@bobfrankston/npmglobalize 1.0.160 → 1.0.162

package/README.md

@@ -189,6 +189,31 @@ npmglobalize -np          # --nopublish (formerly --apply)
 npmglobalize --cleanup    # Restore original file: references
 ```
 
+### 📝 Release Notes via `.commitmsg`
+
+For multi-line or reusable release notes, write them to a `.commitmsg` file in the package root instead of passing them on the command line:
+
+```bash
+cat > .commitmsg <<'EOF'
+Added foo feature
+Fixed bar regression
+EOF
+npmglobalize
+```
+
+Behavior:
+- If `-m` / `-message` is **not** given and `.commitmsg` exists, its contents are used as the commit message (and force a release even if the working tree is otherwise clean).
+- After a successful `npm publish`, npmglobalize:
+  1. Appends the contents to `npmchanges.md` under a `## v<version> — <YYYY-MM-DD>` header (creating the file if needed)
+  2. Deletes `.commitmsg`
+  3. Commits both changes as `Log v<version> to npmchanges.md` and pushes
+
+Notes:
+- **Git/GitHub only.** npm publish does not consume git commit messages; `npmchanges.md` lives in the git repo and on GitHub but is excluded from the published npm tarball (the standard `*.md` rule keeps only `README.md`).
+- If both `-m` and `.commitmsg` are present, `-m` wins and `.commitmsg` is left alone (not consumed).
+- If publish fails, `.commitmsg` is preserved for the next attempt.
+- `.commitmsg` is auto-added to `.npmignore` (security pattern) so it never leaks into the tarball.
+
 ### 🔧 Git Integration & Error Recovery
 
 **Automatic tag conflict resolution**:
@@ -288,6 +313,8 @@ Publishing requires being on a branch so commits and tags can be properly tracke
 -nopublish, -np      Just transform, don't publish (persisted to config)
 -cleanup             Restore file: dependencies from .dependencies backup
 -m, -message <msg>   Custom commit message (forces release even without changes)
+                     If -m not given, a `.commitmsg` file (if present) is used instead.
+                     See "Release Notes via .commitmsg" below.
 ```
 
 ### Dependency Options

package/cli.js

@@ -27,6 +27,9 @@ Release Options:
   -nopublish, -np      Just transform, don't publish (persisted to config)
   -cleanup             Restore from .dependencies
   -m, -message <msg>   Custom commit message (forces release even without changes)
+                       If -m not given and a .commitmsg file exists in cwd, its
+                       contents are used. After a successful publish it is appended
+                       to npmchanges.md (with version header) and deleted.
 
 Dependency Options:
   -update-deps, -ud        Update package.json to latest (minor/patch only, safe)

package/ignorepatterns.json5

@@ -41,7 +41,8 @@
             ".env*",
             "token*",
             "certs/",
-            "*cert*/"
+            "*cert*/",
+            ".commitmsg"
         ],
         // Prompted or auto-added with --conform
         recommended: [

package/lib.d.ts

@@ -186,12 +186,25 @@ export declare function getFileRefs(pkg: any): Map<string, {
     name: string;
     value: string;
 }>;
+/** Expand workspace entries (which may include globs like 'packages/*') to relative
+ *  dir paths from rootDir, normalized to forward slashes. Only `<base>/*` is expanded;
+ *  more exotic globs (`**`, `?`, character classes) are passed through unchanged. */
+export declare function expandWorkspaceEntries(rootDir: string, entries: string[]): string[];
 /** Resolve workspace entries to package info. Skips dirs without package.json or with private:true. */
 export declare function resolveWorkspacePackages(rootDir: string): Array<{
     name: string;
     dir: string;
     pkg: any;
 }>;
+/** Like resolveWorkspacePackages but INCLUDES private packages and exposes the
+ *  workspaces[] entry (relative path) for each. Use for build ordering, where
+ *  a private workspace package is still part of the dep graph. */
+export declare function resolveAllWorkspacePackages(rootDir: string): Array<{
+    name: string;
+    dir: string;
+    pkg: any;
+    entry: string;
+}>;
 /** Build a dependency graph among workspace packages. Returns Map<name, Set<depName>>. */
 export declare function buildDependencyGraph(packages: Array<{
     name: string;
@@ -244,7 +257,10 @@ export declare function compareVersions(a: number[], b: number[]): number;
 /** Fix version/tag mismatches */
 export declare function fixVersionTagMismatch(cwd: string, pkg: any, verbose?: boolean): boolean;
 /** Return declared deps (dependencies + devDependencies) that don't resolve from
- *  `pkgDir`. Skips `file:`/`workspace:`/`link:` specs — those are handled elsewhere.
+ *  `pkgDir`. Skips `workspace:`/`link:` specs (handled by workspace tooling /
+ *  rarely used). `file:` deps are checked: npm installs them as junctions
+ *  (Windows) or symlinks, and `fs.existsSync` traverses both, so a missing
+ *  file: dep is a real out-of-sync case worth flagging.
  *  A declared dep that doesn't resolve means `package.json` and installed
  *  `node_modules/` are out of sync (e.g. dep added but `npm install` not re-run). */
 export declare function missingDeps(pkgDir: string, pkg: any): string[];

