Dependency Refresh — Eight Packages Bumped to Latest Within Current Major, Build Verified Clean
First pass on package hygiene since the project's last broad upgrade. Eight dependencies advanced to the latest version within their current major (obsidian 1.8 → 1.12, esbuild 0.25 → 0.28, fastify 5.3 → 5.8, MCP SDK 1.12 → 1.29, both @typescript-eslint packages, builtin-modules, and @types/node held to the 22.x line to match the local Node 22 runtime). Four major bumps held back for review. The full build (`tsc -noEmit -skipLibCheck && esbuild production`) passes cleanly on the new lockfile.
Why Care?
This project pre-dates the changelog habit established in the rest of the
monorepo, so prior dependency bumps (upgrade(packages): all packages are now up
to date, add(packages): add Fastify, MCP, and Zod) shipped without any written
record of what moved or why. That makes it impossible to attribute build
behavior to a specific upgrade after the fact.
This entry starts the habit here. The work itself is unglamorous — packages got
bumped, the build still passes — but the discipline matters: the next time
something breaks after a pnpm install, the changelog tells us which version
ranges shifted and which majors we deliberately did not cross.
The other reason to log this carefully: two majors held back here (zod 3 → 4,
typescript 5.8 → 6.0) carry breaking changes. Recording the deferral with the
reasoning means a future contributor (or future me) sees the deferral was
deliberate, not an oversight.
What Was Updated
Bumps applied — latest within current major
| Package | Was | Now | Notes |
obsidian (dev) | 1.8.7 | 1.12.3 | Plugin host typings; biggest functional bump |
esbuild (dev) | 0.25.5 | 0.28.0 | Bundler; minor version, no config change required |
fastify | 5.3.3 | 5.8.5 | Within v5; see open item — currently unused in plugin source |
@modelcontextprotocol/sdk | 1.12.1 | 1.29.0 | Within v1; see open item — currently unused in plugin source |
@typescript-eslint/eslint-plugin (dev) | 8.33.1 | 8.59.1 | Lint tooling, paired with parser |
@typescript-eslint/parser (dev) | 8.33.1 | 8.59.1 | Lint tooling, paired with plugin |
builtin-modules (dev) | 5.0.0 | 5.1.0 | esbuild externals helper |
@types/node (dev) | 22.15.30 | 22.19.17 | Pinned to 22.x to match local node v22.18.0 |
Bumps deliberately held back
| Package | Current | Latest | Reason for deferral |
typescript (dev) | 5.8.3 | 6.0.3 | Major; want to read 6.0 release notes and check tsc -noEmit cleanliness before crossing |
eslint (dev) | 9.28.0 | 10.3.0 | Major; flat-config nuances and rule deprecations between 9 → 10 |
zod | 3.25.56 | 4.4.1 | Major with documented API breakage (parse / safeParse / inference changes); not a drop-in upgrade |
@types/node (dev) | 22.19.17 | 25.6.0 | Intentionally pinned; should track the Node major actually in use (Node 22) |
Verification
> pnpm build
> tsc -noEmit -skipLibCheck && node esbuild.config.mjs production
(exit 0) main.js rebuilt at 31kb. No TypeScript diagnostics, no esbuild warnings beyond
a transitive pnpm peer-dep warning (see Open Items).
What Changed in Approach (the meta-lesson)
| Previous mode | This mode |
Bump packages with pnpm update --latest and call it done | Stage bumps in two phases — within-major first, majors held for review |
Pin @types/node to whatever --latest resolves | Pin @types/node to match the Node major actually running locally |
| Add new runtime dependencies and trust they're wired in | Audit imports before counting a dep as "in use" — added ≠ used |
Leave version drift undocumented; rely on git log -- package.json | Write a changelog entry per dependency operation so the why survives |
The lesson generalizing beyond cite-wide: package upgrades have a blast radius
proportional to the major-version delta, and the right pacing is "within-major
together, across-major one at a time with notes." pnpm update --latest flattens
that distinction and is the wrong default for a plugin that has to keep working
inside a third-party host (Obsidian).
Open Items
fastify,@modelcontextprotocol/sdk, andzodappear unused. A grep for imports acrosssrc/andmain.tsreturned zero matches for any of the three. They were added in commit644582d add(packages): add Fastify, MCP, and Zodand never wired into the plugin. An Obsidian plugin runs in Obsidian's Electron context and does not host an HTTP server, sofastifyis structurally unlikely to belong here. Decision pending: confirm and remove, or wire them into a feature that justifies their presence.zod 3 → 4deferred. If the unused-deps decision goes toward removal, this becomes moot. If we keepzod, the v4 migration is its own ticket — the API changes are non-trivial.typescript 5.8 → 6.0deferred. Plugin builds with-skipLibCheck; a TS 6 bump should be paired with a clean library-check pass to confirm no upstream type drift bites us.eslint 9 → 10deferred. No lint script is wired intopackage.json(scriptsonly hasdev,build,version), so the eslint deps exist but aren't running in CI/dev. Worth resolving the "is eslint actually part of this project's workflow?" question before chasing the major bump.Peer-dep warning, benign.
obsidian@1.12.3declares peer requirements on@codemirror/state@6.5.0and@codemirror/view@6.38.6; pnpm resolved6.5.2and6.37.1transitively. Build and typecheck both pass, so this is logged but not actioned.styles.cssshows modified ingit statusfrom before this work began. Not touched by the upgrade. Pre-existing change in the worktree, flagged so it isn't conflated with the dependency commit.
Files Touched
cite-wide/
├── package.json (modified — version specs for the 8 bumped packages)
├── pnpm-lock.yaml (modified — full lockfile refresh against the new specs)
└── changelog/ (originally created at context-v/changelogs/; relocated to repo-root changelog/ on 2026-05-17)
└── 2026-05-01_01.md (created — this file; bootstraps the changelog habit here) Reference
Format borrowed from:
astro-knots/sites/calmstorm-decks/context-v/changelogs/2026-05-01_01.mdPrior undocumented upgrade in this project: commit
424b787 upgrade(packages): all packages are now up to dateCommit that introduced the now-suspected-unused deps:
644582d add(packages): add Fastify, MCP, and ZodLocal Node runtime at time of upgrade:
node v22.18.0(drives the@types/node22.x pin)