@bobfrankston/npmglobalize 1.0.179 → 1.0.180

package/README.md

@@ -427,6 +427,13 @@ Workspace mode is auto-detected when run from a root with `"private": true` and
                 history instead of creating a fresh repo.
 -adopt          Strict adopt: require a reachable git remote in
                 package.json.repository. Abort if probe fails. Skips prompt.
+-no-import-check, -no-imports
+                Skip the undeclared-imports scan. By default, npmglobalize
+                scans .ts/.js source for imports of packages not declared in
+                any dependencies bucket and warns before publishing. The scan
+                catches silent runtime failures (ERR_MODULE_NOT_FOUND on a
+                clean install) where the import was resolving via a global or
+                parent node_modules at dev time but won't on the target host.
 -force          Continue despite git errors
 -dry-run        Preview what would happen
 -quiet          Suppress npm warnings (default)

package/cli.js

@@ -86,6 +86,10 @@ Other Options:
                   in package.json.repository if reachable, else fresh init)
   -adopt          Strict adopt: require a reachable git remote in
                   package.json.repository. Abort if probe fails. Skips prompt.
+  -no-import-check
+                  Skip the undeclared-imports scan. Default: scan runs and
+                  warns about packages imported in .ts/.js but missing from
+                  any dependencies bucket (catches silent runtime failures).
   -force          Continue despite git errors
   -dry-run        Preview what would happen
   -quiet          Suppress npm warnings (default)
@@ -229,6 +233,10 @@ function parseArgs(args) {
             case '-adopt':
                 options.adopt = true;
                 break;
+            case '-no-import-check':
+            case '-no-imports':
+                options.noImportCheck = true;
+                break;
             case '-git':
                 i++;
                 if (args[i] === 'private' || args[i] === 'public') {

package/lib.d.ts

@@ -119,6 +119,8 @@ export interface GlobalizeOptions {
      *  package.json.repository. Aborts (rather than creating a fresh repo) if
      *  the probe fails. Skips the no-git prompt. */
     adopt?: boolean;
+    /** Skip the undeclared-imports scan. Default false (scan runs). */
+    noImportCheck?: boolean;
     /** Internal: signals this call is from workspace orchestrator */
     /** Skip the upfront dep-graph prescan */
     noPrescan?: boolean;
@@ -260,6 +262,12 @@ export interface PrescanIssue {
     message: string;
     suggestion?: string;
 }
+export interface UndeclaredImport {
+    name: string;
+    file: string;
+    line: number;
+}
+export declare function findUndeclaredImports(cwd: string, pkg: any): UndeclaredImport[];
 /** Walk the full file: dep graph and collect issues up front — missing scopes,
  *  unresolvable paths, missing package.json, unpublished transitives. Lets the
  *  user resolve all problems before starting the publish cascade instead of

