
feat: make dependency versions be fixed #2357

Merged
wilsonrivera merged 2 commits into main from wilson/eng-8551-make-cli-dependencies-fixed
Nov 24, 2025

Conversation


@wilsonrivera wilsonrivera commented Nov 24, 2025

Summary by CodeRabbit

  • Chores
    • Locked all dependencies and devDependencies to exact versions instead of flexible version ranges. This significantly improves build reproducibility, ensures consistent behavior across different environments and development team members, and prevents unintended automatic updates to transitive dependencies between installations.
    • Updated undici and zod packages to incorporate latest security and stability improvements.



coderabbitai Bot commented Nov 24, 2025

Important: Review skipped

Review was skipped due to path filters.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml


Walkthrough

The cli/package.json file updates dependency version specifiers from caret-prefixed ranges to exact pinned versions for both dependencies and devDependencies. Minor patch version updates are applied to undici and zod, while other dependencies retain their major/minor versions but transition to exact version constraints.

Changes

Dependency version pinning (cli/package.json): Converted caret-prefixed version ranges (e.g., "^1.9.0") to exact versions across dependencies and devDependencies. Updated undici from 6.21.1 to 6.21.2 and zod from 3.22.4 to 3.24.2. Remaining dependencies maintain their major/minor versions but lock to exact pins.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Minor complexity due to repetitive nature of version pin conversions across multiple dependencies
  • Verify specific version bumps for undici and zod are intentional
  • Confirm no breaking changes introduced by zod version jump from 3.22.4 to 3.24.2


Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: converting dependency versions from caret-prefixed ranges to fixed/exact versions in cli/package.json.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

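The caret-to-exact conversion described in the walkthrough, as an added example that is not part of this PR or the cosmo project: a Node script that flags floating specifiers in a package.json manifest and pins the simple caret/tilde cases, leaving ranges and dist-tags for a human to resolve against the lockfile. The sample manifest is constructed, not the real cli/package.json.

```javascript
// Added example (not from the PR): audit a package.json for specifiers that
// are not exact pins, and produce a pinned copy. Suitable as a CI guard so the
// policy this PR introduced does not regress on the next dependency bump.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// An exact pin is a bare semver version, optionally with prerelease/build parts.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT.test(spec);
}

// List every {section, name, spec} whose specifier floats (^, ~, ranges, tags, URLs).
function findFloatingSpecs(manifest) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isExactPin(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Pin a caret/tilde specifier to the base version it names. Anything else
// ("latest", ">=1 <2", git/file URLs) returns null so a person resolves it
// from the lockfile instead of the tool guessing. Note the base version may be
// older than what the lockfile actually resolved (this PR bumped undici to
// 6.21.2), so the lockfile remains the source of truth for the final pin.
function pinSpec(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec);
  return m ? m[1] : null;
}

// Return a deep copy with simple cases pinned plus the entries left unresolved.
function pinManifest(manifest) {
  const pinned = JSON.parse(JSON.stringify(manifest));
  const unresolved = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pinned[section] || {})) {
      if (isExactPin(spec)) continue;
      const exact = pinSpec(spec);
      if (exact) pinned[section][name] = exact;
      else unresolved.push({ section, name, spec });
    }
  }
  return { pinned, unresolved };
}

// Constructed sample manifest for the demo.
const sample = {
  dependencies: { undici: "^6.21.1", zod: "3.24.2", "left-pad": ">=1.0.0 <2.0.0" },
  devDependencies: { typescript: "~5.6.0", vitest: "latest" },
};
```

Wiring `findFloatingSpecs(JSON.parse(fs.readFileSync("package.json")))` into a CI step and failing on a non-empty result enforces the pin policy; `pinManifest` is only a starting point for the rewrite.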


github-actions Bot commented Nov 24, 2025

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-79f7830156145dd4813d9e5e3552fcf0c5400585


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between 0a4517a and cf21fa4.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • cli/package.json (1 hunks)

Comment thread cli/package.json
Comment thread cli/package.json

@StarpTech StarpTech left a comment


LGTM

@wilsonrivera wilsonrivera merged commit 9962d7f into main Nov 24, 2025
55 of 56 checks passed
@wilsonrivera wilsonrivera deleted the wilson/eng-8551-make-cli-dependencies-fixed branch November 24, 2025 20:54
@ggarnier

@wilsonrivera perfect timing for that change; posthog-node versions 4.18.1 are known to be infected: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24


3 participants