
audit: monorepo audit findings — 2026-03-01 #164

@claude


Monorepo Audit Report — 2026-03-01

Skills Audited

  • pnpm (best practices from .agents/skills/pnpm/)
  • Workleap React Best Practices (best practices from .agents/skills/workleap-react-best-practices/)

Note: No .agents/skills/turborepo/ directory was found; Turborepo was not audited.

Summary

| # | Severity | Skill | Finding | File |
|---|----------|-------|---------|------|
| 1 | Low | pnpm | workspace:* in peerDependencies publishes as an exact version pin instead of a ^ range | packages/mixpanel/package.json |

Details

1. @workleap/mixpanel uses workspace:* for its @workleap/logrocket peer dependency

Severity: Low
Skill: pnpm
File: packages/mixpanel/package.json

Issue: @workleap/mixpanel declares "@workleap/logrocket": "workspace:*" in its peerDependencies. When published, pnpm replaces workspace:* with an exact version (e.g. 3.0.0) rather than a semver range. This means consumers who install @workleap/logrocket@3.0.1 (a newer patch) independently will see a peer dependency mismatch warning against the published exact pin. This is the only workspace:* in any peerDependencies field across the repo; all other peer dependencies (e.g. @opentelemetry/api: "^1.9.0", logrocket: "^12.0.0") correctly use ^ ranges. The repo's syncpack config also enforces "range": "^" for peer dependencies of @workleap/* packages, making this inconsistent with the stated policy.

Recommendation: Change "@workleap/logrocket": "workspace:*" to "@workleap/logrocket": "workspace:^" in packages/mixpanel/package.json. This will publish as "@workleap/logrocket": "^3.0.0", which is consistent with how all other peer dependencies are declared in the repo and eliminates spurious peer dependency warnings for consumers.
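A small Node script, added here as an illustration and not part of the audit or the repo, that applies pnpm's documented publish-time substitution for the workspace: protocol to a set of package manifests, flags every workspace:* peer dependency, and shows why the resulting exact pin is brittle (3.0.1 does not satisfy 3.0.0, but does satisfy ^3.0.0). The manifests are constructed fixtures: the two package names and the 3.0.0 example version come from the finding above, the 1.2.3 version and the satisfiesPin helper are assumptions for the example.

```javascript
// Added example (not from the audit or the repo): lint pnpm workspace package
// manifests for `workspace:*` in peerDependencies and show what pnpm would
// substitute at publish time. The manifests below are constructed fixtures.

// Publish-time substitution pnpm applies to the workspace: protocol:
//   workspace:*      -> exact version of the workspace package (e.g. 3.0.0)
//   workspace:^      -> ^<version>
//   workspace:~      -> ~<version>
//   workspace:^3.0.0 -> ^3.0.0 (an explicit range is emitted as written)
function resolveWorkspaceRange(range, targetVersion) {
  if (!range.startsWith("workspace:")) return range; // not a workspace link
  const spec = range.slice("workspace:".length);
  if (spec === "*") return targetVersion;
  if (spec === "^" || spec === "~") return spec + targetVersion;
  return spec;
}

// Minimal range check covering the two shapes this example produces:
// an exact pin ("3.0.0") and a caret range ("^3.0.0", major >= 1).
// It is NOT a general semver implementation.
function satisfiesPin(range, version) {
  const parse = (v) => v.split(".").map(Number);
  if (range.startsWith("^")) {
    const [rMaj, rMin, rPat] = parse(range.slice(1));
    const [vMaj, vMin, vPat] = parse(version);
    if (vMaj !== rMaj) return false;
    if (vMin !== rMin) return vMin > rMin;
    return vPat >= rPat;
  }
  return range === version;
}

// The peerDependencies a manifest would carry once published.
function publishedPeerDependencies(manifest, manifests) {
  const out = {};
  for (const [dep, range] of Object.entries(manifest.peerDependencies || {})) {
    const target = manifests[dep];
    out[dep] = target ? resolveWorkspaceRange(range, target.version) : range;
  }
  return out;
}

// Flag every `workspace:*` peer dependency: it publishes as an exact pin,
// so a consumer on the next patch release gets a peer mismatch warning.
function lintWorkspacePeers(manifests) {
  const findings = [];
  for (const manifest of Object.values(manifests)) {
    for (const [dep, range] of Object.entries(manifest.peerDependencies || {})) {
      if (range !== "workspace:*") continue;
      const target = manifests[dep];
      findings.push({
        pkg: manifest.name,
        dep,
        publishedAs: target ? resolveWorkspaceRange(range, target.version) : "(unknown)",
        recommended: "workspace:^",
      });
    }
  }
  return findings;
}

// Constructed fixtures mirroring the finding: the package names and the
// 3.0.0 example version come from the audit text; the rest is made up.
const SAMPLE_MANIFESTS = {
  "@workleap/logrocket": { name: "@workleap/logrocket", version: "3.0.0" },
  "@workleap/mixpanel": {
    name: "@workleap/mixpanel",
    version: "1.2.3",
    peerDependencies: {
      "@workleap/logrocket": "workspace:*",
      "@opentelemetry/api": "^1.9.0",
    },
  },
};

console.log(lintWorkspacePeers(SAMPLE_MANIFESTS));
console.log(publishedPeerDependencies(SAMPLE_MANIFESTS["@workleap/mixpanel"], SAMPLE_MANIFESTS));
```

In a real repo the fixtures would be replaced by reading each workspace package's package.json, and the lint could run in CI so a workspace:* peer dependency fails the build before it is published.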
