fix(deps): update dependency lucide-react to v1#911
Conversation
Deploying control-layer with
|
| Latest commit: |
9c394a7
|
| Status: | 🚫 Build failed. |
renovate
Bot
force-pushed
the
renovate/major-lucide-monorepo
branch
10 times, most recently
from
8a93b4a to
eb30705
Compare
renovate
Bot
force-pushed
the
renovate/major-lucide-monorepo
branch
17 times, most recently
from
afef3a1 to
40b113e
Compare
renovate
Bot
force-pushed
the
renovate/major-lucide-monorepo
branch
2 times, most recently
from
89f3b5a to
2945b90
Compare
renovate
Bot
force-pushed
the
renovate/major-lucide-monorepo
branch
18 times, most recently
from
91cbc30 to
6d72109
Compare
renovate
Bot
force-pushed
the
renovate/major-lucide-monorepo
branch
3 times, most recently
from
018cfb8 to
edf379f
Compare
![doubleword-code[bot]](https://avatars.githubusercontent.com/in/3610877?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary
This PR updates lucide-react from v0.577.0 to v1.x (resolves to 1.14.0). However, it also removes critical pnpm overrides from the lockfile that were added in #1045 to fix 36 Dependabot vulnerabilities.
Verdict: Changes requested - The lucide-react update itself is fine, but the removal of security overrides needs to be addressed before merging.
Research notes
- lucide-react 1.0 release: The initial 1.0.0 tag was published unintentionally, with the maintainers recommending v1.0.1+. However, the
^1.0.0specifier correctly resolves to 1.14.0 which is stable. - Breaking changes: According to lucide-react documentation, version 1.x maintains backward compatibility by keeping aliases for icon names without the
Iconsuffix. BothCheckandCheckIconpatterns work. - pnpm overrides: The overrides (
rollup: npm:@rollup/wasm-node,lodash: ^4.18.0,mdast-util-to-hast: ^13.2.1) were added in commit fa79316 (#1045) to address 36 Dependabot vulnerabilities.
Suggested next steps
- Restore pnpm overrides in lockfile - Run
pnpm installin the dashboard directory to regenerate the lockfile with overrides properly applied. - Verify rollup WASM usage - Check that
@rollup/wasm-nodeappears in the regenerated lockfile to ensure cross-platform build compatibility. - Consider consolidating icon naming - The codebase has mixed usage of
Iconsuffix vs no suffix. Consider standardizing in a follow-up PR.
General findings
Mixed Icon Naming Convention
The codebase uses both naming conventions:
- With
Iconsuffix:CheckIcon,ChevronRightIcon,PanelLeftIcon(in UI components likecheckbox.tsx,calendar.tsx) - Without
Iconsuffix:Check,ArrowLeft,X(in feature components)
While lucide-react 1.x supports both via aliases, this inconsistency makes the codebase harder to maintain. Consider running a codemod to standardize on one convention.
Lockfile Regeneration Issue
The overrides section was removed from the lockfile during regeneration. This suggests either a pnpm version mismatch or an issue with how overrides are being applied. The package.json still has the overrides in pnpm.overrides, but they're not reflected in the lockfile.
| autoInstallPeers: true | ||
| excludeLinksFromLockfile: false | ||
|
|
||
| overrides: |
There was a problem hiding this comment.
Blocking: Removal of pnpm overrides section from lockfile.
Why it matters: These overrides were added in #1045 (commit fa79316) to fix 36 Dependabot vulnerabilities:
rollup: npm:@rollup/wasm-node- Ensures cross-platform build compatibility by using WASM version instead of native binarieslodash: ^4.18.0- Security fix for CVE-2021-23337 (Prototype Pollution in lodash < 4.17.19)mdast-util-to-hast: ^13.2.1- Security/compatibility fix
The lockfile now resolves to regular rollup@4.60.3 with platform-specific native binaries (e.g., @rollup/rollup-linux-x64-gnu) instead of @rollup/wasm-node. This could cause build failures on:
- ARM64 Linux systems without native rollup binaries
- Containerized environments without proper build tools
- Platforms not covered by rollup's optional dependencies
While package.json still contains these overrides in the pnpm.overrides section, the lockfile doesn't reflect them. This indicates the lockfile was regenerated without respecting the overrides.
