Backoffice NPM: use looser peerDependencies version ranges for plugin compatibility (#21644)

* feat(backoffice): use looser version ranges for peerDependencies

Convert hoisted dependencies to peerDependencies with more permissive version
ranges that allow plugin developers to use different versions without npm conflicts.

Version range strategy:
- Pre-release (0.x.y): >=X.Y.Z <1.0.0
  Example: @hey-api/openapi-ts 0.85.0 → >=0.85.0 <1.0.0
  Allows plugins to use 0.85.0, 0.91.1, 0.99.99 without conflicts

- Stable (major.x.y where major ≥1): major.x.x
  Example: lit ^3.3.1 → 3.x.x
  Allows any patch/minor within the major version

This allows plugin developers to:
- Use @hey-api/openapi-ts 0.91.1 while backoffice uses 0.85.0
- Install compatible deduplicated versions when available
- Override versions when needed for their specific use case

Types remain available from peerDependencies (automatically installed by npm 7+).
When @hey-api reaches 1.0.0, the range will automatically become ^1.0.0.

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* refactor(backoffice): use semver package for version parsing in cleanse script

Replace regex-based version parsing with the semver package used by npm itself.
This ensures version parsing is consistent with npm's own semver handling and is
more robust for edge cases.

Also update the version range logic to be more explicit and correct:
- Pre-release (0.x.y): >=X.Y.Z <1.0.0
- Stable (1+.x.y): >=X.Y.Z <NEXT_MAJOR.0.0

This ensures plugin developers use at least the tested version and prevents
accidental downgrades to incompatible minor versions.

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* chore: formats file

* chore: lockfile

* fix(backoffice): use semver.minVersion to parse version ranges

Fix parsing of version ranges like ^0.85.0 by using semver.minVersion() instead
of semver.parse(). The parse() function only handles exact versions, while
minVersion() extracts the minimum version from a range.

Example transformations:
- ^0.85.0 → 0.85.0 → >=0.85.0 <1.0.0
- ^3.3.1 → 3.3.1 → >=3.3.1 <4.0.0

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* refactor(backoffice): keep caret ranges for stable package versions

Optimize the version range conversion logic:

- Stable versions (major ≥ 1) with caret (e.g., ^3.3.1): Keep as-is
  The caret already implements the desired range: >=3.3.1 <4.0.0

- Pre-release versions (0.x.y): Convert to explicit range
  ^0.85.0 → >=0.85.0 <1.0.0 (caret only allows 0.85.z, not 0.91.z)

- Exact versions (e.g., 3.16.0): Convert to range
  3.16.0 → >=3.16.0 <4.0.0

This simplifies the published package.json while maintaining the same semantics
and is more explicit about the intent.

Examples of published peerDependencies:
- lit: ^3.3.1 (unchanged, already has correct range)
- rxjs: ^7.8.2 (unchanged)
- @hey-api/openapi-ts: >=0.85.0 <1.0.0 (converted from ^0.85.0)
- @tiptap/core: >=3.16.0 <4.0.0 (converted from 3.16.0)

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* refactor(backoffice): use caret for stable exact versions

Simplify stable exact versions (e.g., 3.16.0) by adding a caret prefix (^3.16.0)
instead of explicit range (>=3.16.0 <4.0.0). Both are semantically identical for
stable versions but caret is more concise and conventional.

Updated version range logic:
- Stable with caret (^3.3.1): Keep as-is
- Pre-release with caret (^0.85.0): Convert to >=0.85.0 <1.0.0
- Stable exact version (3.16.0): Convert to ^3.16.0

Examples of published peerDependencies:
- lit: ^3.3.1
- rxjs: ^7.8.2
- @hey-api/openapi-ts: >=0.85.0 <1.0.0
- @tiptap/core: ^3.16.0 (now with caret)

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* refactor(backoffice): ensure all pre-release versions get explicit range

Reorganize version conversion logic for clarity:

1. All pre-release (0.x.y) versions → explicit range: >=X.Y.Z <1.0.0
   - Examples: ^0.85.0 → >=0.85.0 <1.0.0, 0.85.0 → >=0.85.0 <1.0.0

2. Stable versions with caret (^3.3.1) → keep as-is

3. Stable versions exact (3.16.0) → add caret: ^3.16.0

This ensures pre-release version constraints are properly loosened for plugins
while maintaining stability guarantees.