package/lib.js

@@ -685,6 +685,41 @@ export function getFileRefs(pkg) {
     return refs;
 }
 // ─── Workspace helpers ───────────────────────────────────────────────
+/** Expand workspace entries (which may include globs like 'packages/*') to relative
+ *  dir paths from rootDir, normalized to forward slashes. Only `<base>/*` is expanded;
+ *  more exotic globs (`**`, `?`, character classes) are passed through unchanged. */
+export function expandWorkspaceEntries(rootDir, entries) {
+    const expanded = [];
+    const seen = new Set();
+    const push = (rel) => { if (!seen.has(rel)) {
+        seen.add(rel);
+        expanded.push(rel);
+    } };
+    for (const entry of entries) {
+        const norm = entry.replace(/\\/g, '/');
+        const m = norm.match(/^(.+?)\/\*$/);
+        if (m && !m[1].includes('*')) {
+            const baseDir = path.resolve(rootDir, m[1]);
+            if (!fs.existsSync(baseDir) || !fs.statSync(baseDir).isDirectory())
+                continue;
+            const subs = fs.readdirSync(baseDir).sort();
+            for (const sub of subs) {
+                if (sub.startsWith('.'))
+                    continue;
+                const subPath = path.join(baseDir, sub);
+                if (!fs.statSync(subPath).isDirectory())
+                    continue;
+                if (!fs.existsSync(path.join(subPath, 'package.json')))
+                    continue;
+                push(`${m[1]}/${sub}`);
+            }
+        }
+        else {
+            push(norm);
+        }
+    }
+    return expanded;
+}
 /** Resolve workspace entries to package info. Skips dirs without package.json or with private:true. */
 export function resolveWorkspacePackages(rootDir) {
     const rootPkg = readPackageJson(rootDir);
@@ -692,7 +727,7 @@ export function resolveWorkspacePackages(rootDir) {
     if (!Array.isArray(workspaces))
         return [];
     const results = [];
-    for (const entry of workspaces) {
+    for (const entry of expandWorkspaceEntries(rootDir, workspaces)) {
         const pkgDir = path.resolve(rootDir, entry);
         const pkgJsonPath = path.join(pkgDir, 'package.json');
         if (!fs.existsSync(pkgJsonPath))
@@ -704,6 +739,87 @@ export function resolveWorkspacePackages(rootDir) {
     }
     return results;
 }
+/** Like resolveWorkspacePackages but INCLUDES private packages and exposes the
+ *  workspaces[] entry (relative path) for each. Use for build ordering, where
+ *  a private workspace package is still part of the dep graph. */
+export function resolveAllWorkspacePackages(rootDir) {
+    const rootPkg = readPackageJson(rootDir);
+    const workspaces = rootPkg.workspaces;
+    if (!Array.isArray(workspaces))
+        return [];
+    const results = [];
+    for (const entry of expandWorkspaceEntries(rootDir, workspaces)) {
+        const pkgDir = path.resolve(rootDir, entry);
+        const pkgJsonPath = path.join(pkgDir, 'package.json');
+        if (!fs.existsSync(pkgJsonPath))
+            continue;
+        const pkg = readPackageJson(pkgDir);
+        results.push({ name: pkg.name || entry, dir: pkgDir, pkg, entry });
+    }
+    return results;
+}
+/** Workspace-root build with `npm run ... --workspaces` runs sub-packages in
+ *  workspaces[] array order. If that order doesn't match topological dep order,
+ *  a consumer can be compiled against a sibling whose .d.ts/.js is still stale.
+ *  Temporarily rewrites workspaces[] to topological order for the build, then
+ *  restores it. Returns undefined if no rewrite is needed (or no build script
+ *  uses --workspaces). */
+function reorderWorkspacesForBuild(cwd, pkg, verbose) {
+    if (!Array.isArray(pkg.workspaces) || pkg.workspaces.length < 2)
+        return undefined;
+    const buildScript = typeof pkg.scripts?.build === 'string' ? pkg.scripts.build : '';
+    if (!buildScript.includes('--workspaces') && !buildScript.includes('-ws'))
+        return undefined;
+    const all = resolveAllWorkspacePackages(cwd);
+    if (all.length < 2)
+        return undefined;
+    const graph = buildDependencyGraph(all);
+    let order;
+    try {
+        order = topologicalSort(graph);
+    }
+    catch (e) {
+        console.error(colors.yellow(`  Skipping workspace reorder: ${e.message}`));
+        return undefined;
+    }
+    const nameToEntry = new Map();
+    for (const p of all)
+        nameToEntry.set(p.name, p.entry);
+    const newEntries = order
+        .map(n => nameToEntry.get(n))
+        .filter((e) => !!e);
+    // If the expanded current order already matches topological order AND has no
+    // globs, nothing to do. (When globs are present, npm expands them in fs order
+    // — we always need to write an explicit list.)
+    const original = pkg.workspaces.slice();
+    const hasGlob = original.some(e => e.includes('*'));
+    if (!hasGlob) {