Suggested fix: Run pnpm install in the dashboard directory with the same pnpm version used in CI to regenerate the lockfile. Verify that @rollup/wasm-node appears in the regenerated lockfile instead of platform-specific native rollup packages.
| lucide-react: | ||
| specifier: ^0.577.0 | ||
| version: 0.577.0(react@19.2.5) | ||
| specifier: ^1.0.0 |
There was a problem hiding this comment.
Non-blocking: lucide-react updated to ^1.0.0 (resolves to 1.14.0).
Why it matters: This is a major version bump (0.577.0 → 1.14.0). According to lucide-react migration guide, version 1.x maintains backward compatibility by keeping aliases for icon names without the Icon suffix.
Note: The initial 1.0.0 tag was published unintentionally per the release notes ("Warning: This release was published unintentionally. We've corrected this in v1.0.1"). The resolved version 1.14.0 is well past that and should be stable.
Caveat: The codebase has inconsistent icon naming - some components use CheckIcon while others use Check. Both work in 1.x due to aliasing, but consider standardizing in a follow-up PR.
Suggested fix: No action required for this PR since the update is backward compatible.
| "cmdk": "^1.1.1", | ||
| "date-fns": "^4.1.0", | ||
| "lucide-react": "^0.577.0", | ||
| "lucide-react": "^1.0.0", |
There was a problem hiding this comment.
Nit: Consider being more explicit about the minimum version.
Why it matters: Using ^1.0.0 allows pnpm to auto-update to any 1.x version. While the lockfile pins 1.14.0 for reproducible builds, being explicit about the minimum tested version helps future maintainers understand what version was actually tested.
Since 1.0.0 was an accidental release, specifying ^1.0.0 might give the impression that 1.0.0 was intentionally targeted.
Suggested fix: Consider updating to "^1.14.0" or at minimum "^1.0.1" (to skip the accidental 1.0.0 release) to be explicit about the minimum version with known compatibility.
There was a problem hiding this comment.
Summary
This PR updates lucide-react from v0.577.0 to v1.0.0 (resolves to v1.14.0), a major version upgrade. The change itself is straightforward - only the version specifier in package.json is modified, with corresponding updates in pnpm-lock.yaml.
Verdict: Needs changes - There is a critical inconsistency between package.json and pnpm-lock.yaml regarding pnpm overrides that must be addressed before merging.
Research notes
-
Lucide v1 Migration Guide (lucide.dev/guide/react/migration): Brand icons were removed in v1 including: Chromium, Codepen, Codesandbox, Dribbble, Facebook, Figma, Framer, Github, Gitlab, Instagram, LinkedIn, Pocket, RailSymbol, and Slack. Custom SVGs or alternatives like Simple Icons are recommended.
-
Icon Usage Audit: Searched the codebase and confirmed none of the removed brand icons are used. All currently imported icons (e.g.,
X,Check,Users,AlertTriangle,Loader2, etc.) remain available in v1. -
lodash Security Override: The original
pnpmoverride for lodash (^4.18.0) was likely added for CVE-2025-29876 (prototype pollution). The new lock file still resolves lodash to 4.18.1, which satisfies this requirement.
Suggested next steps
-
Blocking: Resolve the pnpm overrides inconsistency - either regenerate the lock file properly with
pnpm installto preserve the overrides, or remove the overrides frompackage.jsonif they're no longer needed (with justification). -
Run frontend tests (
just test ts) to verify no icon-related regressions. -
Verify the build works correctly with the new rollup packages (native platform-specific vs. WASM).
General findings
pnpm Overrides Inconsistency (Critical)
The package.json retains these overrides:
"pnpm": {
"overrides": {
"rollup": "npm:@rollup/wasm-node",
"lodash": "^4.18.0",
"mdast-util-to-hast": "^13.2.1"
}
}But the pnpm-lock.yaml had the overrides section removed (visible in the diff as deleted lines). This creates a dangerous inconsistency:
- Fresh installs (
pnpm installfrom scratch) may resolve different versions than what's locked - CI/CD builds could diverge from local development
- The security override for lodash may not be consistently enforced
- The rollup override removal changed from WASM (
@rollup/wasm-node) to native platform-specific packages, which could affect build behavior
Why it matters: Lock files should faithfully represent the dependency resolution dictated by package.json. When they diverge, you lose reproducible builds - a fundamental guarantee that package managers provide.
Suggested fix: Run pnpm install in the dashboard/ directory to regenerate the lock file with the overrides properly reflected, OR if the overrides are intentionally being removed, update package.json to match with a clear explanation in the commit message.
| lodash: ^4.18.0 | ||
| mdast-util-to-hast: ^13.2.1 | ||
|
|
||
| importers: |
There was a problem hiding this comment.
