fix(deps): Resolve immutable to 4.3.8 #4465

Closed
jfox-box wants to merge 1 commit into master from resolve-immutable-4.3.8

@jfox-box jfox-box commented Mar 5, 2026

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution to improve package compatibility.

@jfox-box jfox-box requested a review from a team as a code owner March 5, 2026 22:32

coderabbitai bot commented Mar 5, 2026

Walkthrough

Adds a new dependency resolution for immutable@^4.3.0 in package.json. This pins the immutable package version within the project's resolution configuration, alongside existing resolutions for qs and tar.

Changes

Cohort / File(s) | Summary
Dependency Resolution: package.json | Added immutable ^4.3.0 to resolutions field to pin the dependency version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

ready-to-merge

Suggested reviewers

  • tjuanitas
  • jpan-box
  • tjiang-box

Poem

🐰 A hop, a skip, a version locked,
Immutable now, dependency docked,
In resolutions we trust with glee,
One line of code, harmoniously! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The PR description contains only the repository's merge process template with no custom context explaining the purpose or rationale for the immutable dependency resolution. | Add a custom description explaining why the immutable dependency is being resolved to 4.3.8, any related issues, and the impact of this change.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title 'fix(deps): Resolve immutable to 4.3.8' clearly describes the main change: updating the immutable dependency resolution to version 4.3.8.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 361: Update the package.json dependency entry for the "immutable" package
to tighten the minimum allowed version from "^4.3.0" to "^4.3.8" so fresh
installs cannot resolve to 4.3.1–4.3.7; locate the "immutable" dependency line
in package.json (the dependency key "immutable") and change its version string
to "^4.3.8", then regenerate or verify the lockfile is consistent with 4.3.8.
- Line 361: Update package.json to eliminate the version contract mismatch for
the "immutable" package: either change the devDependencies and peerDependencies
entries that currently declare immutable as ^3.7.4 to ^4.3.0 to match the
resolutions override, or remove the resolutions override ("immutable": "^4.3.0")
and instead upgrade code to be v3-compatible; specifically edit the immutable
entries under devDependencies and peerDependencies or the resolutions block so
all three (devDependencies, peerDependencies, resolutions) consistently
reference the same major version, and then run install and test to verify APIs
(Record, Set, Range, List, OrderedMap, OrderedSet) work with the chosen version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5f2cfd3-4d6c-476c-9832-218ae407aeb6

📥 Commits

Reviewing files that changed from the base of the PR and between df7c1af and e77f3fa.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

"uuid": "^8.3.2"
},
"resolutions": {
"immutable": "^4.3.0",
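
Review bot: the new "immutable" entry under "resolutions" is written as the range "^4.3.0", which does not match the 4.3.8 named in the PR title, so the override by itself only guarantees some 4.x release at or above 4.3.0. If 4.3.8 is the intended floor, write "immutable": "^4.3.8" (or the exact "4.3.8" if a pin is meant), and state in the PR description why the override is needed so a later reader knows when it can be dropped.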

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check the package.json around line 361
echo "=== Checking package.json around line 361 ==="
sed -n '355,370p' package.json

echo ""
echo "=== All immutable declarations in package.json ==="
rg -n '"immutable"\s*:' package.json

echo ""
echo "=== Check for lockfile ==="
if [ -f yarn.lock ]; then
  echo "Found yarn.lock"
  LOCKFILE="yarn.lock"
elif [ -f package-lock.json ]; then
  echo "Found package-lock.json"
  LOCKFILE="package-lock.json"
else
  echo "No lockfile found"
  exit 1
fi

echo ""
echo "=== Checking actual immutable resolution in lockfile ==="
if [[ "$LOCKFILE" == "yarn.lock" ]]; then
  rg -n '^immutable@' yarn.lock -A5 | head -50
else
  jq -r '.dependencies.immutable // .devDependencies.immutable // empty' package-lock.json
fi

Repository: box/box-ui-elements

Length of output: 1325


Tighten the immutable version floor to ^4.3.8 for consistency.

Line 361 sets immutable to ^4.3.0. While the lockfile currently resolves to 4.3.8, the semver range allows 4.3.1–4.3.7 in fresh installs. To match the stated target and prevent accidental downgrades, change the lower bound to ^4.3.8.

Suggested change
-        "immutable": "^4.3.0",
+        "immutable": "^4.3.8",

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Manifest version contracts ==="
rg -n '"immutable"\s*:|"react-immutable-proptypes"\s*:' package.json

LOCKFILE="$(fd '^yarn\.lock$' | head -n1)"
if [[ -n "${LOCKFILE}" ]]; then
  echo ""
  echo "=== Immutable majors present in lockfile ==="
  rg -n '^immutable@|^\s{2}version "(3|4)\.' "$LOCKFILE" -A1 -B0
fi

echo ""
echo "=== Immutable callsites to review for v4 compatibility risk ==="
rg -nP --type=js --type=ts "from ['\"]immutable['\"]|\bnew\s+Range\s*\(|\bRecord\s*\(\s*\{" src 2>/dev/null || echo "(No matches found or src/ not present)"

Repository: box/box-ui-elements

Length of output: 50376


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Package.json lines 220-240 (around line 227) ==="
sed -n '220,240p' package.json

echo ""
echo "=== Package.json lines 320-330 (around line 326) ==="
sed -n '320,330p' package.json

echo ""
echo "=== Package.json lines 355-365 (around line 361) ==="
sed -n '355,365p' package.json

echo ""
echo "=== Checking for resolutions/overrides sections ==="
rg -n '(resolutions|overrides)\s*:' package.json

Repository: box/box-ui-elements

Length of output: 1597


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking package.json section structure ==="
rg -n '^\s{2}"(dependencies|devDependencies|peerDependencies|optionalDependencies)"\s*:' package.json

echo ""
echo "=== Verifying immutable declarations and their sections ==="
rg -B 15 '"immutable"' package.json | head -80

Repository: box/box-ui-elements

Length of output: 110


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Full package.json structure (head) ==="
head -20 package.json

echo ""
echo "=== All immutable entries with context ==="
grep -n -B 5 -A 2 '"immutable"' package.json

Repository: box/box-ui-elements

Length of output: 1584


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Identifying which dependency section each line belongs to ==="
sed -n '100,230p' package.json | grep -n 'dependencies\|immutable' | head -20

echo ""
echo "=== Searching for immutable usage in source code ==="
rg -l 'immutable' src --type js --type ts 2>/dev/null | head -10

echo ""
echo "=== Sample immutable usage patterns ==="
rg "from ['\"]immutable['\"]|import.*immutable" src --type js --type ts 2>/dev/null | head -20

Repository: box/box-ui-elements

Length of output: 2141


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking which section each immutable declaration belongs to ==="
sed -n '1,365p' package.json | grep -n 'dependencies\|resolutions' | tail -20

echo ""
echo "=== Summary: identifying section headers before each immutable declaration ==="
awk '/^[[:space:]]*"(dependencies|devDependencies|peerDependencies|resolutions)"/ {section=$0; line=NR} /immutable/ {print "Line " NR ": " section " (at line " line ")"}' package.json

Repository: box/box-ui-elements

Length of output: 479


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking immutable major versions available in lockfile ==="
rg '^immutable@' yarn.lock -A 2

echo ""
echo "=== Verify actual resolved version of immutable in lockfile ==="
grep -A 3 '^immutable@.*:$' yarn.lock | head -20

Repository: box/box-ui-elements

Length of output: 1089


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking react-immutable-proptypes compatibility with immutable versions ==="
rg 'react-immutable-proptypes' yarn.lock -A 5 | head -40

echo ""
echo "=== Checking if there are breaking changes between immutable v3 and v4 ==="
web_search "immutable.js v3 v4 breaking changes migration"

Repository: box/box-ui-elements

Length of output: 653


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking test results with current immutable override ==="
rg 'Record\|List\|Set\|Range' src --type js --type ts | wc -l

echo ""
echo "=== Counting immutable usage across codebase ==="
rg "from ['\"]immutable['\"]" src --type js --type ts | wc -l

echo ""
echo "=== Checking if react-immutable-proptypes versions match immutable expectations ==="
grep -A 5 'react-immutable-proptypes' yarn.lock | head -20

Repository: box/box-ui-elements

Length of output: 126


Resolve the immutable version contract mismatch between declared v3 and overridden v4 resolutions.

Lines 227 and 326 declare immutable: ^3.7.4 (in devDependencies and peerDependencies respectively), while line 361's resolutions override forces immutable: ^4.3.0 globally. This creates a version contract conflict: yarn's lockfile consolidates to v4.3.8 via the override, but the declared specifications remain at v3, causing a mismatch between declared contracts and actual resolution. The codebase actively uses immutable APIs (Record, Set, Range, List, OrderedMap, OrderedSet), making this inconsistency problematic for type safety and peer dependency expectations.

Either update lines 227 and 326 to ^4.3.0 to align with the resolution override, or remove the override and address v4 incompatibilities if remaining on v3 is required.

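An added example (not part of the review above or of the box-ui-elements code base) that checks both findings mechanically: whether a `resolutions` range has a floor below the intended version, and whether the declared ranges admit the version the override forces. The manifest is constructed from the ranges quoted in this thread; `auditOverride`, `satisfies`, `parseRange` and `TARGET` are hypothetical names, and only `^`, `~` and exact versions are parsed.

```javascript
// Added example, not code from box-ui-elements. The manifest is constructed
// from the ranges quoted in this thread; TARGET is the version in the PR title.
const manifest = {
  devDependencies: { immutable: '^3.7.4' },
  peerDependencies: { immutable: '^3.7.4' },
  resolutions: { immutable: '^4.3.0' },
};
const TARGET = '4.3.8';

// Parse "^1.2.3", "~1.2.3" or "1.2.3" (the only forms handled here).
function parseRange(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { op: m[1], v: m.slice(2).map(Number) };
}

const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// True when an exact version such as "4.3.5" is admitted by the range.
function satisfies(version, range) {
  const { op, v } = parseRange(range);
  const x = parseRange(version).v;
  if (op === '') return cmp(x, v) === 0;
  if (cmp(x, v) < 0) return false;
  if (op === '~') return x[0] === v[0] && x[1] === v[1];
  // Caret: everything up to the leftmost non-zero component is fixed.
  const i = v.findIndex((n) => n !== 0);
  return v.slice(0, i === -1 ? 3 : i + 1).every((n, k) => n === x[k]);
}

// Report (1) an override whose floor is below the target and (2) declared
// ranges that do not admit the target version the override forces.
function auditOverride(pkg, name, target) {
  const findings = [];
  const override = (pkg.resolutions || {})[name];
  if (!override) return findings;
  if (cmp(parseRange(override).v, parseRange(target).v) < 0) {
    findings.push({ section: 'resolutions', range: override, issue: 'floor-below-target' });
  }
  for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) {
    const declared = (pkg[section] || {})[name];
    if (declared && !satisfies(target, declared)) {
      findings.push({ section, range: declared, issue: 'declared-range-excludes-target' });
    }
  }
  return findings;
}

console.log(auditOverride(manifest, 'immutable', TARGET));
```

Run against the constructed manifest, it reports three findings: the override's floor and both declared `^3.7.4` ranges.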

@jfox-box jfox-box closed this Mar 6, 2026

jfox-box commented Mar 6, 2026

Will be fixed in #4471