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* treat all modifiers the same

* docs: add backoffice npm package structure documentation

Add comprehensive section to CLAUDE.md explaining:
- Backoffice npm package architecture and plugin model
- Dependency hoisting strategy and version range logic
- How pre-release versions are handled vs stable versions
- Importmap as single source of truth for runtime
- Plugin development implications and expectations

Clarifies that while npm versions constrain types, the actual runtime comes
from importmap, and plugin developers should declare explicit dependencies
rather than relying on transitive deps.

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

* docs: add npm package publishing guide to backoffice CLAUDE.md

Add comprehensive section explaining:
- Why backoffice uses peerDependencies (importmap provides runtime)
- Dependency hoisting strategy and version range conversion logic
- How pre-release versions are handled differently from stable versions
- Example published peerDependencies showing final output
- Plugin developer guide with dos and don'ts
- Key files involved in the publishing process

Provides clear guidance for plugin developers on version compatibility
and explains the importmap-as-single-source-of-truth architecture.

https://claude.ai/code/session_01CBpcwXYZjzexKkM9Cf57Kb

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: iOvergaard

CLAUDE.md

@@ -313,6 +313,65 @@ APIs use `Asp.Versioning.Mvc`:
 - Delivery API: `/umbraco/delivery/api/v{version}/*`
 - OpenAPI/Swagger docs per version
 
+### Backoffice npm Package Structure
+
+The backoffice (`Umbraco.Web.UI.Client`) is published to npm as **`@umbraco-cms/backoffice`** with a plugin architecture:
+
+#### Architecture Overview
+
+- **Multi-workspace structure**: Subprojects in `src/libs/*`, `src/packages/*`, `src/external/*`
+- **Export model**: All exports defined in root `package.json` → `./exports` field
+- **Importmap-driven runtime**: Dependencies provided at runtime via importmap (single source of truth)
+- **Build-time types**: TypeScript types come from npm peerDependencies
+- **Plugin model**: Developers create plugins that import from `@umbraco-cms/backoffice/*` exports
+
+#### Dependency Hoisting Strategy
+
+When building for npm (`npm pack`), the `cleanse-pkg.js` script hoists subproject dependencies to root `peerDependencies` with intelligent version range conversion:
+
+**Version Range Logic** (uses `semver` package):
+
+1. **Pre-release (0.x.y)**: Convert to explicit range
+   - Input: `^0.85.0` or `0.85.0`
+   - Output: `>=0.85.0 <1.0.0`
+   - Rationale: Pre-release caret only allows patch updates, explicit range allows minor upgrades within 0.x.x
+   - Example: Plugin can use `@hey-api/openapi-ts@0.91.1` while backoffice uses `0.85.0`
+
+2. **Stable with caret (^X.Y.Z where X ≥ 1)**: Keep as-is
+   - Input: `^3.3.1`
+   - Output: `^3.3.1` (unchanged)
+   - Rationale: Caret already implements correct semantics for stable versions
+
+3. **Stable exact versions (X.Y.Z where X ≥ 1)**: Add caret
+   - Input: `3.16.0`
+   - Output: `^3.16.0`
+   - Rationale: Normalizes to conventional semver format
+
+#### Key Dependencies
+
+**Runtime via importmap** (types available from peerDependencies):
+- `lit`, `rxjs`, `@umbraco-ui/uui` - Core framework
+- `monaco-editor`, `@tiptap/*` - Feature-specific editors
+- `@hey-api/openapi-ts` - HTTP client type generation
+
+**Build-time only** (not hoisted):
+- `vite`, `typescript`, `eslint` - Dev tooling
+
+#### Plugin Development Implications
+
+Plugin developers should:
+- **Declare explicit dependencies** in their own `package.json` (avoid relying on transitive deps)
+- **Understand the version ranges**: `>=0.85.0 <1.0.0` means they can use newer pre-release versions
+- **Know that types match npm ranges**, but runtime comes from importmap (managed by backoffice)
+- **When `@hey-api` hits 1.0.0**: Published constraint will automatically become `^1.0.0`
+
+#### Implementation Details
+
+- Script location: `src/Umbraco.Web.UI.Client/devops/publish/cleanse-pkg.js`
+- Runs as `prepack` hook before npm pack
+- Uses `semver.minVersion()` for robust version range parsing
+- Generates single source of truth for importmap versions
+
 ### Known Limitations
 