package/lib.js

@@ -13,6 +13,7 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import { execSync, spawn, spawnSync } from 'child_process';
+import { builtinModules } from 'module';
 import { readConfig as readUserConfig, writeConfig as writeUserConfig, configDir } from '@bobfrankston/userconfig';
 import { freezeDependencies } from '@bobfrankston/freezepak';
 import { importgen as runImportgen } from '@bobfrankston/importgen';
@@ -1304,6 +1305,130 @@ function printDepTree(baseDir, indent = 0, visited = new Set()) {
         }
     }
 }
+/** Source-import scan: finds package imports in .ts/.js that aren't declared
+ *  in any of the package.json dep buckets. Catches the failure mode where a
+ *  file imports `@scope/thing` but no one ever added it to dependencies — the
+ *  tarball publishes "fine" and crashes with ERR_MODULE_NOT_FOUND on install.
+ *  The previously-working case usually relies on a global/parent copy that
+ *  Node ESM resolution happened to find. */
+const SOURCE_SKIP_DIRS = new Set([
+    'node_modules', 'prev', '.git', 'dist', 'build', 'out',
+    'coverage', '.next', '.nuxt', '.turbo', '.cache'
+]);
+function collectSourceFiles(dir, acc = [], depth = 0) {
+    if (depth > 12)
+        return acc;
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return acc;
+    }
+    for (const ent of entries) {
+        const name = ent.name;
+        if (ent.isDirectory()) {
+            if (SOURCE_SKIP_DIRS.has(name))
+                continue;
+            if (name.startsWith('.'))
+                continue; // .git, .vscode, .idea, etc.
+            collectSourceFiles(path.join(dir, name), acc, depth + 1);
+        }
+        else if (ent.isFile()) {
+            if (name.endsWith('.d.ts') || name.endsWith('.map'))
+                continue;
+            if (name.endsWith('.ts') || name.endsWith('.tsx')
+                || name.endsWith('.js') || name.endsWith('.jsx')
+                || name.endsWith('.mjs') || name.endsWith('.cjs')) {
+                acc.push(path.join(dir, name));
+            }
+        }
+    }
+    return acc;
+}
+/** Extract the package name from an ESM/CJS module specifier.
+ *  Returns null for relative paths, absolute paths, URLs, node: builtins. */
+function specifierToPackageName(spec) {
+    if (!spec)
+        return null;
+    if (spec.startsWith('.'))
+        return null; // ./ or ../
+    if (spec.startsWith('/'))
+        return null; // /abs
+    if (spec.startsWith('node:'))
+        return null; // node:fs
+    if (/^[a-z][a-z0-9+.-]*:/i.test(spec))
+        return null; // url/data
+    if (spec.startsWith('#'))
+        return null; // subpath import
+    if (spec.startsWith('@')) {
+        const parts = spec.split('/');
+        return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : null;
+    }
+    return spec.split('/')[0];
+}
+const NODE_BUILTIN_NAMES = new Set(builtinModules);
+export function findUndeclaredImports(cwd, pkg) {
+    const declared = new Set();
+    for (const k of DEP_KEYS) {
+        const bucket = pkg[k] || pkg['.' + k]; // also consult the backup bucket if a transform is pending
+        if (bucket)
+            for (const n of Object.keys(bucket))
+                declared.add(n);
+    }
+    const selfName = pkg.name;
+    // One specifier per line is the common case; a few patterns cover the rest.
+    // We process line-by-line so we can report file:line and avoid pathological
+    // backtracking on huge files.
+    const FROM_RE = /\bfrom\s+['"]([^'"]+)['"]/g;
+    const BARE_IMPORT_RE = /(?:^|;|\s)import\s+['"]([^'"]+)['"]/g;
+    const DYNAMIC_RE = /(?:^|[^.\w$])import\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    const REQUIRE_RE = /(?:^|[^.\w$])require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    const PATTERNS = [FROM_RE, BARE_IMPORT_RE, DYNAMIC_RE, REQUIRE_RE];
+    const findings = new Map();
+    const files = collectSourceFiles(cwd);
+    for (const f of files) {
+        let content;
+        try {
+            content = fs.readFileSync(f, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        // Quick reject: no import/require keyword anywhere → skip
+        if (!/\bimport\b|\brequire\s*\(/.test(content))
+            continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            for (const re of PATTERNS) {
+                re.lastIndex = 0;
+                let m;
+                while ((m = re.exec(line))) {
+                    const spec = m[1];
+                    const pkgName = specifierToPackageName(spec);
+                    if (!pkgName)
+                        continue;
+                    if (NODE_BUILTIN_NAMES.has(pkgName))
+                        continue;
+                    if (pkgName === selfName)
+                        continue;
+                    if (declared.has(pkgName))
+                        continue;
+                    if (!findings.has(pkgName)) {
+                        findings.set(pkgName, {
+                            file: path.relative(cwd, f).replace(/\\/g, '/'),
+                            line: i + 1
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return [...findings.entries()]
+        .map(([name, loc]) => ({ name, ...loc }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+}
 /** Walk the full file: dep graph and collect issues up front — missing scopes,
  *  unresolvable paths, missing package.json, unpublished transitives. Lets the
  *  user resolve all problems before starting the publish cascade instead of
@@ -3411,7 +3536,7 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     const { bump = 'patch', noPublish = false, cleanup = false, install = false, link = false, wsl = false, force = false, files = true, dryRun = false, quiet = true, verbose = false, init = false, gitVisibility = 'private', npmVisibility = 'private', message, conform = false, asis = false, updateDeps = false, updateMajor = false, publishDeps = true, // Default to publishing deps for safety
     publishDepsYes = false, // -pd: auto-yes to dep-cascade prompts (private only)
     publicDeps = false, // -public-deps: cascade public visibility to all deps
-    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false } = options;
+    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false, noImportCheck = false } = options;
     // Show tool version only for recursive dep calls (CLI already prints it at startup)
     const toolVersion = getToolVersion();
     if (!options._fromWorkspace && !options._fromCli) {
@@ -3554,6 +3679,41 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
             console.log(colors.dim('Prescan: no issues found in dep graph.'));
         }
     }
+    // Source-import scan — catches imports of packages not declared in
+    // dependencies/devDependencies/peer/optional. Runs by default; skip with
+    // -no-import-check. Only at the top level (deps in the cascade will be
+    // scanned when their own globalize() runs).
+    if (!noImportCheck && !cleanup && !options._fromDep && !options._fromWorkspace) {
+        const scanPkg = readPackageJson(cwd);
+        const undeclared = findUndeclaredImports(cwd, scanPkg);
+        if (undeclared.length > 0) {
+            console.log('');
+            console.log(colors.yellow(`Undeclared imports found (${undeclared.length}):`));
+            for (const u of undeclared) {
+                console.log(colors.yellow(`  ${u.name}`)
+                    + colors.dim(`  (${u.file}:${u.line})`));
+            }
+            console.log(colors.dim('  These packages are imported but not in any package.json dep bucket.'));
+            console.log(colors.dim('  After publish, `npm install` won\'t pull them and the package will'));
+            console.log(colors.dim('  crash with ERR_MODULE_NOT_FOUND on a clean install.'));
+            const interactive = !init && !options.autoInit && !publishDepsYes && !dryRun;
+            if (interactive) {
+                const ok = await confirm('Continue anyway?', false);
+                if (!ok) {
+                    console.log('Aborted. Add the missing packages to dependencies and re-run.');
+                    console.log(colors.dim('  Tip: for siblings, use "file:../<dir>"; otherwise add the latest published version.'));
+                    return false;
+                }
+            }
+            else {
+                console.log(colors.yellow('  (non-interactive mode — continuing, but the install will likely fail at runtime)'));
+            }
+            console.log('');
+        }
+        else if (verbose) {
+            console.log(colors.dim('Import scan: all imports are declared.'));
+        }
+    }
     // Check ignore files first (unless cleanup mode)
     if (!cleanup && !asis) {
         const checkResult = checkIgnoreFiles(cwd, { conform, asis, verbose, allowTs });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.179",
+  "version": "1.0.180",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",