obsidian 1.8 → 1.12, esbuild 0.25 → 0.28, fastify 5.3 → 5.8, MCP SDK 1.12 → 1.29, both @typescript-eslint packages, builtin-modules, and @types/node held to the 22.x line to match the local Node 22 runtime). Four major bumps held back for review. The full build (`tsc -noEmit -skipLibCheck && esbuild production`) passes cleanly on the new lockfile.

Why Care?

This project pre-dates the changelog habit established in the rest of the monorepo, so prior dependency bumps (upgrade(packages): all packages are now up to date, add(packages): add Fastify, MCP, and Zod) shipped without any written record of what moved or why. That makes it impossible to attribute build behavior to a specific upgrade after the fact.

This entry starts the habit here. The work itself is unglamorous — packages got bumped, the build still passes — but the discipline matters: the next time something breaks after a pnpm install, the changelog tells us which version ranges shifted and which majors we deliberately did not cross.

The other reason to log this carefully: two majors held back here (zod 3 → 4, typescript 5.8 → 6.0) carry breaking changes. Recording the deferral with the reasoning means a future contributor (or future me) sees the deferral was deliberate, not an oversight.

What Was Updated

Bumps applied — latest within current major

PackageWasNowNotes
obsidian (dev)1.8.71.12.3Plugin host typings; biggest functional bump
esbuild (dev)0.25.50.28.0Bundler; minor version, no config change required
fastify5.3.35.8.5Within v5; see open item — currently unused in plugin source
@modelcontextprotocol/sdk1.12.11.29.0Within v1; see open item — currently unused in plugin source
@typescript-eslint/eslint-plugin (dev)8.33.18.59.1Lint tooling, paired with parser
@typescript-eslint/parser (dev)8.33.18.59.1Lint tooling, paired with plugin
builtin-modules (dev)5.0.05.1.0esbuild externals helper
@types/node (dev)22.15.3022.19.17Pinned to 22.x to match local node v22.18.0

Bumps deliberately held back

PackageCurrentLatestReason for deferral
typescript (dev)5.8.36.0.3Major; want to read 6.0 release notes and check tsc -noEmit cleanliness before crossing
eslint (dev)9.28.010.3.0Major; flat-config nuances and rule deprecations between 9 → 10
zod3.25.564.4.1Major with documented API breakage (parse / safeParse / inference changes); not a drop-in upgrade
@types/node (dev)22.19.1725.6.0Intentionally pinned; should track the Node major actually in use (Node 22)

Verification

> pnpm build
> tsc -noEmit -skipLibCheck && node esbuild.config.mjs production
(exit 0)

main.js rebuilt at 31kb. No TypeScript diagnostics, no esbuild warnings beyond a transitive pnpm peer-dep warning (see Open Items).

What Changed in Approach (the meta-lesson)

Previous modeThis mode
Bump packages with pnpm update --latest and call it doneStage bumps in two phases — within-major first, majors held for review
Pin @types/node to whatever --latest resolvesPin @types/node to match the Node major actually running locally
Add new runtime dependencies and trust they're wired inAudit imports before counting a dep as "in use" — added ≠ used
Leave version drift undocumented; rely on git log -- package.jsonWrite a changelog entry per dependency operation so the why survives

The lesson generalizing beyond cite-wide: package upgrades have a blast radius proportional to the major-version delta, and the right pacing is "within-major together, across-major one at a time with notes." pnpm update --latest flattens that distinction and is the wrong default for a plugin that has to keep working inside a third-party host (Obsidian).

Open Items

  • fastify, @modelcontextprotocol/sdk, and zod appear unused. A grep for imports across src/ and main.ts returned zero matches for any of the three. They were added in commit 644582d add(packages): add Fastify, MCP, and Zod and never wired into the plugin. An Obsidian plugin runs in Obsidian's Electron context and does not host an HTTP server, so fastify is structurally unlikely to belong here. Decision pending: confirm and remove, or wire them into a feature that justifies their presence.

  • zod 3 → 4 deferred. If the unused-deps decision goes toward removal, this becomes moot. If we keep zod, the v4 migration is its own ticket — the API changes are non-trivial.

  • typescript 5.8 → 6.0 deferred. Plugin builds with -skipLibCheck; a TS 6 bump should be paired with a clean library-check pass to confirm no upstream type drift bites us.

  • eslint 9 → 10 deferred. No lint script is wired into package.json (scripts only has dev, build, version), so the eslint deps exist but aren't running in CI/dev. Worth resolving the "is eslint actually part of this project's workflow?" question before chasing the major bump.

  • Peer-dep warning, benign. obsidian@1.12.3 declares peer requirements on @codemirror/state@6.5.0 and @codemirror/view@6.38.6; pnpm resolved 6.5.2 and 6.37.1 transitively. Build and typecheck both pass, so this is logged but not actioned.

  • styles.css shows modified in git status from before this work began. Not touched by the upgrade. Pre-existing change in the worktree, flagged so it isn't conflated with the dependency commit.

Files Touched

cite-wide/
├── package.json         (modified — version specs for the 8 bumped packages)
├── pnpm-lock.yaml       (modified — full lockfile refresh against the new specs)
└── changelog/                                       (originally created at context-v/changelogs/; relocated to repo-root changelog/ on 2026-05-17)
    └── 2026-05-01_01.md       (created — this file; bootstraps the changelog habit here)

Reference

  • Format borrowed from: astro-knots/sites/calmstorm-decks/context-v/changelogs/2026-05-01_01.md

  • Prior undocumented upgrade in this project: commit 424b787 upgrade(packages): all packages are now up to date

  • Commit that introduced the now-suspected-unused deps: 644582d add(packages): add Fastify, MCP, and Zod

  • Local Node runtime at time of upgrade: node v22.18.0 (drives the @types/node 22.x pin)