Dependency Management Overview
How Trovella manages third-party dependencies across the monorepo -- pnpm catalog, Renovate automation, and version strategy.
How It Works
Trovella's dependency management rests on three pillars:
- pnpm catalog -- a single source of truth for shared dependency versions, defined in pnpm-workspace.yaml. Packages reference versions with "catalog:" instead of hardcoded ranges.
- Renovate -- a GitHub App that opens PRs for outdated dependencies every weekend. DevDependency patches automerge; runtime and major updates require human review.
- Version strategy -- caret ranges (^) for flexibility, overrides for transitive dependency fixes, and a monthly manual deep-check as a safety net.
Together, these ensure that version drift across the monorepo is impossible for cataloged dependencies, updates flow in automatically with CI validation, and breaking changes always get human review.
The Critical Rule
Use pnpm install, not pnpm update, when changing catalog dependency versions.
pnpm update rewrites "catalog:" specifiers in package.json files to pinned version strings (e.g., "^5.9.3"). This breaks pnpm install --frozen-lockfile in CI and Docker builds because the lockfile no longer matches the modified package.json files.
To update a catalog dependency: edit the version in pnpm-workspace.yaml, then run pnpm install.
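A pre-merge guard for the rule above can flag any cataloged dependency whose package.json entry has been rewritten from "catalog:" to a literal range. This is an added example, not Trovella's own tooling: the function names (parseCatalog, findCatalogDrift), file paths, and versions are constructed, and the reader handles only the flat default catalog mapping.

```javascript
// Constructed sample of pnpm-workspace.yaml; versions are illustrative.
const SAMPLE_WORKSPACE_YAML = `
packages:
  - "apps/*"
catalog:
  react: ^19.0.0
  "drizzle-orm": ^0.40.0
  zod: ^3.24.0   # shared by several packages
`;

// Constructed manifests; zod in apps/web shows the state left by `pnpm update`.
const SAMPLE_MANIFESTS = [
  { path: "apps/web/package.json", manifest: {
      dependencies: { react: "catalog:", zod: "^3.24.1", clsx: "^2.1.1", "@repo/db": "workspace:*" } } },
  { path: "packages/api/package.json", manifest: {
      dependencies: { "drizzle-orm": "catalog:", zod: "catalog:" },
      devDependencies: { vitest: "catalog:" } } },
];

// Minimal reader for the flat default `catalog:` mapping only (not a YAML parser).
function parseCatalog(yamlText) {
  const catalog = new Map();
  let inCatalog = false;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s+)#.*$/, ""); // drop comments
    if (!line.trim()) continue;
    // A non-indented key starts a new top-level section.
    if (!/^\s/.test(line)) { inCatalog = line.trim() === "catalog:"; continue; }
    if (!inCatalog) continue;
    const m = line.match(/^\s+["']?([^"':]+)["']?:\s*["']?([^"']+?)["']?\s*$/);
    if (m) catalog.set(m[1], m[2]);
  }
  return catalog;
}

// Report cataloged names that carry a literal range, and default-catalog
// references to names the catalog does not define.
function findCatalogDrift(catalog, manifests) {
  const findings = [];
  for (const { path, manifest } of manifests) {
    for (const field of ["dependencies", "devDependencies", "peerDependencies"]) {
      for (const [name, spec] of Object.entries(manifest[field] || {})) {
        const viaCatalog = spec.startsWith("catalog:");
        if (catalog.has(name) && !viaCatalog) {
          findings.push({ path, field, name, spec, problem: "pinned-outside-catalog" });
        } else if ((spec === "catalog:" || spec === "catalog:default") && !catalog.has(name)) {
          findings.push({ path, field, name, spec, problem: "not-in-catalog" });
        }
      }
    }
  }
  return findings;
}
```

In a real check, the YAML text and manifests would be read from the repository and a non-empty findings list would fail the job before pnpm install --frozen-lockfile runs.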
Catalog vs. Non-Catalog Dependencies
Not every dependency goes through the catalog. The split:
| Type | Where version lives | Example |
|---|---|---|
| Cataloged | pnpm-workspace.yaml catalog: section | react, next, drizzle-orm, zod |
| Non-cataloged | Individual package.json files | class-variance-authority, clsx, sonner |
| Workspace | "workspace:*" (always latest local) | @repo/db, @repo/api, @repo/auth |
Cataloged dependencies are packages used by multiple workspace packages or that must stay in lockstep across the monorepo. Non-cataloged dependencies are used by a single package and have no cross-package version constraint. Workspace dependencies are internal @repo/* packages that always resolve to the local version.
What to Read Next
- Catalog Pattern -- full catalog reference, how "catalog:" resolves, and how to update versions
- Renovate Automation -- scheduling, grouping, automerge rules, and PR review workflow
- Adding Dependencies -- step-by-step guide for adding a new dependency to the monorepo
- Version Strategy -- range conventions, overrides, pins, and the monthly deep-check