 1. **Circular Dependencies**: Avoided via `Lazy<T>` or event notifications

src/Umbraco.Web.UI.Client/CLAUDE.md

@@ -92,4 +92,87 @@ See **[Commands](./docs/commands.md)** for all available commands.
 
 ---
 
+## npm Package Publishing
+
+### Overview
+
+The backoffice is published to npm as `@umbraco-cms/backoffice` with a plugin-first architecture. All dependencies are **peerDependencies** because:
+
+1. **Importmap provides runtime**: The actual code at runtime comes from importmap, not npm
+2. **Types are the primary need**: Plugin developers need types for development, but runtime is managed centrally
+3. **Version flexibility**: Allows plugins to use different versions of pre-release packages (e.g., `@hey-api/openapi-ts`)
+
+### Dependency Hoisting & Version Ranges
+
+The `npm pack` process (prepack hook) runs `devops/publish/cleanse-pkg.js` which:
+
+1. **Collects dependencies** from all workspace subpackages
+2. **Converts to peerDependencies** at the root level
+3. **Intelligently adjusts version ranges** based on stability
+
+#### Version Range Conversion Logic
+
+Uses the `semver` package (npm's own semver library) for robust parsing:
+
+**Pre-release packages (0.x.y)**
+```
+Input:  ^0.85.0    or    0.85.0
+Output: >=0.85.0 <1.0.0
+
+Why: Pre-release caret (^0.85.0) only allows patch updates (0.85.x).
+     Explicit range allows plugins to use 0.91.1 without conflicts.
+```
+
+**Stable packages with caret (major ≥ 1)**
+```
+Input:  ^3.3.1
+Output: ^3.3.1    (kept as-is)
+
+Why: Caret already implements the correct range: >=3.3.1 <4.0.0
+```
+
+**Stable exact versions (major ≥ 1)**
+```
+Input:  3.16.0    (from @tiptap/*)
+Output: ^3.16.0
+
+Why: Normalizes to conventional semver format
+```
+
+#### Example Published peerDependencies
+
+```json
+{
+  "peerDependencies": {
+    "lit": "^3.3.1",
+    "rxjs": "^7.8.2",
+    "@umbraco-ui/uui": "^1.17.0-rc.5",
+    "monaco-editor": "^0.55.1",
+    "@tiptap/core": "^3.16.0",
+    "@hey-api/openapi-ts": ">=0.85.0 <1.0.0"
+  }
+}
+```
+
+### Plugin Developer Guide
+
+When using `@umbraco-cms/backoffice`:
+
+- **Declare dependencies explicitly** in your `package.json` (don't rely on transitive deps from backoffice)
+- **Version ranges are flexible**: `>=0.85.0 <1.0.0` means you can use `0.85.0`, `0.91.1`, or `0.99.99`
+- **Types come from npm**: TypeScript gets types from your declared versions
+- **Runtime comes from importmap**: The actual code at runtime is managed by the backoffice (importmap)
+- **Future compatibility**: When `@hey-api` hits `1.0.0`, the published range will automatically become `^1.0.0`
+
+### Key Files
+
+| File | Purpose |
+|------|---------|
+| `package.json` | Root package with exports and workspace references |
+| `devops/publish/cleanse-pkg.js` | Script that runs during `npm pack` to hoist and convert versions |
+| `src/external/*` | Dependency wrapper packages |
+| `src/packages/core` | Contains `@hey-api/openapi-ts` and other utilities |
+
+---
+
 **This project follows a modular package architecture with strict TypeScript, Lit web components, and an extensible manifest system. Each package is independent but follows consistent patterns. For extension development, use the Context API for dependency injection, controllers for logic, and manifests for registration.**