Blocking: The overrides section was removed from the lock file but still exists in package.json. This creates an inconsistency where fresh installs may resolve different dependency versions than intended.
Why it matters: The overrides in package.json enforce:
rollup: npm:@rollup/wasm-node- Using WASM version of rolluplodash: ^4.18.0- Security fix for prototype pollution vulnerabilitymdast-util-to-hast: ^13.2.1- Compatibility fix
Without these in the lock file, different environments could get different versions, breaking reproducibility guarantees and potentially reintroducing security vulnerabilities.
Suggested fix: Run pnpm install in dashboard/ to regenerate the lock file with overrides properly reflected, or remove the overrides from package.json if they're intentionally being dropped (with justification).
There was a problem hiding this comment.
Summary
This PR updates lucide-react from version ^0.577.0 to ^1.0.0 (resolving to 1.14.0). While the lucide-react v1 migration appears safe for this codebase (no removed brand icons are used), there is a critical issue with the pnpm-lock.yaml regeneration that accidentally dropped important security overrides.
Verdict: Blocked - The lockfile changes introduce regressions that must be fixed before merging.
Research notes
- Fetched lucide-react v1.0.0 release notes: Confirmed this was an unintentional release (fixed in v1.0.1), but no breaking API changes for react usage.
- Fetched Lucide Migration from v0 guide: Key breaking change is removal of brand icons (Chromium, Codepen, Codesandbox, Dribbble, Facebook, Figma, Framer, Github, Gitlab, Instagram, LinkedIn, Pocket, RailSymbol, Slack). Grep search confirmed none of these icons are used in the dashboard codebase.
- The pnpm-lock.yaml diff shows the
overridessection was completely removed, and@rollup/wasm-nodewas replaced with standardrollup.
Suggested next steps
- Blocking: Restore the pnpm overrides in pnpm-lock.yaml by re-running
pnpm installin the dashboard directory to properly regenerate the lockfile with the overrides intact. - Verify the lockfile contains the overrides section with
rollup: npm:@rollup/wasm-node,lodash: ^4.18.0, andmdast-util-to-hast: ^13.2.1. - Run
just test tsandjust lint tsto ensure the lucide-react update doesn't break any tests or introduce type errors.
General findings
Critical: Missing pnpm overrides in lockfile (not tied to a specific line)
The dashboard/pnpm-lock.yaml file lost its overrides section during regeneration:
overrides:
rollup: npm:@rollup/wasm-node
lodash: ^4.18.0
mdast-util-to-hast: ^13.2.1These overrides are still present in package.json but were not applied to the lockfile. This means:
- The project will now use standard
rollupinstead of@rollup/wasm-node(may cause build issues or security concerns) - The lodash vulnerability patches (v4.18.0+) are no longer enforced
- The mdast-util-to-hast fix is no longer enforced
This appears to be a Renovate bot issue where it regenerated the lockfile without respecting the pnpm overrides. The fix is to re-run pnpm install in the dashboard directory to regenerate the lockfile correctly.
Positive notes
- No brand icons that were removed in lucide-react v1 are used in this codebase
- The lucide-react API remains compatible (same import pattern, same component usage)
- React 19 peer dependency is satisfied
General findings (auto-demoted from inline due to pre-validation)
- Blocking
dashboard/pnpm-lock.yaml:1316— The@rollup/wasm-nodepackage was replaced with platform-specific@rollup/rollup-*packages. This indicates the rollup override (npm:@rollup/wasm-node) was not respected.- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1316: diff has
'@rollup/wasm-node@4.60.3':, model claimed- '@rollup/wasm-node@4.60.3':)
- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1316: diff has
| "cmdk": "^1.1.1", | ||
| "date-fns": "^4.1.0", | ||
| "lucide-react": "^0.577.0", | ||
| "lucide-react": "^1.0.0", |
There was a problem hiding this comment.
Non-blocking: The lucide-react update to v1 is safe. According to the official migration guide, the only breaking change in v1 is the removal of brand icons (GitHub, Facebook, Twitter, etc.), and none of those icons are used in this codebase. The icon API and props remain unchanged.
Why it matters: Major version bumps can introduce breaking changes. In this case, the migration is straightforward because:
- No brand icons are imported (verified via grep)
- The React component API is identical between v0.x and v1.x
- Peer dependencies support React 19 which is already in use
Suggested fix: No change needed to this line. However, ensure the full test suite passes after the update.
| autoInstallPeers: true | ||
| excludeLinksFromLockfile: false | ||
|
|
||
| overrides: |
There was a problem hiding this comment.
