Skip to content

fix: pin @mediapipe/* to the versions already in the lockfile#979

Open
Anexus5919 wants to merge 1 commit into
Somil450:mainfrom
Anexus5919:fix/pin-mediapipe-versions
Open

fix: pin @mediapipe/* to the versions already in the lockfile#979
Anexus5919 wants to merge 1 commit into
Somil450:mainfrom
Anexus5919:fix/pin-mediapipe-versions

Conversation

@Anexus5919

Copy link
Copy Markdown
Contributor

📌 Related Issue

Fixes #896


📝 Description

The three @mediapipe/* dependencies were set to "latest", so every install could resolve a different version of the core pose pipeline (non-deterministic builds), while CHANGELOG.md already claims these are "pinned to specific versions."

🔹 What has been changed?

  • Pinned the three deps to the exact versions already resolved in the lockfile:
    • @mediapipe/camera_utils@0.3.1675466862
    • @mediapipe/drawing_utils@0.3.1675466124
    • @mediapipe/pose@0.5.1675469404
  • Updated package-lock.json's root dependency specifiers to match.

🔹 Why are these changes needed?

  • "latest" makes installs non-deterministic for the most critical dependency in the app. Pinning to the versions already in the lockfile removes the non-determinism with no change to the installed code, and makes the changelog claim accurate. The resolved tree and integrity (SRI) hashes are unchanged.

🛠️ Type of Change

  • 🐛 Bug Fix

🧪 Testing

✅ Tests Performed

  • Tested locally
  • Validated that for each package, package.json spec == lockfile spec == resolved version, and all are exact x.y.z (no latest/caret); both files parse as valid JSON.
  • Confirmed the pinned versions equal the versions currently resolved on main, so this is a no-op for the installed tree.

🔹 Note on automated tests

Done manually rather than via npm install, so the rest of the lockfile is untouched.

🌐 Browsers Tested

Not applicable (dependency/build configuration).


📷 Screenshots / Demo (if applicable)

Not applicable.


📋 Checklist

  • I have read the project's CONTRIBUTING guidelines
  • My code follows the project style guidelines
  • I have performed a self-review of my code
  • I have tested my changes locally
  • I have added/updated documentation where necessary (not applicable)
  • My changes do not introduce new warnings or errors
  • This PR is linked to an existing issue

💬 Additional Notes

Branched from upstream/main; merges cleanly with the current base (which still pins these to "latest" and resolves the same versions). This is the npm-package pin, distinct from the earlier CDN <script> SRI pinning (#385/#386).

The three @mediapipe dependencies were set to "latest", so every install
could resolve a different version, making builds non-deterministic — and
the CHANGELOG already claims these are pinned to specific versions. Pin
them to the exact versions already resolved in the lockfile
(camera_utils 0.3.1675466862, drawing_utils 0.3.1675466124,
pose 0.5.1675469404) and update the lockfile's dependency specifiers to
match. The resolved tree and integrity hashes are unchanged.
@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown

@Anexus5919 is attempting to deploy a commit to the somiljain2024-4175's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Anexus5919

Copy link
Copy Markdown
Contributor Author

@Somil450 @diksha78dev Kindly have a review on this pr. Thanks!

1 similar comment
@Anexus5919

Copy link
Copy Markdown
Contributor Author

@Somil450 @diksha78dev Kindly have a review on this pr. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

@mediapipe/* dependencies pinned to "latest" make builds non-deterministic (CHANGELOG claims they are pinned)

1 participant