src/Umbraco.Web.UI.Client/devops/publish/cleanse-pkg.js

@@ -1,6 +1,8 @@
+/* eslint-disable local-rules/enforce-umbraco-external-imports */
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { join } from 'path';
-import glob from 'tiny-glob'
+import glob from 'tiny-glob';
+import semver from 'semver';
 
 console.log('[Prepublish] Cleansing package.json');
 
@@ -10,18 +12,45 @@ const packageJson = JSON.parse(readFileSync(packageFile, 'utf8'));
 // Remove all DevDependencies
 delete packageJson.devDependencies;
 
-// Rename dependencies to peerDependencies
-packageJson.peerDependencies = { ...packageJson.dependencies };
+// Convert version to a looser range that allows plugin developers to use newer versions
+// while still enforcing a minimum version and safety ceiling
+const looseVersionRange = (version) => {
+	// Extract minimum version from a range (e.g., ^0.85.0 -> 0.85.0)
+	const minVersion = semver.minVersion(version);
+	if (!minVersion) {
+		console.warn('Could not parse version:', version, 'keeping original');
+		return version;
+	}
+
+	const major = minVersion.major;
+	const minor = minVersion.minor;
+	const patch = minVersion.patch;
+
+	// For pre-release (0.x.y), always use floor at current version and ceiling at 1.0.0
+	if (major === 0) {
+		return `>=${major}.${minor}.${patch} <1.0.0`;
+	}
+
+	// Exact version without caret, add caret (e.g., 3.16.0 -> ^3.16.0 and ^3.16.0 -> ^3.16.0 and ~3.16.0 -> ^3.16.0)
+	return `^${major}.${minor}.${patch}`;
+};
+
+// Rename dependencies to peerDependencies with looser version ranges
+packageJson.peerDependencies = {};
+Object.entries(packageJson.dependencies || {}).forEach(([key, value]) => {
+	packageJson.peerDependencies[key] = looseVersionRange(value);
+	console.log('Converting to peer dependency:', key, 'from', value, 'to', packageJson.peerDependencies[key]);
+});
 delete packageJson.dependencies;
 
 // Iterate all workspaces and hoist the dependencies to the root package.json
 const workspaces = packageJson.workspaces || [];
-const workspacePromises = workspaces.map(async workspaceGlob => {
+const workspacePromises = workspaces.map(async (workspaceGlob) => {
 	// Use glob to find the workspace path
 	const localWorkspace = workspaceGlob.replace(/\.\/src/, './dist-cms');
 	const workspacePaths = await glob(localWorkspace, { cwd: './', absolute: true });
 
-	workspacePaths.forEach(workspace => {
+	workspacePaths.forEach((workspace) => {
 		const workspacePackageFile = join(workspace, 'package.json');
 
 		// Ensure the workspace package.json exists
@@ -36,11 +65,21 @@ const workspacePromises = workspaces.map(async workspaceGlob => {
 		// Move dependencies from the workspace to the root package.json
 		if (workspacePackageJson.dependencies) {
 			Object.entries(workspacePackageJson.dependencies).forEach(([key, value]) => {
-				console.log('Hoisting dependency:', key, 'from workspace:', workspace, 'with version:', value);
-				packageJson.peerDependencies[key] = value;
+				const loosenedVersion = looseVersionRange(value);
+				console.log(
+					'Hoisting dependency:',
+					key,
+					'from workspace:',
+					workspace,
+					'with version:',
+					value,
+					'loosened to:',
+					loosenedVersion,
+				);
+				packageJson.peerDependencies[key] = loosenedVersion;
 			});
 		}
-	})
+	});
 });
 
 // Wait for all workspace processing to complete