totopo 3.8.0 → 3.8.1

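--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "totopo",
- "version": "3.8.0",
+ "version": "3.8.1",
  "description": "Run AI coding agents safely in your local codebase",
  "type": "module",
  "bin": {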
@@ -8,6 +8,15 @@
8
8
  # dockerfile_hook in totopo.yaml profiles.
9
9
  # =============================================================================
10
10
 
11
+ # ---------------------------------------------------------------------------
12
+ # Version pinning policy
13
+ # Infra tools whose major versions can change behavior are pinned exact so that
14
+ # fresh and --no-cache builds stay reproducible; bumping a pin edits this file,
15
+ # busts the build hash, and auto-prompts a rebuild. Deliberately left floating:
16
+ # apt packages (pinned by the Debian trixie release), Node (major-pinned via
17
+ # setup_24.x; minors carry security fixes), and the AI CLIs (always latest).
18
+ # ---------------------------------------------------------------------------
19
+
11
20
  FROM debian:trixie-slim
12
21
  LABEL totopo.managed=true
13
22
 
@@ -39,10 +48,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
39
48
  RUN ln -sf "$(command -v fdfind)" /usr/local/bin/fd
40
49
 
41
50
  # ---------------------------------------------------------------------------
42
- # Layer 3 — yq (GitHub release)
51
+ # Layer 3 — yq (GitHub release, pinned)
43
52
  # ---------------------------------------------------------------------------
44
53
  RUN ARCH=$(dpkg --print-architecture) && \
45
- curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" \
54
+ curl -fsSL "https://github.com/mikefarah/yq/releases/download/v4.53.3/yq_linux_${ARCH}" \
46
55
  -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
47
56
 
48
57
  # ---------------------------------------------------------------------------
@@ -69,10 +78,13 @@ RUN git config --system protocol.allow never && \
69
78
  git config --system protocol.file.allow always
70
79
 
71
80
  # ---------------------------------------------------------------------------
72
- # Layer 7 — Global npm tools (AI CLIs)
81
+ # Layer 7 — Global npm tools (pnpm pinned; AI CLIs always latest)
82
+ # pnpm is pinned exact: pnpm 11 changed where global settings are read from
83
+ # (~/.config/pnpm/config.yaml, no longer ~/.npmrc), so an unpinned major bump
84
+ # can silently break the baked store-dir config.
73
85
  # ---------------------------------------------------------------------------
74
86
  RUN npm install -g \
75
- pnpm \
87
+ pnpm@11.6.0 \
76
88
  opencode-ai \
77
89
  @anthropic-ai/claude-code \
78
90
  @openai/codex \
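Review bot: The yq binary in the Layer 3 hunk is still written to /usr/local/bin and made executable with no integrity check. Pinning the URL to v4.53.3 fixes the version, but release assets can be replaced by whoever controls the upstream repository, so the pin alone does not guarantee the same bytes on every build. Verify a SHA-256 recorded in this file before the `chmod +x`, and fail the build for any architecture with no recorded digest, as sketched below; the digest values are placeholders to be filled in from the release's published checksums. The new policy header could also say that pins are by version rather than by content hash, so that "reproducible" is not over-read. The Layer 7 `npm install -g` RUN continues past the end of its hunk, so its remaining lines are not reviewed here.

```dockerfile
# Placeholder digests: replace with the published SHA-256 values for v4.53.3.
ARG YQ_SHA256_AMD64=REPLACE_WITH_SHA256_OF_yq_linux_amd64
ARG YQ_SHA256_ARM64=REPLACE_WITH_SHA256_OF_yq_linux_arm64
RUN ARCH=$(dpkg --print-architecture) && \
    case "${ARCH}" in \
      amd64) YQ_SHA256="${YQ_SHA256_AMD64}" ;; \
      arm64) YQ_SHA256="${YQ_SHA256_ARM64}" ;; \
      *) echo "no pinned yq digest for ${ARCH}" >&2; exit 1 ;; \
    esac && \
    curl -fsSL "https://github.com/mikefarah/yq/releases/download/v4.53.3/yq_linux_${ARCH}" \
      -o /usr/local/bin/yq && \
    echo "${YQ_SHA256}  /usr/local/bin/yq" | sha256sum -c - && \
    chmod +x /usr/local/bin/yq
```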