@bobfrankston/npmglobalize 1.0.159 → 1.0.161

package/README.md

@@ -189,6 +189,31 @@ npmglobalize -np          # --nopublish (formerly --apply)
 npmglobalize --cleanup    # Restore original file: references
 ```
 
+### 📝 Release Notes via `.commitmsg`
+
+For multi-line or reusable release notes, write them to a `.commitmsg` file in the package root instead of passing them on the command line:
+
+```bash
+cat > .commitmsg <<'EOF'
+Added foo feature
+Fixed bar regression
+EOF
+npmglobalize
+```
+
+Behavior:
+- If `-m` / `-message` is **not** given and `.commitmsg` exists, its contents are used as the commit message (and force a release even if the working tree is otherwise clean).
+- After a successful `npm publish`, npmglobalize:
+  1. Appends the contents to `npmchanges.md` under a `## v<version> — <YYYY-MM-DD>` header (creating the file if needed)
+  2. Deletes `.commitmsg`
+  3. Commits both changes as `Log v<version> to npmchanges.md` and pushes
+
+Notes:
+- **Git/GitHub only.** npm publish does not consume git commit messages; `npmchanges.md` lives in the git repo and on GitHub but is excluded from the published npm tarball (the standard `*.md` rule keeps only `README.md`).
+- If both `-m` and `.commitmsg` are present, `-m` wins and `.commitmsg` is left alone (not consumed).
+- If publish fails, `.commitmsg` is preserved for the next attempt.
+- `.commitmsg` is auto-added to `.npmignore` (security pattern) so it never leaks into the tarball.
+
 ### 🔧 Git Integration & Error Recovery
 
 **Automatic tag conflict resolution**:
@@ -288,6 +313,8 @@ Publishing requires being on a branch so commits and tags can be properly tracke
 -nopublish, -np      Just transform, don't publish (persisted to config)
 -cleanup             Restore file: dependencies from .dependencies backup
 -m, -message <msg>   Custom commit message (forces release even without changes)
+                     If -m not given, a `.commitmsg` file (if present) is used instead.
+                     See "Release Notes via .commitmsg" below.
 ```
 
 ### Dependency Options

package/cli.js

@@ -27,6 +27,9 @@ Release Options:
   -nopublish, -np      Just transform, don't publish (persisted to config)
   -cleanup             Restore from .dependencies
   -m, -message <msg>   Custom commit message (forces release even without changes)
+                       If -m not given and a .commitmsg file exists in cwd, its
+                       contents are used. After a successful publish it is appended
+                       to npmchanges.md (with version header) and deleted.
 
 Dependency Options:
   -update-deps, -ud        Update package.json to latest (minor/patch only, safe)

package/ignorepatterns.json5

@@ -41,7 +41,8 @@
             ".env*",
             "token*",
             "certs/",
-            "*cert*/"
+            "*cert*/",
+            ".commitmsg"
         ],
         // Prompted or auto-added with --conform
         recommended: [

package/lib.d.ts

@@ -243,12 +243,26 @@ export declare function parseVersionTag(tag: string): number[] | null;
 export declare function compareVersions(a: number[], b: number[]): number;
 /** Fix version/tag mismatches */
 export declare function fixVersionTagMismatch(cwd: string, pkg: any, verbose?: boolean): boolean;
+/** Return declared deps (dependencies + devDependencies) that don't resolve from
+ *  `pkgDir`. Skips `file:`/`workspace:`/`link:` specs — those are handled elsewhere.
+ *  A declared dep that doesn't resolve means `package.json` and installed
+ *  `node_modules/` are out of sync (e.g. dep added but `npm install` not re-run). */
+export declare function missingDeps(pkgDir: string, pkg: any): string[];
 /** Walk `file:` deps transitively and run `npm install` in any target whose
- *  package.json declares deps but has no `node_modules/`. Also covers `cwd`
- *  itself on the first call, so a fresh clone with no `node_modules/` gets
- *  installed before the upcoming build/pack tries to resolve imports.
+ *  declared deps aren't all resolvable from its directory. Covers both
+ *  "fresh clone, no `node_modules/`" and "dep added but `npm install` not
+ *  re-run" (partial-sync) cases. Also covers `cwd` itself on the first call.
  *  Cycle-safe via the shared `visited` set. */
 export declare function ensureFileDepModules(cwd: string, verbose?: boolean, visited?: Set<string>): void;
+/** Ensure the workspace-root `node_modules/` is in sync with every member's
+ *  declared deps. Workspaces hoist deps to the root, so a dep added to any
+ *  member `package.json` without a follow-up `npm install` at the root leaves
+ *  the root `node_modules/` stale — the case where `member/` dirs exist but
+ *  the actual package (e.g. `marked`) is not hoisted. */
+export declare function ensureWorkspaceDepModules(rootDir: string, members: Array<{
+    dir: string;
+    pkg: any;
+}>, verbose?: boolean): void;
 /** Run a command and return success status */
 export declare function runCommand(cmd: string, args: string[], options?: {
     silent?: boolean;