+        const cur = original.map(e => e.replace(/\\/g, '/'));
+        if (cur.length === newEntries.length && cur.every((v, i) => v === newEntries[i])) {
+            return undefined;
+        }
+    }
+    pkg.workspaces = newEntries;
+    writePackageJson(cwd, pkg);
+    if (verbose) {
+        console.log(colors.dim(`  Reordered workspaces[] for topological build: ${newEntries.join(' → ')}`));
+    }
+    let restored = false;
+    return () => {
+        if (restored)
+            return;
+        restored = true;
+        try {
+            pkg.workspaces = original;
+            const onDisk = readPackageJson(cwd);
+            onDisk.workspaces = original;
+            writePackageJson(cwd, onDisk);
+        }
+        catch (e) {
+            console.error(colors.yellow(`  Warning: failed to restore workspaces[]: ${e.message}`));
+        }
+    };
+}
 /** Build a dependency graph among workspace packages. Returns Map<name, Set<depName>>. */
 export function buildDependencyGraph(packages) {
     const nameSet = new Set(packages.map(p => p.name));
@@ -1338,7 +1454,10 @@ function depResolves(startDir, depName) {
     }
 }
 /** Return declared deps (dependencies + devDependencies) that don't resolve from
- *  `pkgDir`. Skips `file:`/`workspace:`/`link:` specs — those are handled elsewhere.
+ *  `pkgDir`. Skips `workspace:`/`link:` specs (handled by workspace tooling /
+ *  rarely used). `file:` deps are checked: npm installs them as junctions
+ *  (Windows) or symlinks, and `fs.existsSync` traverses both, so a missing
+ *  file: dep is a real out-of-sync case worth flagging.
  *  A declared dep that doesn't resolve means `package.json` and installed
  *  `node_modules/` are out of sync (e.g. dep added but `npm install` not re-run). */
 export function missingDeps(pkgDir, pkg) {
@@ -1350,7 +1469,7 @@ export function missingDeps(pkgDir, pkg) {
         for (const [name, spec] of Object.entries(deps)) {
             if (typeof spec !== 'string')
                 continue;
-            if (spec.startsWith('file:') || spec.startsWith('workspace:') || spec.startsWith('link:'))
+            if (spec.startsWith('workspace:') || spec.startsWith('link:'))
                 continue;
             if (!depResolves(pkgDir, name))
                 missing.push(name);
@@ -3281,25 +3400,34 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
             ensureFileDepModules(cwd, verbose);
         console.log(`${timestamp()} Running build...`);
         if (!dryRun) {
-            // Always capture output so we can extract tsc errors for the summary
-            const buildResult = runCommand('npm', ['run', 'build'], { cwd, silent: true });
-            if (!buildResult.success) {
-                const buildOutput = buildResult.stderr || buildResult.output;
-                if (buildOutput)
-                    console.error(buildOutput);
-                console.error(colors.red('ERROR: Build failed'));
-                diagnoseBuildFailure(buildOutput || '', cwd);
-                const firstErr = extractFirstTscError(buildOutput || '');
-                recordBuildIssue(pkg.name || path.basename(cwd), 'error', firstErr || 'Build failed');
-                if (!force) {
-                    return false;
+            // For workspace roots whose build invokes `--workspaces`, npm uses
+            // workspaces[] array order; rewrite to topological order so deps build
+            // before consumers (avoids stale-.d.ts errors in cross-package imports).
+            const restoreWorkspaces = reorderWorkspacesForBuild(cwd, pkg, verbose);
+            try {
+                // Always capture output so we can extract tsc errors for the summary
+                const buildResult = runCommand('npm', ['run', 'build'], { cwd, silent: true });
+                if (!buildResult.success) {
+                    const buildOutput = buildResult.stderr || buildResult.output;
+                    if (buildOutput)
+                        console.error(buildOutput);
+                    console.error(colors.red('ERROR: Build failed'));
+                    diagnoseBuildFailure(buildOutput || '', cwd);
+                    const firstErr = extractFirstTscError(buildOutput || '');
+                    recordBuildIssue(pkg.name || path.basename(cwd), 'error', firstErr || 'Build failed');
+                    if (!force) {
+                        return false;
+                    }
+                    console.log(colors.yellow('Continuing with --force despite build failure...'));
+                }
+                else {
+                    if (verbose && buildResult.output)
+                        process.stdout.write(buildResult.output);
+                    console.log(`${timestamp()} ${colors.green('✓ Build succeeded')}`);
                 }
-                console.log(colors.yellow('Continuing with --force despite build failure...'));
