Upgrade lerna to v8

[ckeshava]

High Level Overview of Change

This PR aims to accomplish the following:

1. Upgrade lerna to v8.
2. Update parse-url, parse-path, lodash.template, form-data dependencies to newer versions.

This PR succeeds the following dependabot PR: #3051

Context of Change

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Tests (You added tests for code that already exists, or your new feature included in this PR)
• Documentation Updates
• Release

Did you update HISTORY.md?

• Yes
• No, this change does not impact library users

Test Plan

The existing tests pass. No new tests are required for this upgrade.

[coderabbitai]

Walkthrough

Lerna configuration updated: devDependency bumped from ^4.0.0 to ^8.2.3 and monorepo discovery changed from useWorkspaces: true to an explicit packages array listing six packages; npmClient remains npm.

Changes

Cohort / File(s)	Summary
Monorepo configuration lerna.json, package.json	Lerna devDependency updated from ^4.0.0 → ^8.2.3. lerna.json replaces useWorkspaces: true with an explicit packages array containing: xrpl, ripple-binary-codec, ripple-keypairs, ripple-address-codec, isomorphic, secret-numbers. npmClient remains npm.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify the packages entries match repository package locations and globs.
• Check Lerna v8 changelog for any workspace/command behavioral changes affecting CI or scripts.

Poem

🐰 I swapped workspaces for packages with care,
six little crates now listed there.
Lerna hopped up, version in tow,
npm still steady — off we go! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change—upgrading lerna to v8—though it doesn't mention the Node version upgrade, which is also a significant part of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description follows the required template with a high-level overview, context, type of change, and test plan clearly provided.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/ripple-address-codec/HISTORY.md (1)

5-7: Minor: Refine the wording for grammatical clarity.

The phrase "upgrades of lerna dependency" is slightly awkward. Consider "upgrade of the lerna dependency" or simply "lerna v8 upgrade" for brevity and clarity.

Apply this diff to improve the wording:

-* Upgraded the minimum Node version to v20. This was necessitated by the upgrades of lerna dependency to v8.2.3.
+* Upgraded the minimum Node version to v20. This was necessitated by the lerna v8 upgrade to v8.2.3.

Alternatively:

-* Upgraded the minimum Node version to v20. This was necessitated by the upgrades of lerna dependency to v8.2.3.
+* Upgraded the minimum Node version to v20. This was necessitated by the upgrade of the lerna dependency to v8.2.3.

packages/secret-numbers/HISTORY.md (1)

7-9: Minor: Consistent with ripple-address-codec, refine the wording for grammatical clarity.

The phrase "upgrades of lerna dependency" is slightly awkward. Apply the same wording improvement used in the ripple-address-codec HISTORY.md file.

Apply this diff to improve the wording:

-* Upgraded the minimum Node version to v20. This was necessitated by the upgrades of lerna dependency to v8.2.3.
+* Upgraded the minimum Node version to v20. This was necessitated by the lerna v8 upgrade to v8.2.3.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 920d765 and 15103aa.

📒 Files selected for processing (6)

• packages/isomorphic/HISTORY.md (1 hunks)
• packages/ripple-address-codec/HISTORY.md (1 hunks)
• packages/ripple-binary-codec/HISTORY.md (1 hunks)
• packages/ripple-keypairs/HISTORY.md (1 hunks)
• packages/secret-numbers/HISTORY.md (1 hunks)
• packages/xrpl/HISTORY.md (1 hunks)

✅ Files skipped from review due to trivial changes (4)

• packages/ripple-binary-codec/HISTORY.md
• packages/xrpl/HISTORY.md
• packages/isomorphic/HISTORY.md
• packages/ripple-keypairs/HISTORY.md

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2788
File: .github/workflows/nodejs.yml:25-25
Timestamp: 2024-09-26T21:14:56.813Z
Learning: In `.github/workflows/nodejs.yml`, the `build-and-lint` job's actions `actions/setup-node` and `actions/cache` are updated to `v4`.

📚 Learning: 2024-10-11T18:48:28.561Z

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2779
File: packages/xrpl/HISTORY.md:10-14
Timestamp: 2024-10-11T18:48:28.561Z
Learning: Ensure to reference the correct version numbers when commenting on changes to `HISTORY.md` to avoid confusion.

Applied to files:

• packages/secret-numbers/HISTORY.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: integration (20.x)
• GitHub Check: unit (22.x)
• GitHub Check: build-and-lint (24.x)
• GitHub Check: integration (24.x)
• GitHub Check: unit (24.x)
• GitHub Check: integration (22.x)
• GitHub Check: browser (24.x)
• GitHub Check: unit (20.x)
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

package.json (2)

69-72: Critical: Node engine requirement not updated to v20.

The PR objectives state "Raise Node engine requirement to v20 (Node v18 is past its scheduled lifetime)", but the engines.node field still shows >=18.0.0. This contradicts the PR's primary objective.

