Dependency Management

Relevant source files

Purpose and Scope

This document details the dependency management strategy for git-merged-branches, including the package manager choice (pnpm), dependency categories, and the pnpm.overrides mechanism for replacing polyfills with @nolyfill alternatives. For build tooling configuration, see Build System. For CI/CD dependency installation, see CI/CD Pipeline.

The project maintains zero runtime dependencies, relying exclusively on Node.js built-ins and Git CLI commands. All dependencies are development-time tools for building, testing, and linting.

Package Manager: pnpm

git-merged-branches uses pnpm as its package manager, specifically version 10.34.1 as defined in package.json10 The project includes a pnpm-lock.yaml file using lockfile version 9.0 pnpm-lock.yaml1

Key Characteristics

Aspect	Implementation
Package Manager	`pnpm@10.34.1` package.json10
Lock file	`pnpm-lock.yaml` (Version 9.0) pnpm-lock.yaml1
Override mechanism	`pnpm.overrides` field in `package.json` package.json57-78
Engine Requirements	`node >=22.18.0` package.json36

Sources: package.json10-37 pnpm-lock.yaml1-6

Dependency Categories

Development Dependencies Only

The project has no production dependencies. All dependencies are declared as devDependencies in package.json47-56

Diagram: Development dependency categories in package.json

Sources: package.json47-56

Dependency Breakdown

Package	Version	Purpose
`@types/node`	`^25.9.1`	TypeScript type definitions for Node.js APIs package.json48
`commit-and-tag-version`	`^12.7.3`	Automated versioning and changelog generation package.json49
`eslint`	`~9.39.4`	JavaScript/TypeScript linting engine package.json50
`neostandard`	`^0.13.0`	Modern ESLint configuration preset package.json51
`publint`	`^0.3.21`	Package.json validation for npm publishing package.json52
`tsdown`	`^0.22.2`	TypeScript bundler for Node.js packages package.json53
`typescript`	`^6.0.3`	TypeScript compiler package.json54
`vitest`	`^4.1.8`	Test framework for unit tests package.json55

Sources: package.json47-56 pnpm-lock.yaml29-55

pnpm Overrides Strategy

The project uses pnpm.overrides to replace common polyfill packages with @nolyfill alternatives. These alternatives provide minimal implementations for features already available in modern JavaScript runtimes, which is appropriate given the project's requirement for Node.js ^22.18.0 package.json36

Override Mechanism

The pnpm.overrides field in package.json57-78 redirects dependency resolution for specific packages. This configuration is mirrored in pnpm-lock.yaml7-25

Diagram: pnpm.overrides redirects standard polyfills to @nolyfill packages

Sources: package.json57-78 pnpm-lock.yaml7-25

Complete Override List

The following 18 packages are overridden to use @nolyfill equivalents:

Original Package	Override Target
`array-includes`	`npm:@nolyfill/array-includes@^1`
`array.prototype.findlast`	`npm:@nolyfill/array.prototype.findlast@^1`
`array.prototype.flat`	`npm:@nolyfill/array.prototype.flat@^1`
`array.prototype.flatmap`	`npm:@nolyfill/array.prototype.flatmap@^1`
`array.prototype.tosorted`	`npm:@nolyfill/array.prototype.tosorted@^1`
`es-iterator-helpers`	`npm:@nolyfill/es-iterator-helpers@^1`
`hasown`	`npm:@nolyfill/hasown@^1`
`is-core-module`	`npm:@nolyfill/is-core-module@^1`
`isarray`	`npm:@nolyfill/isarray@^1`
`object-keys`	`npm:@nolyfill/object-keys@^1`
`object.assign`	`npm:@nolyfill/object.assign@^1`
`object.entries`	`npm:@nolyfill/object.entries@^1`
`object.fromentries`	`npm:@nolyfill/object.fromentries@^1`
`object.values`	`npm:@nolyfill/object.values@^1`
`safe-buffer`	`npm:@nolyfill/safe-buffer@^1`
`string.prototype.matchall`	`npm:@nolyfill/string.prototype.matchall@^1`
`string.prototype.repeat`	`npm:@nolyfill/string.prototype.repeat@^1`
`typedarray`	`npm:@nolyfill/typedarray@^1`

Sources: package.json59-76 pnpm-lock.yaml8-25

Lock File Management

The pnpm-lock.yaml file serves as the authoritative source for exact dependency versions and integrity hashes, ensuring reproducible builds.

Lock File Settings

The lockfile configuration in pnpm-lock.yaml3-5 includes:

autoInstallPeers: true: Automatically installs peer dependencies.
excludeLinksFromLockfile: false: Includes symlinks in the lockfile.

Resolution and Importers

The importers section in pnpm-lock.yaml27-55 maps the local development environment to specific resolved versions:

eslint resolves to 9.39.4 pnpm-lock.yaml39
typescript resolves to 6.0.3 pnpm-lock.yaml51
vitest resolves to 4.1.8 with its specific peer dependency tree pnpm-lock.yaml54

Sources: pnpm-lock.yaml1-55

Dependency Update Control

The project uses .ncurc.yaml to manage how npm-check-updates (NCU) interacts with the codebase.

Setting	Value	Purpose
`enginesNode`	`true`	Check engine requirements .ncurc.yaml1
`reject`	`pnpm`, `eslint`	Prevents automatic updates of these packages to avoid breaking changes or known issues .ncurc.yaml3-5

Specifically, eslint is rejected from automatic updates due to compatibility issues with neostandard .ncurc.yaml5

Sources: .ncurc.yaml1-6

Runtime Dependency Absence

A critical aspect of this project's dependency management is the complete absence of runtime dependencies. The package.json file has no dependencies field.

Why No Runtime Dependencies?

Diagram: Runtime dependency architecture

This design choice provides:

Minimal Installation Footprint: Users install only the bundled CLI.
No Version Conflicts: Eliminates runtime dependency resolution issues.
Security: Reduces attack surface by eliminating third-party runtime code.

Sources: package.json1-79 pnpm-lock.yaml27-55