package/lib.js

@@ -1322,10 +1322,51 @@ function restoreNestedDepModules(stashed, verbose) {
         }
     }
 }
+/** Walk up the directory tree looking for `node_modules/<depName>/package.json`.
+ *  Matches Node's module resolution so hoisted workspace deps are found. */
+function depResolves(startDir, depName) {
+    let dir = path.resolve(startDir);
+    const segs = depName.split('/');
+    while (true) {
+        const candidate = path.join(dir, 'node_modules', ...segs, 'package.json');
+        if (fs.existsSync(candidate))
+            return true;
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            return false;
+        dir = parent;
+    }
+}
+/** Return declared deps (dependencies + devDependencies) that don't resolve from
+ *  `pkgDir`. Skips `file:`/`workspace:`/`link:` specs — those are handled elsewhere.
+ *  A declared dep that doesn't resolve means `package.json` and installed
+ *  `node_modules/` are out of sync (e.g. dep added but `npm install` not re-run). */
+export function missingDeps(pkgDir, pkg) {
+    const missing = [];
+    for (const key of ['dependencies', 'devDependencies']) {
+        const deps = pkg?.[key];
+        if (!deps || typeof deps !== 'object')
+            continue;
+        for (const [name, spec] of Object.entries(deps)) {
+            if (typeof spec !== 'string')
+                continue;
+            if (spec.startsWith('file:') || spec.startsWith('workspace:') || spec.startsWith('link:'))
+                continue;
+            if (!depResolves(pkgDir, name))
+                missing.push(name);
+        }
+    }
+    return missing;
+}
+function formatMissingReason(missing) {
+    if (missing.length === 1)
+        return `missing dep: ${missing[0]}`;
+    return `${missing.length} missing deps: ${missing.slice(0, 3).join(', ')}${missing.length > 3 ? ', …' : ''}`;
+}
 /** Walk `file:` deps transitively and run `npm install` in any target whose
- *  package.json declares deps but has no `node_modules/`. Also covers `cwd`
- *  itself on the first call, so a fresh clone with no `node_modules/` gets
- *  installed before the upcoming build/pack tries to resolve imports.
+ *  declared deps aren't all resolvable from its directory. Covers both
+ *  "fresh clone, no `node_modules/`" and "dep added but `npm install` not
+ *  re-run" (partial-sync) cases. Also covers `cwd` itself on the first call.
  *  Cycle-safe via the shared `visited` set. */
 export function ensureFileDepModules(cwd, verbose = false, visited = new Set()) {
     const abs = path.resolve(cwd);
@@ -1339,11 +1380,13 @@ export function ensureFileDepModules(cwd, verbose = false, visited = new Set())
     catch {
         return;
     }
-    const cwdHasDeps = (pkg?.dependencies && Object.keys(pkg.dependencies).length > 0) ||
-        (pkg?.devDependencies && Object.keys(pkg.devDependencies).length > 0);
-    if (cwdHasDeps && !fs.existsSync(path.join(abs, 'node_modules'))) {
+    const cwdMissing = missingDeps(abs, pkg);
+    if (cwdMissing.length > 0) {
+        // Only clear a stale lockfile if node_modules is entirely absent (fresh clone).
+        // For partial-sync cases, keep the lockfile so pinned versions stay honored.
+        const nm = path.join(abs, 'node_modules');
         const lock = path.join(abs, 'package-lock.json');
-        if (fs.existsSync(lock)) {
+        if (!fs.existsSync(nm) && fs.existsSync(lock)) {
             if (verbose)
                 console.log(colors.dim(`  removing stale ${lock}`));
             try {
@@ -1351,7 +1394,7 @@ export function ensureFileDepModules(cwd, verbose = false, visited = new Set())
             }
             catch { /* best-effort */ }
         }
-        console.log(colors.yellow(`↻ installing node_modules in ${pkg?.name || abs}`));
+        console.log(colors.yellow(`↻ installing node_modules in ${pkg?.name || abs} (${formatMissingReason(cwdMissing)})`));
         const r = runCommand('npm', ['install'], { cwd: abs, silent: !verbose });
         if (!r.success) {
             console.error(colors.red(`  ✗ npm install failed in ${abs}`));
@@ -1376,12 +1419,11 @@ export function ensureFileDepModules(cwd, verbose = false, visited = new Set())
             catch {
                 continue;