Apply this diff to update the Node engine requirement:

   "engines": {
-    "node": ">=18.0.0",
+    "node": ">=20.0.0",
     "npm": ">=7.10.0"
   }

---

69-72: Update Node version requirements to v20 minimum for consistency.

• package.json engines field: Change from ">=18.0.0" to ">=20.0.0" (line 70)
• .github/workflows/faucet_test.yml: Update matrix from 18.x to 20.x

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 15103aa and ac2115d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• lerna.json (1 hunks)
• package.json (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2788
File: .github/workflows/nodejs.yml:25-25
Timestamp: 2024-09-26T21:14:56.813Z
Learning: In `.github/workflows/nodejs.yml`, the `build-and-lint` job's actions `actions/setup-node` and `actions/cache` are updated to `v4`.

📚 Learning: 2024-09-26T21:14:56.813Z

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2788
File: .github/workflows/nodejs.yml:25-25
Timestamp: 2024-09-26T21:14:56.813Z
Learning: In `.github/workflows/nodejs.yml`, the `build-and-lint` job's actions `actions/setup-node` and `actions/cache` are updated to `v4`.

Applied to files:

• package.json

📚 Learning: 2024-12-06T19:25:15.376Z

Learnt from: shawnxie999
Repo: XRPLF/xrpl.js PR: 2661
File: packages/xrpl/test/integration/transactions/mptokenAuthorize.test.ts:29-118
Timestamp: 2024-12-06T19:25:15.376Z
Learning: In the XRPLF/xrpl.js TypeScript client library, when writing tests (e.g., in `packages/xrpl/test/integration/transactions/`), we generally do not need to test rippled server behaviors, because those behaviors are covered by rippled's own integration and unit tests.

Applied to files:

• lerna.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: unit (20.x)
• GitHub Check: unit (22.x)
• GitHub Check: unit (24.x)
• GitHub Check: build-and-lint (24.x)
• GitHub Check: integration (20.x)
• GitHub Check: integration (24.x)
• GitHub Check: integration (22.x)
• GitHub Check: browser (24.x)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

package.json (1)

34-34: The Node engine requirement in package.json is >=18.0.0, not v20. The current @types/node version of ^18.19.29 is already appropriate for this requirement and does not need to be updated.

Likely an incorrect or invalid review comment.

lerna.json (1)

3-10: Correct lerna configuration: explicit packages property replaces deprecated useWorkspaces.

Lerna 7.0.0 introduced a breaking change that deprecates useWorkspaces. Using an explicit packages array with full paths is the correct approach, and all six packages are properly listed: xrpl, ripple-binary-codec, ripple-keypairs, ripple-address-codec, isomorphic, and secret-numbers. Each package has a valid package.json file and matches the workspace pattern defined in the root package.json.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Update lerna to latest stable version (9.0.3).

The current version ^8.2.3 is outdated. The latest stable version is 9.0.3. Update to the latest version to benefit from security fixes and new features. Note: After updating, run lerna repair to migrate your lerna.json to the latest version and remove any outdated options.

🤖 Prompt for AI Agents

In package.json around line 51, the lerna dependency is pinned to "^8.2.3" which
is outdated; update the version string to "9.0.3" in package.json, run your
package manager to install the updated dependency, then run "lerna repair" to
migrate lerna.json to the new format and remove or adjust any deprecated/removed
options as suggested by the repair output.

[ckeshava]

We will consider v9 at a later date. For the purposes of resolving security vulnerability issues, lerna v8 suffices.

[coderabbitai]

@ckeshava, understood! Thank you for the clarification. Upgrading to lerna v8 to address security vulnerabilities makes sense, and I'll note your decision to defer v9 for a future update.

---

✏️ Learnings added

Learnt from: ckeshava
Repo: XRPLF/xrpl.js PR: 3156
File: package.json:51-51
Timestamp: 2025-12-16T21:30:15.604Z
Learning: In the xrpl.js repository, lerna v8 is intentionally used (not v9) as it suffices for resolving security vulnerabilities. The team plans to consider v9 at a later date.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[Patel-Raj11]

It would be good idea to test releasing a package using lerna commands by following manual release steps. Apart from that, this change looks good!

For ref: XRPLF/typescript-style#24 (comment)

[mvadari]

Yes, definitely do that - the last time we tried upgrading a major version of lerna (v6), the release failed, and we had to emergency downgrade

[ckeshava]

I have published three versions of a testing xrpl package with the new lerna version: https://www.npmjs.com/package/xrpl-chenna-testing-1?activeTab=versions

I used this git-branch to publish these versions. This git branch is identical to this PR, except for top three commits which have synthetically incremented the versions for the xrpl package inside the monorepo.

[ckeshava]

Yes, definitely do that - the last time we tried upgrading a major version of lerna (v6), the release failed, and we had to emergency downgrade

That sounds like a big issue for all users of Lerna. I'm guessing lerna provided a subsequent fix.