             }
-            else {
-                if (verbose && buildResult.output)
-                    process.stdout.write(buildResult.output);
-                console.log(`${timestamp()} ${colors.green('✓ Build succeeded')}`);
+            finally {
+                restoreWorkspaces?.();
             }
         }
         else {
@@ -3919,11 +4047,29 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     }
     // Re-check git status after all transformations and potential commits
     currentGitStatus = getGitStatus(cwd);
+    // If no -m given, fall back to .commitmsg file contents (one-shot changelog entry).
+    // Consumed (appended to npmchanges.md + deleted) only after a successful publish.
+    const commitMsgPath = path.join(cwd, '.commitmsg');
+    let commitMsgFromFile = null;
+    let effectiveMessage = message;
+    if (!effectiveMessage && fs.existsSync(commitMsgPath)) {
+        try {
+            const content = fs.readFileSync(commitMsgPath, 'utf-8').trim();
+            if (content) {
+                commitMsgFromFile = content;
+                effectiveMessage = content;
+                console.log(colors.cyan(`  Using .commitmsg for commit message (${content.split('\n')[0].slice(0, 60)}${content.length > 60 ? '…' : ''})`));
+            }
+        }
+        catch (err) {
+            console.error(colors.yellow(`  Warning: could not read .commitmsg: ${err.message}`));
+        }
+    }
     // Check if there are changes to commit or a custom message
     // Skip this check for first publish (currentAccess null) or just-initialized repos
     const isFirstPublish = !currentAccess;
     let skipVersionBump = false;
-    if (!currentGitStatus.hasUncommitted && !message && !justInitialized && !isFirstPublish) {
+    if (!currentGitStatus.hasUncommitted && !effectiveMessage && !justInitialized && !isFirstPublish) {
         // Check if the current version is actually on npm (it might have failed to publish previously)
         const versionCheck = spawnSafe('npm', ['view', `${pkg.name}@${pkg.version}`, 'version'], {
             shell: process.platform === 'win32',
@@ -4074,7 +4220,7 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     }
     // Git operations
     if (currentGitStatus.hasUncommitted) {
-        const commitMsg = message || 'Pre-release commit';
+        const commitMsg = effectiveMessage || 'Pre-release commit';
         console.log(`${timestamp()} Committing changes: ${commitMsg}`);
         if (!dryRun) {
             // Remove 'nul' files that break git on Windows
@@ -4701,6 +4847,36 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
         const finalAccess = effectiveNpmVisibility || currentAccess || (isScoped ? 'restricted' : 'public');
         const accessLabel = (finalAccess === 'restricted' || finalAccess === 'private') ? 'PRIVATE' : 'PUBLIC';
         console.log(`${timestamp()} ${colors.green(`✓ Published to npm as ${accessLabel}`)}`);
+        // Consume .commitmsg: append to npmchanges.md, delete the file, commit+push.
+        // Only runs if .commitmsg was actually used as the commit message.
+        if (commitMsgFromFile) {
+            try {
+                const publishedVersion = readPackageJson(cwd).version;
+                const npmChangesPath = path.join(cwd, 'npmchanges.md');
+                const date = new Date().toISOString().slice(0, 10);
+                const header = `## v${publishedVersion} — ${date}\n\n`;
+                const entry = header + commitMsgFromFile.trim() + '\n\n';
+                const existing = fs.existsSync(npmChangesPath)
+                    ? fs.readFileSync(npmChangesPath, 'utf-8')
+                    : '# npm Publish Changes\n\n';
+                const sep = existing.endsWith('\n') ? '' : '\n';
+                fs.writeFileSync(npmChangesPath, existing + sep + entry);
+                try {
+                    fs.unlinkSync(commitMsgPath);
+                }
+                catch { /* ignore */ }
+                runCommand('git', ['add', 'npmchanges.md', '.commitmsg'], { cwd, silent: true });
+                const logResult = gitCommit(`Log v${publishedVersion} to npmchanges.md`, cwd);
+                if (logResult.success) {
+                    console.log(colors.green(`  ✓ Appended to npmchanges.md and removed .commitmsg`));
+                    if (currentGitStatus.hasRemote)
+                        pushWithProtection(cwd, verbose);
+                }
+            }
+            catch (err) {
+                console.error(colors.yellow(`  Warning: could not update npmchanges.md: ${err.message}`));
+            }
+        }
     }
     else {
         console.log(`  [dry-run] Would run: npm publish ${quiet ? '--quiet' : ''}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.160",
+  "version": "1.0.162",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",