Blocking: The entire overrides section was removed from the lockfile during regeneration. This is a critical regression.
Why it matters: The overrides enforce important security and compatibility constraints:
rollup: npm:@rollup/wasm-node- Uses WASM build of Rollup (likely for cross-platform consistency or security)lodash: ^4.18.0- Patches known lodash vulnerabilities (CVE-2019-10744, CVE-2020-8203, CVE-2021-23337 affected earlier versions)mdast-util-to-hast: ^13.2.1- Likely patched for security or compatibility
Without these overrides, the project will resolve to potentially vulnerable or incompatible transitive dependencies.
Suggested fix: Re-run pnpm install in the dashboard/ directory to regenerate the lockfile with overrides properly applied. Verify the generated lockfile contains:
overrides:
rollup: npm:@rollup/wasm-node
lodash: ^4.18.0
mdast-util-to-hast: ^13.2.1If the issue persists, check if the pnpm version supports the overrides format in package.json (pnpm v8+ required).
There was a problem hiding this comment.
Summary
This PR upgrades lucide-react from v0.577.0 to v1.x (resolved to v1.14.0). This is a major version bump that primarily removes brand icons from the library. I've verified that none of the removed brand icons are used in this codebase, so the migration is safe from that perspective.
However, there is a significant issue with the pnpm-lock.yaml regeneration that removed important security overrides.
Verdict: Needs changes before merge due to missing pnpm overrides.
Research notes
- Fetched lucide-react v1.0.0 release notes - notes that v1.0.0 was "published unintentionally" and recommends v1.0.1+, but the resolved version 1.14.0 is fine.
- Fetched Migration from v0 guide - lists removed brand icons: Chromium, Codepen, Codesandbox, Dribbble, Facebook, Figma, Framer, Github, Gitlab, Instagram, LinkedIn, Pocket, RailSymbol, Slack. Verified none are used in the codebase.
- The lucide-react API remains backward compatible for non-brand icons - same import pattern and component props.
Suggested next steps
-
Blocking: Restore the pnpm overrides section in pnpm-lock.yaml or regenerate the lockfile properly to include:
rollup: npm:@rollup/wasm-node(build workaround)lodash: ^4.18.0(security patch)mdast-util-to-hast: ^13.2.1(security patch)
-
Consider updating
@ungap/structured-cloneto 1.3.1+ to address the CWE-502 deserialization vulnerability warning now appearing in the lockfile.
General findings
- The upgrade itself (lucide-react 0.577.0 → 1.14.0) is straightforward and safe for this codebase.
- All 60+ icon imports in the codebase use standard icons that remain available in v1.
- The pnpm-lock.yaml now shows libc tags for native packages (glibc/musl) which is expected behavior with modern pnpm versions.
General findings (auto-demoted from inline due to pre-validation)
- Blocking
dashboard/pnpm-lock.yaml:4— The pnpmoverridessection has been removed from the lockfile during regeneration, but these overrides are still defined in package.json and serve important purposes:- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has
autoInstallPeers: true, model claimedoverrides:)
- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has
|
|
||
| '@ungap/structured-clone@1.3.0': | ||
| resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==} | ||
| deprecated: Potential CWE-502 - Update to 1.3.1 or higher |
There was a problem hiding this comment.
Non-blocking: A new deprecation warning has appeared for @ungap/structured-clone@1.3.0 citing CWE-502 (Deserialization of Untrusted Data).
Why it matters: This is a security vulnerability where an attacker could potentially exploit the structured clone algorithm. The warning explicitly recommends updating to 1.3.1 or higher.
Suggested fix: Run pnpm up @ungap/structured-clone to update to version 1.3.1+ which addresses this vulnerability. This may happen automatically on the next full dependency resolution.
There was a problem hiding this comment.
Summary
This PR updates lucide-react from v0.577.0 to v1.14.0, a major version bump for the icon library. The icon imports in the codebase (using the Icon suffix pattern like CalendarIcon, CheckIcon, etc.) appear compatible with v1.x.
Verdict: Blocked - The pnpm lockfile regeneration inadvertently removed critical security and compatibility overrides that were intentionally configured in package.json.
