
fix: move @workos-inc/node to peerDependencies #32

Merged: nicknisi merged 2 commits into main from fix/node-sdk-peer-dep on May 11, 2026



@nicknisi nicknisi commented May 11, 2026

Summary

  • Moves @workos-inc/node from dependencies to peerDependencies with range ^8.0.0 || ^9.0.0
  • Adds @workos-inc/node@^9.2.0 to devDependencies for development/testing

Context

Users on @workos-inc/node@9.x are forced to use package manager resolutions to avoid version conflicts.

The SDK was a regular dependency pinned to ^8.0.0, causing npm to install a separate nested copy alongside the consumer's v9. Since authkit-session re-exports types from the SDK (User, Impersonator, WorkOS, etc.), this results in type mismatches across the package boundary.

As a peer dependency, the consumer controls the SDK version and only one copy exists at runtime.

What's NOT affected

authkit-session only uses userManagement methods (getJwksUrl, getAuthorizationUrl, getLogoutUrl, authenticateWithRefreshToken, authenticateWithCode) — none of which changed in v9. Build and tests pass against v9.2.0.

Test plan

  • pnpm run build passes
  • pnpm test — 243/243 tests pass
  • authkit-tanstack-start build + 217 tests pass with linked authkit-session


The SDK was listed as a regular dependency, which caused npm to install
a separate copy nested inside authkit-session. Consumers using v9 of the
SDK ended up with two copies (v8 bundled here, v9 at root), leading to
type mismatches and requiring resolutions/overrides as a workaround.

Moving to peerDependencies with range ^8.0.0 || ^9.0.0 ensures a single
copy at runtime controlled by the consumer.

greptile-apps Bot commented May 11, 2026

Greptile Summary

This PR fixes a dual-copy SDK problem by promoting @workos-inc/node from a direct dependency to a peer dependency with range ^8.0.0 || ^9.0.0, and adds ^9.2.0 to devDependencies for CI builds.

  • Peer dependency promotion: @workos-inc/node is removed from dependencies and added to peerDependencies (^8.0.0 || ^9.0.0), letting the consumer control the single installed copy and eliminating the type-mismatch issue that arose when consumers had v9 alongside the previously-pinned v8.
  • Dev dependency update: ^9.2.0 is added to devDependencies so builds and tests run against the latest major; the lock file is updated accordingly (8.13.0 → 9.2.0).
  • Minor engine note: The lock file now shows that @workos-inc/node@9.2.0 declares engines.node >= 22.11.0, while the package's own engines field still advertises >=20.0.0; consumers on Node 20 pairing with v9 of the SDK may encounter package-manager engine warnings.

Confidence Score: 5/5

Safe to merge — the change correctly externalises the SDK as a peer dependency and resolves the dual-copy type-mismatch issue for v9 consumers.

The change is narrowly scoped to dependency classification: removing a direct dep, adding a peer dep range, and bumping the dev dep. No application logic is touched. The only notable detail is that the package's engines.node still says >=20.0.0 while @workos-inc/node@9.x requires >=22.11.0, which could surprise Node 20 consumers who adopt v9 as their peer — but this is a documentation concern, not a functional regression.

No files require special attention; both changed files are straightforward dependency manifest updates.

Important Files Changed

Filename Overview
package.json Moves @workos-inc/node from dependencies to peerDependencies (^8.0.0
pnpm-lock.yaml Lock file updated to reflect @workos-inc/node moving from a direct dependency (8.13.0) to a dev dependency (9.2.0); snapshot correctly shows the new version's node engine requirement (>=22.11.0)

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Consumer installs authkit-session] --> B{Which @workos-inc/node version?}
    B -->|v8.x| C["@workos-inc/node ^8.0.0\n(peer dep satisfied)"]
    B -->|v9.x| D["@workos-inc/node ^9.0.0\n(peer dep satisfied)"]
    C --> E[Single copy of SDK in node_modules]
    D --> E
    E --> F[authkit-session re-exports types\n User, Impersonator, WorkOS]
    F --> G[No type mismatch at package boundary]

    subgraph Before
        H[authkit-session deps: @workos-inc/node ^8.0.0]
        I[Consumer: @workos-inc/node ^9.x]
        H & I --> J[Two copies of SDK installed\nType mismatch across boundary]
    end

Reviews (2): Last reviewed commit: "fix: run pnpm i"

@devin-ai-integration devin-ai-integration Bot left a comment

Devin Review found 1 potential issue.

@nicknisi nicknisi requested a review from gjtorikian May 11, 2026 16:51
@nicknisi nicknisi merged commit 7675c4b into main May 11, 2026
6 checks passed
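
The dual-copy condition described in the PR summary (a nested v8 SDK beside the consumer's v9) can be checked for directly. The following is an added example, not code from the PR or the project: it walks an npm-style nested `node_modules` tree, lists every installed copy of the SDK, and tests the result against the peer range. The directory layout, the `0.0.0-sample` version and all function names are assumptions; the SDK name, range and the 8.13.0 / 9.2.0 versions are taken from the page.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Collect the version of every installed copy of `name`, nested copies included.
function findCopies(root, name, out = []) {
  const nm = path.join(root, 'node_modules');
  if (!fs.existsSync(nm)) return out;
  for (const entry of fs.readdirSync(nm)) {
    // Scoped packages sit one directory deeper: node_modules/@scope/pkg.
    const scoped = entry.startsWith('@');
    const pkgs = scoped ? fs.readdirSync(path.join(nm, entry)).map((p) => `${entry}/${p}`) : [entry];
    for (const pkg of pkgs) {
      const manifest = path.join(nm, pkg, 'package.json');
      if (!fs.existsSync(manifest)) continue;
      if (pkg === name) out.push(JSON.parse(fs.readFileSync(manifest, 'utf8')).version);
      findCopies(path.join(nm, pkg), name, out); // a dependency may nest its own copy
    }
  }
  return out;
}

// Simplified caret check: "^X.Y.Z || ^A.B.C" with major >= 1 and no prerelease tags.
function satisfies(version, range) {
  const v = version.split('.').map(Number);
  return range.split('||').some((part) => {
    const r = part.trim().replace(/^\^/, '').split('.').map(Number);
    return v[0] === r[0] && (v[1] > r[1] || (v[1] === r[1] && v[2] >= r[2]));
  });
}

// Healthy when exactly one copy is installed and it falls inside the peer range.
function auditPeer(root, name, range) {
  const versions = findCopies(root, name).sort();
  return { versions, ok: versions.length === 1 && satisfies(versions[0], range) };
}

// Constructed sample tree: writes a package.json with the given version at each path.
function buildTree(layout) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'peer-audit-'));
  for (const [rel, version] of Object.entries(layout)) {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify({ version }));
  }
  return root;
}
const SDK = '@workos-inc/node', RANGE = '^8.0.0 || ^9.0.0'; // both from the PR
const HOISTED = { 'node_modules/authkit-session': '0.0.0-sample', [`node_modules/${SDK}`]: '9.2.0' };
const NESTED = { ...HOISTED, [`node_modules/authkit-session/node_modules/${SDK}`]: '8.13.0' };
console.log(auditPeer(buildTree(NESTED), SDK, RANGE), auditPeer(buildTree(HOISTED), SDK, RANGE));
```

The walk assumes physically nested directories; a pnpm store of symlinks under `node_modules/.pnpm` is not traversed by this sketch.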