             }
-            const hasDeps = (targetPkg?.dependencies && Object.keys(targetPkg.dependencies).length > 0) ||
-                (targetPkg?.devDependencies && Object.keys(targetPkg.devDependencies).length > 0);
-            const nm = path.join(target, 'node_modules');
-            if (hasDeps && !fs.existsSync(nm)) {
+            const targetMissing = missingDeps(target, targetPkg);
+            if (targetMissing.length > 0) {
+                const nm = path.join(target, 'node_modules');
                 const lock = path.join(target, 'package-lock.json');
-                if (fs.existsSync(lock)) {
+                if (!fs.existsSync(nm) && fs.existsSync(lock)) {
                     if (verbose)
                         console.log(colors.dim(`  removing stale ${lock}`));
                     try {
@@ -1389,7 +1431,7 @@ export function ensureFileDepModules(cwd, verbose = false, visited = new Set())
                     }
                     catch { /* best-effort */ }
                 }
-                console.log(colors.yellow(`↻ restoring node_modules in ${name} (${target})`));
+                console.log(colors.yellow(`↻ restoring node_modules in ${name} (${target}) (${formatMissingReason(targetMissing)})`));
                 const r = runCommand('npm', ['install'], { cwd: target, silent: !verbose });
                 if (!r.success) {
                     console.error(colors.red(`  ✗ npm install failed in ${target}`));
@@ -1401,6 +1443,38 @@ export function ensureFileDepModules(cwd, verbose = false, visited = new Set())
         }
     }
 }
+/** Ensure the workspace-root `node_modules/` is in sync with every member's
+ *  declared deps. Workspaces hoist deps to the root, so a dep added to any
+ *  member `package.json` without a follow-up `npm install` at the root leaves
+ *  the root `node_modules/` stale — the case where `member/` dirs exist but
+ *  the actual package (e.g. `marked`) is not hoisted. */
+export function ensureWorkspaceDepModules(rootDir, members, verbose = false) {
+    const root = path.resolve(rootDir);
+    let rootPkg;
+    try {
+        rootPkg = readPackageJson(root);
+    }
+    catch {
+        return;
+    }
+    const allMissing = new Set();
+    for (const name of missingDeps(root, rootPkg))
+        allMissing.add(name);
+    for (const m of members) {
+        for (const name of missingDeps(m.dir, m.pkg))
+            allMissing.add(name);
+    }
+    if (allMissing.size === 0)
+        return;
+    const list = [...allMissing];
+    console.log(colors.yellow(`↻ installing workspace node_modules in ${rootPkg?.name || path.basename(root)} (${formatMissingReason(list)})`));
+    const r = runCommand('npm', ['install'], { cwd: root, silent: !verbose });
+    if (!r.success) {
+        console.error(colors.red(`  ✗ npm install failed in ${root}`));
+        if (r.stderr)
+            console.error(colors.dim(r.stderr.split('\n').slice(0, 5).join('\n')));
+    }
+}
 /** Run npm install -g with retries for registry propagation delay */
 function installGlobalWithRetry(pkgSpec, cwd, maxRetries = 3) {
     let result = runCommand('npm', ['install', '-g', pkgSpec], { cwd, silent: false, showCommand: true });
@@ -3845,11 +3919,29 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     }
     // Re-check git status after all transformations and potential commits
     currentGitStatus = getGitStatus(cwd);
+    // If no -m given, fall back to .commitmsg file contents (one-shot changelog entry).
+    // Consumed (appended to npmchanges.md + deleted) only after a successful publish.
+    const commitMsgPath = path.join(cwd, '.commitmsg');
+    let commitMsgFromFile = null;
+    let effectiveMessage = message;
+    if (!effectiveMessage && fs.existsSync(commitMsgPath)) {
+        try {
+            const content = fs.readFileSync(commitMsgPath, 'utf-8').trim();
+            if (content) {
+                commitMsgFromFile = content;
+                effectiveMessage = content;
+                console.log(colors.cyan(`  Using .commitmsg for commit message (${content.split('\n')[0].slice(0, 60)}${content.length > 60 ? '…' : ''})`));
+            }
+        }
+        catch (err) {
