
Upgrade nanoid to 3.3.8 #5306

Merged
merged 3 commits into from
Jan 30, 2025

Conversation

gonzaloriestra (Contributor)

WHY are these changes introduced?

Fixes https://github.com/Shopify/cli/security/dependabot/126

WHAT is this pull request doing?

Pins nanoid to 3.3.8

How to test your changes?

CI

Measuring impact

How do we know this change was effective? Please choose one:

  • n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • Existing analytics will cater for this addition
  • PR includes analytics changes to measure impact

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes

@gonzaloriestra gonzaloriestra requested a review from a team as a code owner January 29, 2025 14:24
Contributor

github-actions bot commented Jan 29, 2025

Coverage report

| St. | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🟡 | Statements | 75.45% (+0.01% 🔼) | 8965/11882 |
| 🟡 | Branches | 70.63% (+0.02% 🔼) | 4365/6180 |
| 🟡 | Functions | 75.3% | 2353/3125 |
| 🟡 | Lines | 75.96% (+0.02% 🔼) | 8469/11150 |

Files with reduced coverage:

| St. | File | Statements | Branches | Functions | Lines |
| --- | --- | --- | --- | --- | --- |
| 🟢 | ... / app-event-watcher.ts | 95.18% (-1.2% 🔻) | 86.49% (-2.7% 🔻) | 95.45% | 100% |

Test suite run success

2024 tests passing in 907 suites.

Report generated by 🧪jest coverage report action from 295d8ba

Contributor

Is this safe? nanoid seems to be a transitive dependency; if we force the resolution to a specific version, we could break the dependency that actually uses it, no?

@gonzaloriestra
Contributor Author

```
❯ pnpm why nanoid
devDependencies:
@shopify/eslint-plugin-cli file:packages/eslint-plugin-cli([email protected])([email protected])([email protected])([email protected])
└─┬ eslint-plugin-vitest 0.5.4
  └─┬ vitest 1.6.0 peer
    ├─┬ vite 5.4.12
    │ └─┬ postcss 8.4.49
    │   └── nanoid 3.3.7
    └─┬ vite-node 1.6.0
      └─┬ vite 5.4.12
        └─┬ postcss 8.4.49
          └── nanoid 3.3.7
vitest 1.6.0
├─┬ vite 5.4.12
│ └─┬ postcss 8.4.49
│   └── nanoid 3.3.7
└─┬ vite-node 1.6.0
  └─┬ vite 5.4.12
    └─┬ postcss 8.4.49
      └── nanoid 3.3.7
```

The nanoid dependency comes from [email protected], which requires ^3.3.7. So it should be compatible with 3.3.8.

They started requiring ^3.3.8 on [email protected], but the latest version of vite is still requiring 8.4.

So the only way I can think of to update nanoid is to add the resolution from this PR, or alternatively a resolution to force postcss to ^8.5.0. Any other idea?
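To make the compatibility argument above checkable, here is an added example (not code from this PR or from the Shopify CLI) that walks a constructed dependency tree shaped like the `pnpm why nanoid` output and reports whether forcing nanoid to 3.3.8 stays inside the `^3.3.7` range postcss declares; the tree layout, helper names and every range other than nanoid's are assumptions.

```javascript
// Added example, not code from the PR: list every package that depends on a
// target inside a pnpm-style tree and check that a forced (overridden) version
// still satisfies the range each dependent declares. Tree is constructed.

// Split "x.y.z" (optionally prefixed with ^) into numeric parts.
const parse = (v) => v.replace(/^\^/, '').split('.').map(Number);

// strcmp-style comparison of two x.y.z versions.
function compareVersions(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal npm caret semantics for major >= 1: ^x.y.z allows >=x.y.z <(x+1).0.0;
// a range without a caret only admits that exact version.
function satisfiesRange(version, range) {
  if (!range.startsWith('^')) return compareVersions(version, range) === 0;
  return parse(version)[0] === parse(range)[0] && compareVersions(version, range) >= 0;
}

// Constructed tree mirroring the thread: vitest -> vite -> postcss -> nanoid,
// with vite reached a second time through vite-node. Only nanoid's range
// (^3.3.7, declared by postcss 8.4.49) comes from the thread; others are assumed.
const vite = { name: 'vite', version: '5.4.12', range: '^5.0.0', deps: [
  { name: 'postcss', version: '8.4.49', range: '^8.4.43', deps: [
    { name: 'nanoid', version: '3.3.7', range: '^3.3.7', deps: [] },
  ]},
]};
const tree = { name: 'vitest', version: '1.6.0', deps: [
  vite,
  { name: 'vite-node', version: '1.6.0', range: '1.6.0', deps: [vite] },
]};

// Collect every edge pointing at `target`, with the path that reaches it.
function findDependents(node, target, path = [], out = []) {
  const here = [...path, `${node.name}@${node.version}`];
  for (const dep of node.deps) {
    if (dep.name === target) out.push({ via: here.join(' > '), range: dep.range });
    findDependents(dep, target, here, out);
  }
  return out;
}

// Is forcing `target` to `version` inside every dependent's declared range?
function checkOverride(root, target, version) {
  const dependents = findDependents(root, target);
  const conflicts = dependents.filter((d) => !satisfiesRange(version, d.range));
  return { dependents: dependents.length, conflicts, safe: conflicts.length === 0 };
}
```

`checkOverride(tree, 'nanoid', '3.3.8')` reports two dependents and no conflicts, while `'4.0.0'` flags both paths, which is the check to run before adding a resolution or override.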

@isaacroldan
Contributor

Umm, if this is all because of vitest, we should definitely upgrade it; I just checked and they are on version 3.0.2 now 😬

Contributor Author

gonzaloriestra commented Jan 30, 2025

I'm doing that in #5317, but that doesn't update nanoid, because the latest version of vite is not yet using the latest version of postcss.

@isaacroldan
Contributor

ahg, I guess they'll fix it at some point, but yeah, this is the problem with transitive dependencies 😢

@gonzaloriestra gonzaloriestra added this pull request to the merge queue Jan 30, 2025
Merged via the queue into main with commit f6d9546 Jan 30, 2025
26 checks passed
@gonzaloriestra gonzaloriestra deleted the upgrade-nanoid branch January 30, 2025 15:22