Closed
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -358,6 +358,7 @@
"uuid": "^8.3.2"
},
"resolutions": {
"immutable": "^4.3.0",
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check the package.json around line 361
echo "=== Checking package.json around line 361 ==="
sed -n '355,370p' package.json

echo ""
echo "=== All immutable declarations in package.json ==="
rg -n '"immutable"\s*:' package.json

echo ""
echo "=== Check for lockfile ==="
if [ -f yarn.lock ]; then
  echo "Found yarn.lock"
  LOCKFILE="yarn.lock"
elif [ -f package-lock.json ]; then
  echo "Found package-lock.json"
  LOCKFILE="package-lock.json"
else
  echo "No lockfile found"
  exit 1
fi

echo ""
echo "=== Checking actual immutable resolution in lockfile ==="
if [[ "$LOCKFILE" == "yarn.lock" ]]; then
  rg -n '^immutable@' yarn.lock -A5 | head -50
else
  jq -r '.dependencies.immutable // .devDependencies.immutable // empty' package-lock.json
fi

Repository: box/box-ui-elements

Length of output: 1325


Tighten the immutable version floor to ^4.3.8 for consistency.

Line 361 sets immutable to ^4.3.0. While the lockfile currently resolves to 4.3.8, the semver range allows 4.3.1–4.3.7 in fresh installs. To match the stated target and prevent accidental downgrades, change the lower bound to ^4.3.8.

Suggested change
-        "immutable": "^4.3.0",
+        "immutable": "^4.3.8",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 361, update the package.json dependency entry for the
"immutable" package to tighten the minimum allowed version from "^4.3.0" to
"^4.3.8" so fresh installs cannot resolve to 4.3.1–4.3.7; locate the "immutable"
dependency line in package.json (the dependency key "immutable") and change its
version string to "^4.3.8", then regenerate or verify the lockfile is consistent
with 4.3.8.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Manifest version contracts ==="
rg -n '"immutable"\s*:|"react-immutable-proptypes"\s*:' package.json

LOCKFILE="$(fd '^yarn\.lock$' | head -n1)"
if [[ -n "${LOCKFILE}" ]]; then
  echo ""
  echo "=== Immutable majors present in lockfile ==="
  rg -n '^immutable@|^\s{2}version "(3|4)\.' "$LOCKFILE" -A1 -B0
fi

echo ""
echo "=== Immutable callsites to review for v4 compatibility risk ==="
rg -nP --type=js --type=ts "from ['\"]immutable['\"]|\bnew\s+Range\s*\(|\bRecord\s*\(\s*\{" src 2>/dev/null || echo "(No matches found or src/ not present)"

Repository: box/box-ui-elements

Length of output: 50376


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Package.json lines 220-240 (around line 227) ==="
sed -n '220,240p' package.json

echo ""
echo "=== Package.json lines 320-330 (around line 326) ==="
sed -n '320,330p' package.json

echo ""
echo "=== Package.json lines 355-365 (around line 361) ==="
sed -n '355,365p' package.json

echo ""
echo "=== Checking for resolutions/overrides sections ==="
rg -n '(resolutions|overrides)\s*:' package.json

Repository: box/box-ui-elements

Length of output: 1597


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking package.json section structure ==="
rg -n '^\s{2}"(dependencies|devDependencies|peerDependencies|optionalDependencies)"\s*:' package.json

echo ""
echo "=== Verifying immutable declarations and their sections ==="
rg -B 15 '"immutable"' package.json | head -80

Repository: box/box-ui-elements

Length of output: 110


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Full package.json structure (head) ==="
head -20 package.json

echo ""
echo "=== All immutable entries with context ==="
grep -n -B 5 -A 2 '"immutable"' package.json

Repository: box/box-ui-elements

Length of output: 1584


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Identifying which dependency section each line belongs to ==="
sed -n '100,230p' package.json | grep -n 'dependencies\|immutable' | head -20

echo ""
echo "=== Searching for immutable usage in source code ==="
rg -l 'immutable' src --type js --type ts 2>/dev/null | head -10

echo ""
echo "=== Sample immutable usage patterns ==="
rg "from ['\"]immutable['\"]|import.*immutable" src --type js --type ts 2>/dev/null | head -20

Repository: box/box-ui-elements

Length of output: 2141


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking which section each immutable declaration belongs to ==="
sed -n '1,365p' package.json | grep -n 'dependencies\|resolutions' | tail -20

echo ""
echo "=== Summary: identifying section headers before each immutable declaration ==="
awk '/^[[:space:]]*"(dependencies|devDependencies|peerDependencies|resolutions)"/ {section=$0; line=NR} /immutable/ {print "Line " NR ": " section " (at line " line ")"}' package.json

Repository: box/box-ui-elements

Length of output: 479


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking immutable major versions available in lockfile ==="
rg '^immutable@' yarn.lock -A 2

echo ""
echo "=== Verify actual resolved version of immutable in lockfile ==="
grep -A 3 '^immutable@.*:$' yarn.lock | head -20

Repository: box/box-ui-elements

Length of output: 1089


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking react-immutable-proptypes compatibility with immutable versions ==="
rg 'react-immutable-proptypes' yarn.lock -A 5 | head -40

echo ""
echo "=== Checking if there are breaking changes between immutable v3 and v4 ==="
web_search "immutable.js v3 v4 breaking changes migration"

Repository: box/box-ui-elements

Length of output: 653


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking test results with current immutable override ==="
# rg uses Rust regex syntax: alternation is a bare |, while \| matches a literal pipe
rg 'Record|List|Set|Range' src --type js --type ts | wc -l

echo ""
echo "=== Counting immutable usage across codebase ==="
rg "from ['\"]immutable['\"]" src --type js --type ts | wc -l

echo ""
echo "=== Checking if react-immutable-proptypes versions match immutable expectations ==="
grep -A 5 'react-immutable-proptypes' yarn.lock | head -20

Repository: box/box-ui-elements

Length of output: 126


Resolve the immutable version contract mismatch between declared v3 and overridden v4 resolutions.

Lines 227 and 326 declare immutable: ^3.7.4 (in devDependencies and peerDependencies respectively), while line 361's resolutions override forces immutable: ^4.3.0 globally. This creates a version contract conflict: yarn's lockfile consolidates to v4.3.8 via the override, but the declared specifications remain at v3, causing a mismatch between declared contracts and actual resolution. The codebase actively uses immutable APIs (Record, Set, Range, List, OrderedMap, OrderedSet), making this inconsistency problematic for type safety and peer dependency expectations.

Either update lines 227 and 326 to ^4.3.0 to align with the resolution override, or remove the override and address v4 incompatibilities if remaining on v3 is required.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 361, update package.json to eliminate the version
contract mismatch for the "immutable" package: either change the devDependencies
and peerDependencies entries that currently declare immutable as ^3.7.4 to
^4.3.0 to match the resolutions override, or remove the resolutions override
("immutable": "^4.3.0") and instead upgrade code to be v3-compatible;
specifically edit the immutable entries under devDependencies and
peerDependencies or the resolutions block so all three (devDependencies,
peerDependencies, resolutions) consistently reference the same major version,
and then run install and test to verify APIs (Record, Set, Range, List,
OrderedMap, OrderedSet) work with the chosen version.

"qs": "^6.14.1",
"tar": "^7.5.8"
},
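Review bot: The new `"immutable": "^4.3.0"` entry under `resolutions` sets a floor lower than what this PR locks: the range also admits 4.3.0 through 4.3.7, while the yarn.lock change resolves to 4.3.8. If 4.3.8 is the release this override exists for, make it the floor (`"^4.3.8"`) so the manifest states the minimum on its own and a regenerated lockfile cannot settle on an earlier 4.3.x. Since package.json cannot carry comments, record the reason for the override in the commit message.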
13 changes: 4 additions & 9 deletions yarn.lock
Expand Up @@ -11780,15 +11780,10 @@ immutable@^3.7.4:
resolved "https://registry.yarnpkg.com/immutable/-/immutable-3.8.2.tgz#c2439951455bb39913daf281376f1530e104adf3"
integrity sha512-15gZoQ38eYjEjxkorfbcgBKBL6R7T459OuK+CpcWt7O3KF4uPCx2tD0uFETlUDIyo+1789crbMhTvQBSR5yBMg==

immutable@^4.0.0:
version "4.3.7"
resolved "https://registry.yarnpkg.com/immutable/-/immutable-4.3.7.tgz#c70145fc90d89fb02021e65c84eb0226e4e5a381"
integrity sha512-1hqclzwYwjRDFLjcFxOM5AYkkG0rpFPpr1RLPMEuGczoS7YA8gLhy8SWXYRAA/XwfEHpfo3cw5JGioS32fnMRw==

immutable@~3.7.4:
version "3.7.6"
resolved "https://registry.yarnpkg.com/immutable/-/immutable-3.7.6.tgz#13b4d3cb12befa15482a26fe1b2ebae640071e4b"
integrity sha512-AizQPcaofEtO11RZhPPHBOJRdo/20MKQF9mBLnVkBoyHi1/zXK8fzVdnEpSV9gxqtnh6Qomfp3F0xT5qP/vThw==
immutable@^4.0.0, immutable@^4.3.0, immutable@~3.7.4:
version "4.3.8"
resolved "https://registry.yarnpkg.com/immutable/-/immutable-4.3.8.tgz#02d183c7727fb2bb1d5d0380da0d779dce9296a7"
integrity sha512-d/Ld9aLbKpNwyl0KiM2CT1WYvkitQ1TSvmRtkcV8FKStiDoA7Slzgjmb/1G2yhKM1p0XeNOieaTbFZmU1d3Xuw==

import-fresh@^2.0.0:
version "2.0.0"
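Review bot: The merged entry `immutable@^4.0.0, immutable@^4.3.0, immutable@~3.7.4:` now resolves the `~3.7.4` requester to 4.3.8, a major version above the range it declared (it previously got 3.7.6). Identify which package asks for `~3.7.4` and confirm it works against the v4 API, or scope the resolution to the packages that need it. The `immutable@^3.7.4` entry in the context lines above still resolves to 3.8.2, so the tree keeps two majors of immutable after this change; confirm that is intended.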