In any case, can't we always use npm publish? I understand that lerna makes our life easier with the child packages, however is it a critical blocker?

[Patel-Raj11]

In any case, can't we always use npm publish?

I think with lerna in place, npm pack does not work out of the box. So, the release pipeline had to package it using lerna before publishing -

xrpl.js/.github/workflows/release.yml

Line 298 in d6c89f9

TARBALL=$(npx lerna exec --scope "${FULL_PKG_NAME}" -- npm pack --json | jq -r '.[0].filename')

Thus lerna needs to work for npm publish to work.

[mvadari]

That sounds like a big issue for all users of Lerna. I'm guessing lerna provided a subsequent fix.

Probably was an issue with our setup, not Lerna (it was a Dependabot update so it wasn't really checked that hard)

[mvadari]

In any case, can't we always use npm publish? I understand that lerna makes our life easier with the child packages, however is it a critical blocker?

There was some talk about switching to npm workspaces a while back, perhaps that's worth reinvestigating. If npm has sufficient functionality built-in, then we wouldn't need the complexity of lerna.

[ckeshava]

I think with lerna in place, npm pack does not work out of the box. So, the release pipeline had to package it using lerna before publishing -

npm pack works for me. You need to go into the packages/xrpl/ folder and execute this command. It successfully produces a tarball for me. However, the disadvantage is that we need to release all the children packages seperately.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

70-70: Critical: Node engine version not updated to v20 as stated in PR objectives.

The PR objectives explicitly state "Upgrade Node engine requirement to v20 (Node v18 is past its scheduled lifetime)" and the PR title mentions "update engine to >= Node v20", but line 70 still shows "node": ">=18.0.0".

Apply this diff to update the Node engine requirement to v20:

-    "node": ">=18.0.0",
+    "node": ">=20.0.0",

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ac2115d and 974bbbc.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: ckeshava
Repo: XRPLF/xrpl.js PR: 3156
File: package.json:51-51
Timestamp: 2025-12-16T21:30:24.487Z
Learning: In the xrpl.js repository, lerna v8 is intentionally used (not v9) as it suffices for resolving security vulnerabilities. The team plans to consider v9 at a later date.

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2788
File: .github/workflows/nodejs.yml:25-25
Timestamp: 2024-09-26T21:14:56.813Z
Learning: In `.github/workflows/nodejs.yml`, the `build-and-lint` job's actions `actions/setup-node` and `actions/cache` are updated to `v4`.

📚 Learning: 2025-12-16T21:30:24.487Z

Learnt from: ckeshava
Repo: XRPLF/xrpl.js PR: 3156
File: package.json:51-51
Timestamp: 2025-12-16T21:30:24.487Z
Learning: In the xrpl.js repository, lerna v8 is intentionally used (not v9) as it suffices for resolving security vulnerabilities. The team plans to consider v9 at a later date.

Applied to files:

• package.json

📚 Learning: 2024-12-06T19:25:15.376Z

Learnt from: shawnxie999
Repo: XRPLF/xrpl.js PR: 2661
File: packages/xrpl/test/integration/transactions/mptokenAuthorize.test.ts:29-118
Timestamp: 2024-12-06T19:25:15.376Z
Learning: In the XRPLF/xrpl.js TypeScript client library, when writing tests (e.g., in `packages/xrpl/test/integration/transactions/`), we generally do not need to test rippled server behaviors, because those behaviors are covered by rippled's own integration and unit tests.

Applied to files:

• package.json

📚 Learning: 2024-09-26T21:14:56.813Z

Learnt from: mvadari
Repo: XRPLF/xrpl.js PR: 2788
File: .github/workflows/nodejs.yml:25-25
Timestamp: 2024-09-26T21:14:56.813Z
Learning: In `.github/workflows/nodejs.yml`, the `build-and-lint` job's actions `actions/setup-node` and `actions/cache` are updated to `v4`.

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: integration (22.x)
• GitHub Check: integration (24.x)
• GitHub Check: unit (20.x)
• GitHub Check: integration (20.x)
• GitHub Check: unit (22.x)
• GitHub Check: unit (24.x)
• GitHub Check: browser (24.x)
• GitHub Check: build-and-lint (24.x)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

package.json (2)

51-51: LGTM! Lerna v8 upgrade is appropriate.

The upgrade to lerna v8.2.3 correctly addresses security vulnerabilities. Based on learnings, the team has intentionally chosen v8 over v9 for now, with plans to consider v9 in the future. The author has also verified the publishing workflow works correctly with this version.

Based on learnings, lerna v8 is intentionally used (not v9) as it suffices for resolving security vulnerabilities.

---

51-51: Note: AI summary mentions lerna.json changes not included in review.

The AI-generated summary mentions that "monorepo discovery changed from useWorkspaces: true to an explicit packages array" in lerna.json, but the lerna.json file was not provided for review. Please ensure that file is also reviewed if it contains changes.

[ckeshava]

Thank you very much for the comments and reviews 🙇