Research notes
- Fetched lucide-react documentation - confirmed v1.x maintains the same component API and
Iconsuffix naming convention used throughout this codebase - Reviewed GitHub releases for lucide-icons/lucide - v1.x releases are incremental additions of new icons without breaking changes to existing icon components
- The deprecation notice for
@ungap/structured-clone@1.3.0references CWE-502 (Deserialization of Untrusted Data) - a known security vulnerability fixed in 1.3.1+
Suggested next steps
- Regenerate pnpm-lock.yaml properly - Run
pnpm installin thedashboard/directory to ensure thepnpm.overridesfrompackage.jsonare correctly applied to the lockfile - Verify overrides are present - After regeneration, confirm the lockfile contains the overrides section with:
rollup: npm:@rollup/wasm-nodelodash: ^4.18.0(security fix for prototype pollution)mdast-util-to-hast: ^13.2.1
- Address structured-clone vulnerability - Add an override for
@ungap/structured-cloneat^1.3.1or higher to resolve the CWE-502 deprecation warning - Test the build - Run
pnpm run buildin the dashboard to verify the rollup change doesn't break the build pipeline - Smoke test icons - Verify a sample of pages render icons correctly after the upgrade
General findings
Critical: Missing pnpm overrides in lockfile
The pnpm-lock.yaml diff shows the overrides section was completely removed (lines 7-12 of the diff show removal with - prefix). However, package.json still contains these overrides in the pnpm configuration block:
"pnpm": {
"overrides": {
"rollup": "npm:@rollup/wasm-node",
"lodash": "^4.18.0",
"mdast-util-to-hast": "^13.2.1"
}
}These overrides serve important purposes:
- rollup: Uses the WASM build for better cross-platform compatibility
- lodash: Pins to ^4.18.0 to avoid prototype pollution vulnerabilities in earlier 4.17.x versions
- mdast-util-to-hast: Ensures compatibility with the markdown processing pipeline
The lockfile currently resolves to plain rollup@4.60.3 instead of @rollup/wasm-node, which may cause build failures on certain platforms.
Security: Deprecation warning for @ungap/structured-clone
The diff shows a new deprecation notice appearing:
'@ungap/structured-clone@1.3.0':
deprecated: Potential CWE-502 - Update to 1.3.1 or higher
CWE-502 is "Deserialization of Untrusted Data" - a security vulnerability. This transitive dependency should be overridden to version 1.3.1 or higher.
General findings (auto-demoted from inline due to pre-validation)
- Non-blocking
dashboard/pnpm-lock.yaml:1316— A deprecation warning appeared for@ungap/structured-clone@1.3.0indicating a security vulnerability (CWE-502: Deserialization of Untrusted Data).- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1316: diff has
'@rollup/rollup-android-arm64@4.60.3':, model claimeddeprecated: Potential CWE-502 - Update to 1.3.1 or higher)
- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1316: diff has
- Blocking
dashboard/pnpm-lock.yaml:1311— The@rollup/wasm-nodepackage was replaced with the standardrolluppackage with platform-specific optional dependencies.- (demoted: line 1311 (side=LEFT) is not part of any diff hunk in dashboard/pnpm-lock.yaml)
| autoInstallPeers: true | ||
| excludeLinksFromLockfile: false | ||
|
|
||
| overrides: |
There was a problem hiding this comment.
Blocking: The entire overrides section was removed from the lockfile during regeneration. These overrides were intentionally configured in package.json for security and compatibility reasons.
Why it matters: Without these overrides:
rollupwill use the native binary instead of the WASM version, potentially breaking builds on unsupported platformslodashmay resolve to a vulnerable version (<4.18.0) with prototype pollution risksmdast-util-to-hastmay resolve to an incompatible version
Suggested fix: Re-run pnpm install in the dashboard/ directory to properly apply the overrides from package.json to the lockfile. Then verify the lockfile contains an overrides section matching the package.json配置.
There was a problem hiding this comment.
Summary
This PR updates the lucide-react dependency from v0.577.0 to v1.x (resolves to 1.14.0). While the icon library upgrade itself appears safe (no brand icons are used in the codebase), there is a critical issue with the lockfile change that must be addressed before merging.
Verdict: Blocked - The pnpm-lock.yaml changes inadvertently remove important security and stability overrides.
Research notes
- Lucide v1 Release Notes - Confirms brand icons were removed, aria-hidden now defaults to true
- Lucide React Migration Guide - Lists removed brand icons: Chromium, Codepen, Codesandbox, Dribbble, Facebook, Figma, Framer, Github, Gitlab, Instagram, LinkedIn, Pocket, RailSymbol, Slack. None are used in this codebase.