+            console.error(colors.yellow(`  Warning: could not read .commitmsg: ${err.message}`));
+        }
+    }
     // Check if there are changes to commit or a custom message
     // Skip this check for first publish (currentAccess null) or just-initialized repos
     const isFirstPublish = !currentAccess;
     let skipVersionBump = false;
-    if (!currentGitStatus.hasUncommitted && !message && !justInitialized && !isFirstPublish) {
+    if (!currentGitStatus.hasUncommitted && !effectiveMessage && !justInitialized && !isFirstPublish) {
         // Check if the current version is actually on npm (it might have failed to publish previously)
         const versionCheck = spawnSafe('npm', ['view', `${pkg.name}@${pkg.version}`, 'version'], {
             shell: process.platform === 'win32',
@@ -4000,7 +4092,7 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     }
     // Git operations
     if (currentGitStatus.hasUncommitted) {
-        const commitMsg = message || 'Pre-release commit';
+        const commitMsg = effectiveMessage || 'Pre-release commit';
         console.log(`${timestamp()} Committing changes: ${commitMsg}`);
         if (!dryRun) {
             // Remove 'nul' files that break git on Windows
@@ -4627,6 +4719,36 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
         const finalAccess = effectiveNpmVisibility || currentAccess || (isScoped ? 'restricted' : 'public');
         const accessLabel = (finalAccess === 'restricted' || finalAccess === 'private') ? 'PRIVATE' : 'PUBLIC';
         console.log(`${timestamp()} ${colors.green(`✓ Published to npm as ${accessLabel}`)}`);
+        // Consume .commitmsg: append to npmchanges.md, delete the file, commit+push.
+        // Only runs if .commitmsg was actually used as the commit message.
+        if (commitMsgFromFile) {
+            try {
+                const publishedVersion = readPackageJson(cwd).version;
+                const npmChangesPath = path.join(cwd, 'npmchanges.md');
+                const date = new Date().toISOString().slice(0, 10);
+                const header = `## v${publishedVersion} — ${date}\n\n`;
+                const entry = header + commitMsgFromFile.trim() + '\n\n';
+                const existing = fs.existsSync(npmChangesPath)
+                    ? fs.readFileSync(npmChangesPath, 'utf-8')
+                    : '# npm Publish Changes\n\n';
+                const sep = existing.endsWith('\n') ? '' : '\n';
+                fs.writeFileSync(npmChangesPath, existing + sep + entry);
+                try {
+                    fs.unlinkSync(commitMsgPath);
+                }
+                catch { /* ignore */ }
+                runCommand('git', ['add', 'npmchanges.md', '.commitmsg'], { cwd, silent: true });
+                const logResult = gitCommit(`Log v${publishedVersion} to npmchanges.md`, cwd);
+                if (logResult.success) {
+                    console.log(colors.green(`  ✓ Appended to npmchanges.md and removed .commitmsg`));
+                    if (currentGitStatus.hasRemote)
+                        pushWithProtection(cwd, verbose);
+                }
+            }
+            catch (err) {
+                console.error(colors.yellow(`  Warning: could not update npmchanges.md: ${err.message}`));
+            }
+        }
     }
     else {
         console.log(`  [dry-run] Would run: npm publish ${quiet ? '--quiet' : ''}`);
@@ -4931,6 +5053,12 @@ export async function globalizeWorkspace(rootDir, options = {}, configOptions =
             }
         }
     }
+    // Sync workspace-root node_modules with member package.json files. Catches
+    // the case where a dep was added to a member package.json but `npm install`
+    // wasn't re-run — the builds would otherwise fail resolving the new dep.
+    if (!options.dryRun) {
+        ensureWorkspaceDepModules(rootDir, packages.map(p => ({ dir: p.dir, pkg: p.pkg })), !!options.verbose);
+    }
     // Prescan: decide which packages actually need processing so we don't waste
     // time rebuilding+republishing ones with no relevant changes.
     // A package is SKIPPED only if ALL of:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.159",
+  "version": "1.0.161",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",