build(deps): upgrade package dependencies (#2654)

Author: nperez0111

.github/workflows/build.yml

@@ -10,6 +10,7 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN }}
   NX_SELF_HOSTED_REMOTE_CACHE_SERVER: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_SERVER }}
+  pnpm_config_store_dir: ./node_modules/.pnpm-store
 
 jobs:
   build:

.github/workflows/fresh-install-tests.yml

@@ -1,21 +1,26 @@
 name: Fresh Install Tests
 
-# Periodically tests BlockNote with the latest versions of its dependencies
-# (within declared ranges), without a lockfile. This catches breakage when a
+# Periodically tests BlockNote with the latest versions of its production
+# dependencies (within declared semver ranges). This catches breakage when a
 # new release of a dep like @tiptap/* or prosemirror-* ships and conflicts
 # with BlockNote's declared ranges — the kind of failure a user would hit when
 # running `npm install @blocknote/react` in a fresh project.
 #
-# DevDependencies (vitest, vite, typescript, etc.) are still bounded by their
-# declared ranges in package.json; only prod/peer deps get freshly resolved.
+# Only production dependencies of published (non-private) packages are updated.
+# DevDependencies (vitest, vite, typescript, etc.) stay pinned to the lockfile,
+# so test tooling churn doesn't cause false positives.
 
 on:
+  push:
+    branches:
+      - package-upgrades
   schedule:
     - cron: "0 2 * * *" # Daily at 02:00 UTC
   workflow_dispatch: # Allow manual runs
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  pnpm_config_store_dir: ./node_modules/.pnpm-store
 
 jobs:
   fresh-install-unit-tests:
@@ -35,19 +40,32 @@ jobs:
         uses: actions/setup-node@v6
         with:
           node-version-file: ".nvmrc"
-          # Intentionally no pnpm cache — we want a genuinely fresh install
-
-      - id: remove_lockfile
-        name: Remove lockfile to force fresh dep resolution
-        # Removing pnpm-lock.yaml causes pnpm to resolve all dependencies to
-        # the latest versions that satisfy the ranges declared in package.json
-        # (including pnpm-workspace.yaml overrides). This is equivalent to what
-        # a new user experiences when installing BlockNote in a blank project.
-        run: rm pnpm-lock.yaml
+          # Intentionally no pnpm cache — we want fresh prod dep resolution
 
       - id: install_dependencies
         name: Install dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install
+
+      - id: update_prod_deps
+        name: Update prod deps of published packages
+        # Resolves production dependencies of every published (non-private)
+        # workspace package to the latest version within their declared semver
+        # ranges. This simulates what a user gets when running
+        # `npm install @blocknote/react` in a fresh project.
+        # DevDependencies are left at their lockfile versions.
+        run: |
+          FILTERS=$(node -e "
+            const fs = require('fs');
+            const path = require('path');
+            fs.readdirSync('packages').forEach(dir => {
+              try {
+                const pkg = JSON.parse(fs.readFileSync(path.join('packages', dir, 'package.json'), 'utf8'));
+                if (!pkg.private && pkg.name) process.stdout.write('--filter ' + pkg.name + ' ');
+              } catch {}
+            });
+          ")
+          echo "Updating prod deps for: $FILTERS"
+          eval pnpm update --prod $FILTERS
 
       - id: build_packages
         name: Build packages
@@ -84,10 +102,10 @@ jobs:
             failed_step="Install pnpm"
           elif [ "${{ steps.setup_node.outcome }}" = "failure" ]; then
             failed_step="Setup Node.js"
-          elif [ "${{ steps.remove_lockfile.outcome }}" = "failure" ]; then
-            failed_step="Remove lockfile to force fresh dep resolution"
           elif [ "${{ steps.install_dependencies.outcome }}" = "failure" ]; then
             failed_step="Install dependencies"
+          elif [ "${{ steps.update_prod_deps.outcome }}" = "failure" ]; then
+            failed_step="Update prod deps of published packages"
           elif [ "${{ steps.build_packages.outcome }}" = "failure" ]; then
             failed_step="Build packages"
           elif [ "${{ steps.run_unit_tests.outcome }}" = "failure" ]; then

.github/workflows/publish.yaml

@@ -17,6 +17,7 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN }}
   NX_SELF_HOSTED_REMOTE_CACHE_SERVER: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_SERVER }}
+  pnpm_config_store_dir: ./node_modules/.pnpm-store
 
 jobs:
   publish:

docs/package.json

@@ -52,11 +52,11 @@
     "@react-email/render": "^2.0.4",
     "@react-pdf/renderer": "^4.3.0",
     "@sentry/nextjs": "^10.34.0",
-    "@shikijs/core": "^3.19.0",
-    "@shikijs/engine-javascript": "^3.19.0",
-    "@shikijs/langs-precompiled": "^3.19.0",
-    "@shikijs/themes": "^3.19.0",
-    "@shikijs/types": "^3.19.0",
+    "@shikijs/core": "^4",
+    "@shikijs/engine-javascript": "^4",
+    "@shikijs/langs-precompiled": "^4",
+    "@shikijs/themes": "^4",
+    "@shikijs/types": "^4",
     "@tiptap/core": "^3.13.0",
     "@uppy/core": "^3.13.1",
     "@uppy/dashboard": "^3.9.1",
@@ -94,7 +94,7 @@
     "react-icons": "^5.5.0",
     "react-use-measure": "^2.1.7",
     "scroll-into-view-if-needed": "^3.1.0",
-    "shiki": "^3.21.0",
+    "shiki": "^4",
     "tailwind-merge": "^3.4.0",
     "y-partykit": "^0.0.25",
     "yjs": "^13.6.27",
@@ -131,4 +131,4 @@
     "tw-animate-css": "^1.4.0",
     "typescript": "^5.9.3"
   }
-}
+}

examples/01-basic/01-minimal/package.json

@@ -26,6 +26,6 @@
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }

examples/01-basic/02-block-objects/package.json

@@ -26,6 +26,6 @@
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }

examples/01-basic/03-multi-column/package.json

@@ -16,17 +16,17 @@
     "@blocknote/mantine": "latest",
     "@blocknote/react": "latest",
     "@blocknote/shadcn": "latest",
+    "@blocknote/xl-multi-column": "latest",
     "@mantine/core": "^8.3.11",
     "@mantine/hooks": "^8.3.11",
     "@mantine/utils": "^6.0.22",
     "react": "^19.2.3",
-    "react-dom": "^19.2.3",
-    "@blocknote/xl-multi-column": "latest"
+    "react-dom": "^19.2.3"
   },
   "devDependencies": {
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }

examples/01-basic/04-default-blocks/package.json

@@ -26,6 +26,6 @@
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }

examples/01-basic/05-removing-default-blocks/package.json

@@ -26,6 +26,6 @@
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }

examples/01-basic/06-block-manipulation/package.json

@@ -26,6 +26,6 @@
     "@types/react": "^19.2.3",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
-    "vite": "^8.0.3"
+    "vite": "^8.0.8"
   }
 }