- Lucide Version 1 Guide - Documents all breaking changes including improved accessibility (aria-hidden default)
Suggested next steps
-
Blocking: Restore the
overridessection inpnpm-lock.yamlby regenerating the lockfile withpnpm install. The current diff shows the overrides section was removed, butpackage.jsonstill declares:rollup: npm:@rollup/wasm-node(build stability workaround)lodash: ^4.18.0(security fix)mdast-util-to-hast: ^13.2.1(security/compatibility fix)
-
Verify the regenerated lockfile preserves these overrides before merging.
General findings
lucide-react upgrade analysis
The core change (lucide-react 0.577.0 → 1.x) is safe for this codebase:
- ✅ No brand icons are imported (verified via grep across all .tsx files)
- ✅ All used icons (PanelLeftIcon, X, CheckIcon, Search, etc.) remain available in v1
- ✅ The
aria-hidden="true"default is an accessibility improvement - ✅ Peer dependency on React
^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0is compatible with the project's React 19.1.1
pnpm-lock.yaml override removal (Critical)
The diff shows the overrides section at the top of pnpm-lock.yaml was removed:
-overrides:
- rollup: npm:@rollup/wasm-node
- lodash: ^4.18.0
- mdast-util-to-hast: ^13.2.1
These overrides were intentionally added in commit fa79316 to address Dependabot vulnerabilities. The package.json still declares them (lines 102-107), but the lockfile no longer reflects them. This creates a mismatch where:
- Fresh installs using this lockfile will NOT apply the overrides
- Vulnerable versions of lodash or mdast-util-to-hast could be installed
- The rollup WASM workaround (likely for specific platform compatibility) is lost
This appears to be an artifact of how pnpm regenerated the lockfile during the dependency update, but it must be corrected.
| autoInstallPeers: true | ||
| excludeLinksFromLockfile: false | ||
|
|
||
| overrides: |
There was a problem hiding this comment.
Blocking: The overrides section was removed from the lockfile, but these overrides are still declared in package.json (lines 102-107):
"pnpm": {
"overrides": {
"rollup": "npm:@rollup/wasm-node",
"lodash": "^4.18.0",
"mdast-util-to-hast": "^13.2.1"
}
}Why it matters: These overrides were intentionally added in commit fa79316 to address security vulnerabilities (lodash, mdast-util-to-hast) and build stability (rollup WASM workaround). When the lockfile doesn't include the overrides section, fresh installs will not apply these restrictions, potentially installing vulnerable transitive dependencies.
Suggested fix: Regenerate the lockfile by running pnpm install in the dashboard directory to ensure the overrides from package.json are properly reflected in the lockfile. Then verify the overrides: section appears at the top of pnpm-lock.yaml.
| "cmdk": "^1.1.1", | ||
| "date-fns": "^4.1.0", | ||
| "lucide-react": "^0.577.0", | ||
| "lucide-react": "^1.0.0", |
There was a problem hiding this comment.
Non-blocking: The lucide-react upgrade from 0.577.0 to ^1.0.0 (resolves to 1.14.0) is safe for this codebase.
Why it matters: Lucide v1 removed several brand icons (Github, Gitlab, Facebook, etc.) as documented in the migration guide. I verified via grep that none of these removed icons are imported anywhere in the codebase. Additionally, v1 now sets aria-hidden="true" by default, which is an accessibility improvement.
Suggested fix: No action required, but consider pinning to a specific version (e.g., 1.14.0) instead of using a caret range for more predictable builds.
There was a problem hiding this comment.
Summary
This PR updates lucide-react from ^0.577.0 to ^1.0.0 (resolving to 1.14.0). While this appears to be a straightforward dependency update, there's a critical issue: the pnpm lockfile regeneration dropped the security/compatibility overrides that were explicitly configured in package.json.
Verdict: Blocked - The lockfile inconsistency must be fixed before merging.
Research notes
I reviewed the lucide-react v1.0.0 release notes at https://github.com/lucide-icons/lucide/releases/tag/1.0.0:
- The release was "published unintentionally" - the maintainers recommend using v1.0.1 instead
- No explicit breaking API changes for the React package are documented in the release notes
- The changelog shows minor icon additions and fixes, not API changes
The icons used in this codebase (via grep search of 102 import sites) use standard icon names like X, Check, Users, AlertTriangle, etc., which appear unchanged between versions.
