testing should be quite simple. Apply the pr. then npm ci

There should be no new files to commit

then run npm outdated and the output will be

Vue should be updated as well as it is only a patch shift.

@laoneo thanks - vue was locked to a specific patch release. Its not any more

Then I'm wondering why it got locked. It was done in #36295. @dgrammatiko any reason you locked vue to a specific release?

@dgrammatiko any reason you locked vue to a specific release?

Yes, the reason is security and assuring that the person in charge of releases will NOT accidentally distribute a version that was not tested/peer reviewed/etc. FWIW for years I kept asking for an automated solution for both npm+composer but gloriously ignored. Anyways, both package.json and composer.json SHOULD point to specific versions for the dependencies (joomla is not a weekend project, so maintainers should treat it respectively).

An implementation of renovate bot in this repo will apply this before start doing any PRs for updating any of the dependencies (you can check it in one of my many repos where I use it for quite some time, eg: package.josn renovate.josn ).

The lock file does the job of pointing to a specific version. There is no need to do that in the config file as well, except when there is a bug/incompatibility/whatever in the library and we have to stick to a specific version.

@laoneo sure but everybody is using specific version on their package.json, eg: https://github.com/WordPress/wordpress-develop/blob/40c4f11a81ee28b1ec1869c9842064ac0bf137c2/package.json#L78-L156

if everybody was doing that then there would be zero point in the ^ or ~ functionality existing.

closed. i'm not wasting my time resolving conflicts