fix: add @workos-inc/node as a peer dependency

[nicknisi]

Summary

• Adds @workos-inc/node with range ^8.0.0 || ^9.0.0 to peerDependencies

Context

Companion to workos/authkit-session#32.

This package re-exports types that originate from @workos-inc/node (e.g., User, Impersonator via authkit-session). Declaring the SDK as an explicit peer dependency makes the requirement visible at install time and ensures a single copy at runtime — preventing type mismatches for consumers on @workos-inc/node@9.x.

Test plan

• pnpm run build passes
• pnpm test — 217/217 tests pass

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[greptile-apps]

Greptile Summary

This PR adds @workos-inc/node as an explicit peer dependency (range ^8.0.0 || ^9.0.0) to surface the SDK requirement at install time and prevent type mismatches for consumers on v9.x, complementing a parallel change in authkit-session.

• package.json: @workos-inc/node added to peerDependencies; no matching devDependencies entry was added, unlike every other peer dep in this file.
• pnpm-lock.yaml: As a result, pnpm records the package under dependencies (resolving to 8.13.0) rather than devDependencies, which is inconsistent with how the other peer deps are tracked.

Confidence Score: 4/5

Safe to merge; the peer dependency declaration is correct and all tests pass. A minor inconsistency in how devDependencies is managed is worth a follow-up but does not affect the published package.

The change correctly declares @workos-inc/node as a peer dependency and pnpm build/tests pass. The only issue is that a corresponding devDependencies entry is missing — every other peer dep in this project has one — which causes the lockfile to record it under dependencies rather than devDependencies. This does not affect the published artifact but is an inconsistency future contributors will notice.

package.json — missing devDependencies counterpart for the new peer dep.

Important Files Changed

Filename	Overview
package.json	Adds @workos-inc/node to peerDependencies with range `^8.0.0
pnpm-lock.yaml	Records @workos-inc/node@8.13.0 under dependencies (not devDependencies) — a consequence of the missing devDependencies entry in package.json; consistent with how pnpm handles peer-only declarations under autoInstallPeers: true.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    Consumer["Consumer App"]
    PKG["@workos/authkit-tanstack-react-start"]
    PEER["@workos-inc/node\n(peerDependency ^8.0.0 || ^9.0.0)"]
    SESSION["@workos/authkit-session\n(dependency ^0.5.1)"]
    TYPES["Re-exported types\n(User, Impersonator, …)"]

    Consumer -->|installs| PKG
    Consumer -->|must also install| PEER
    PKG -->|depends on| SESSION
    SESSION -->|depends on| PEER
    PKG -->|re-exports types from| PEER
    PEER --> TYPES
    Consumer --> TYPES

Loading

Comments Outside Diff (1)

1. package.json, line 77-78 (link)

   Every other peer dependency in this file (@tanstack/react-router, @tanstack/react-start, react, react-dom) also has a matching entry in devDependencies, which is what causes pnpm to record them under devDependencies in the lockfile and makes the version used for local development explicit and auditable. Without a devDependencies entry, @workos-inc/node ends up under dependencies in pnpm-lock.yaml — an inconsistency that could surprise future contributors and confuses tooling that distinguishes runtime from dev installs.

_{Reviews (1): Last reviewed commit: "fix: add @workos-inc/node as a peer depe..." | Re-trigger Greptile}