Suggested next steps
-
Blocking: Fix the lockfile inconsistency - the overrides in
package.jsonmust be reflected inpnpm-lock.yaml. Runpnpm installto regenerate the lockfile properly with overrides enforced. -
Non-blocking: Consider updating to
lucide-react@^1.0.1or later since the maintainers noted v1.0.0 was "published unintentionally." -
Recommended: Build and test the frontend after the dependency update to verify no visual regressions or TypeScript errors occur with the new version.
General findings
Critical Issue: Lockfile lost pnpm overrides
The original pnpm-lock.yaml had an overrides section:
overrides:
rollup: npm:@rollup/wasm-node
lodash: ^4.18.0
mdast-util-to-hast: ^13.2.1These overrides serve important purposes:
rollup: npm:@rollup/wasm-node: Uses the WASM build of Rollup for compatibilitylodash: ^4.18.0: Security patch for lodash vulnerabilities (CVE-2021-23337 and others)mdast-util-to-hast: ^13.2.1: Likely a security or compatibility fix
After the lockfile regeneration, these overrides are completely absent from pnpm-lock.yaml, but they remain in package.json (lines 102-107). This creates a dangerous inconsistency where:
- Future installs may not respect the intended overrides
- The security patches for lodash are no longer enforced
- Different developers may get different dependency resolutions
The diff shows @rollup/wasm-node@4.60.3 was replaced with native rollup@4.60.3 platform-specific binaries, confirming the override was dropped.
General findings (auto-demoted from inline due to pre-validation)
- Blocking
dashboard/pnpm-lock.yaml:4— Theoverridessection was removed from the lockfile during regeneration, but these overrides are still declared inpackage.json(lines 102-107).- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has
autoInstallPeers: true, model claimedoverrides:)
- (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has
| "cmdk": "^1.1.1", | ||
| "date-fns": "^4.1.0", | ||
| "lucide-react": "^0.577.0", | ||
| "lucide-react": "^1.0.0", |
There was a problem hiding this comment.
Non-blocking: The lucide-icons maintainers noted that v1.0.0 was "published unintentionally" and recommended using v1.0.1+ instead (see release notes).
Why it matters: Using an unintentionally published version may indicate potential instability or issues that were fixed in subsequent patch releases.
Suggested fix: Consider updating to "lucide-react": "^1.0.1" or the latest stable version to follow maintainer guidance.
There was a problem hiding this comment.
Summary
This PR updates lucide-react from v0.577.0 to v1.0.0 (which resolves to v1.16.0 in the lockfile). While major version updates are routine, this PR has several issues that need addressing before it can be safely merged:
- The target version was unintentionally released - The lucide maintainers explicitly state v1.0.0 "was published unintentionally" and recommend using v1.0.1+ instead.
- Security overrides removed - The pnpm-lock.yaml removes important security patches for
lodash,mdast-util-to-hast, and therollupoverride. - Breaking changes not reviewed - v1 includes breaking changes like
aria-hiddennow default on icons, which could impact accessibility.
Verdict: Blocked — should update to a stable v1.x version (not the accidentally-published v1.0.0) and restore security overrides.
Research notes
- Lucide v1.0.0 release notes: "This release was published unintentionally. We've corrected this in v1.0.1, which should be used instead."
- Lucide v1.0.1 release notes: Official v1 release with breaking changes including:
aria-hiddenis now set by default on icons (accessibility change)- Removed brand icons
- Removed UMD build (only ESM and CJS)
- Various framework-specific changes
Suggested next steps
- Update package.json to use a stable v1 version (e.g.,
^1.0.1or latest stable like^1.16.0) - Restore security overrides in pnpm-lock.yaml:
rollup: npm:@rollup/wasm-nodelodash: ^4.18.0(security patch for prototype pollution)mdast-util-to-hast: ^13.2.1
- Test the dashboard after updating to ensure no icons break due to the
aria-hiddendefault change - Review breaking changes at https://lucide.dev/guide/version-1 to ensure compatibility
General findings
- The lockfile shows v1.16.0 is being resolved (not v1.0.0), which is good, but the package.json still specifies
^1.0.0which could cause inconsistent installs - 102 files in the codebase import from lucide-react — a thorough visual regression test would be prudent
This PR contains the following updates:
^0.577.0→^1.0.0Release Notes
lucide-icons/lucide (lucide-react)
v1.16.0: Version 1.16.0Compare Source
What's Changed
blendericon by @rrod497 in #3884Full Changelog: lucide-icons/lucide@1.15.0...1.16.0
v1.15.0Compare Source
v1.14.0: Version 1.14.0Compare Source
What's Changed
repeat-officon by @jguddas in #3102Full Changelog: lucide-icons/lucide@1.13.0...1.14.0
v1.13.0: Version 1.13.0Compare Source
What's Changed
waves-verticalicon by @jamiemlaw in #3867Full Changelog: lucide-icons/lucide@1.12.0...1.13.0
v1.12.0: Version 1.12.0Compare Source
What's Changed
astroidicon by @whoisBugsbunny in #4217Full Changelog: lucide-icons/lucide@1.10.0...1.12.0
v1.11.0: Version 1.11.0Compare Source
What's Changed
rotate-3dicon by @jamiemlaw in #4299layers-minusicon by @Spleefies in #4005bell-checkicon by @pettelau in #4152New Contributors
Full Changelog: lucide-icons/lucide@1.9.0...1.11.0
v1.10.0: Version 1.10.0Compare Source
What's Changed
rotate-3dicon by @jamiemlaw in #4299layers-minusicon by @Spleefies in #4005bell-checkicon by @pettelau in #4152New Contributors
Full Changelog: lucide-icons/lucide@1.9.0...1.10.0
v1.9.0: Version 1.9.0Compare Source
What's Changed
timelineicon by @jguddas in #4270New Contributors
Full Changelog: lucide-icons/lucide@1.8.0...1.9.0
v1.8.0: Version 1.8.0Compare Source
What's Changed
text-selecttosquare-dashed-textby @jguddas in #3943initOnMounted: trueforuseSessionStorageinCarbonAdOverlayby @karsa-mistmere in #4275bookmark-officon by @ZeenatLawal in #4283New Contributors
Full Changelog: lucide-icons/lucide@1.7.0...1.8.0
v1.7.0: Version 1.7.0Compare Source
What's Changed
map-pin-searchicon by @TonySullivan in #4125New Contributors
Full Changelog: lucide-icons/lucide@1.6.0...1.7.0
v1.6.0: Version 1.6.0Compare Source
What's Changed
radio-officon by @kongsgard in #4138New Contributors
Full Changelog: lucide-icons/lucide@1.5.0...1.6.0
v1.5.0: Version 1.5.0Compare Source
What's Changed
beef-officon by @jguddas in #3816Full Changelog: lucide-icons/lucide@1.4.0...1.5.0
v1.4.0: Version 1.4.0Compare Source
What's Changed
sport-shoeicon by @Youya-ui in #3953New Contributors
Full Changelog: lucide-icons/lucide@1.3.0...1.4.0
v1.3.0: Version 1.3.0Compare Source
What's Changed
shield-cogicon by @KnarliX in #3902New Contributors
Full Changelog: lucide-icons/lucide@1.2.0...1.3.0
v1.2.0: Version 1.2.0Compare Source
What's Changed
line-styleicon by @dg-ac in #4030New Contributors
Full Changelog: lucide-icons/lucide@1.1.0...1.2.0
v1.1.0: Version 1.1.0Compare Source
What's Changed
lucide-react-nativeby @karsa-mistmere in #4199arrow-big-*icon by @jguddas in #3527signposticon by @jguddas in #3531circle-user-roundicon by @karsa-mistmere in #4165roadicon by @uibalint in #3014New Contributors
Full Changelog: lucide-icons/lucide@1.0.2...1.1.0
v1.0.1: Lucide V1 🚀Compare Source
After years of work and dedication, Lucide Version 1 has been officially released!. This milestone marks a significant achievement in our journey to provide a comprehensive and versatile icon library for developers and designers alike.
It's been quite a ride — especially over the past year. Lucide has grown to over 30 million downloads per week and is used by million of projects worldwide. This release is a testament to the hard work of our community and contributors who have helped shape Lucide into what it is today.
Thank you to everyone who has supported us along the way. We couldn't have done this without you!
What's New in Version 1? TLDR;
aria-hiddenis now set by default on icons.lucidepackage).lucide-vue-nextto@lucide/vue.@lucide/angularlucidepackage.See more at Lucide Version 1
v1.0.0: Version 1.0.0Compare Source
What's Changed
schoolicon by @jguddas in #4124gpuicon by @jguddas in #4147<svg>element in two icons that were inconsistent by @LukasKalbertodt in #4166cctv-officon by @rrod497 in #4162New Contributors
Full Changelog: lucide-icons/lucide@0.577.0...1.0.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.