@bobfrankston/npmglobalize 1.0.179 → 1.0.181

package/README.md

@@ -427,6 +427,18 @@ Workspace mode is auto-detected when run from a root with `"private": true` and
                 history instead of creating a fresh repo.
 -adopt          Strict adopt: require a reachable git remote in
                 package.json.repository. Abort if probe fails. Skips prompt.
+-strict-imports, -import-check
+                Opt in to scanning .ts/.js source for imports of packages not
+                declared in any dependencies bucket. Off by default — the
+                always-declare style this enforces doesn't hold in monorepos
+                that rely on workspace cross-refs or the -public-deps cascade
+                (those produce noisy prompts that get dismissed reflexively,
+                which defeats the safety purpose). Use only on packages where
+                every import is meant to be a direct package.json declaration.
+                When it does fire, it catches silent runtime failures —
+                ERR_MODULE_NOT_FOUND on a clean install of a published tarball
+                that was resolving via an ambient parent/global node_modules
+                at dev time.
 -force          Continue despite git errors
 -dry-run        Preview what would happen
 -quiet          Suppress npm warnings (default)

package/cli.js

@@ -86,6 +86,12 @@ Other Options:
                   in package.json.repository if reachable, else fresh init)
   -adopt          Strict adopt: require a reachable git remote in
                   package.json.repository. Abort if probe fails. Skips prompt.
+  -strict-imports, -import-check
+                  Scan .ts/.js for imports not declared in any deps bucket and
+                  warn before publish. Off by default — the always-declare
+                  style this enforces doesn't hold for monorepos that rely on
+                  workspace cross-refs / -public-deps cascade. Opt in only
+                  when the assumption holds in your codebase.
   -force          Continue despite git errors
   -dry-run        Preview what would happen
   -quiet          Suppress npm warnings (default)
@@ -229,6 +235,10 @@ function parseArgs(args) {
             case '-adopt':
                 options.adopt = true;
                 break;
+            case '-strict-imports':
+            case '-import-check':
+                options.importCheck = true;
+                break;
             case '-git':
                 i++;
                 if (args[i] === 'private' || args[i] === 'public') {

package/lib.d.ts

@@ -119,6 +119,12 @@ export interface GlobalizeOptions {
      *  package.json.repository. Aborts (rather than creating a fresh repo) if
      *  the probe fails. Skips the no-git prompt. */
     adopt?: boolean;
+    /** Run the undeclared-imports scan (`-strict-imports`). Default false —
+     *  the scan assumes a style where every import is declared in the
+     *  consuming package's package.json, which doesn't hold for monorepos
+     *  that rely on workspace cross-refs / -public-deps cascade. Opt in when
+     *  the assumption holds. */
+    importCheck?: boolean;
     /** Internal: signals this call is from workspace orchestrator */
     /** Skip the upfront dep-graph prescan */
     noPrescan?: boolean;
@@ -260,6 +266,12 @@ export interface PrescanIssue {
     message: string;
     suggestion?: string;
 }
+export interface UndeclaredImport {
+    name: string;
+    file: string;
+    line: number;
+}
+export declare function findUndeclaredImports(cwd: string, pkg: any): UndeclaredImport[];
 /** Walk the full file: dep graph and collect issues up front — missing scopes,
  *  unresolvable paths, missing package.json, unpublished transitives. Lets the
  *  user resolve all problems before starting the publish cascade instead of

package/lib.js

@@ -13,6 +13,7 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import { execSync, spawn, spawnSync } from 'child_process';
+import { builtinModules } from 'module';
 import { readConfig as readUserConfig, writeConfig as writeUserConfig, configDir } from '@bobfrankston/userconfig';
 import { freezeDependencies } from '@bobfrankston/freezepak';
 import { importgen as runImportgen } from '@bobfrankston/importgen';
@@ -1304,6 +1305,149 @@ function printDepTree(baseDir, indent = 0, visited = new Set()) {
         }
     }
 }
+/** Source-import scan: finds package imports in .ts/.js that aren't declared
+ *  in any of the package.json dep buckets. Catches the failure mode where a
+ *  file imports `@scope/thing` but no one ever added it to dependencies — the
+ *  tarball publishes "fine" and crashes with ERR_MODULE_NOT_FOUND on install.
+ *  The previously-working case usually relies on a global/parent copy that
+ *  Node ESM resolution happened to find. */
+const SOURCE_SKIP_DIRS = new Set([
+    'node_modules', 'prev', '.git', 'dist', 'build', 'out',
+    'coverage', '.next', '.nuxt', '.turbo', '.cache'
+]);
+function collectSourceFiles(dir, acc = [], depth = 0) {
+    if (depth > 12)
+        return acc;
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return acc;
+    }
+    for (const ent of entries) {
+        const name = ent.name;
+        if (ent.isDirectory()) {
+            if (SOURCE_SKIP_DIRS.has(name))
+                continue;
+            if (name.startsWith('.'))
+                continue; // .git, .vscode, .idea, etc.
+            collectSourceFiles(path.join(dir, name), acc, depth + 1);
+        }
+        else if (ent.isFile()) {
+            if (name.endsWith('.d.ts') || name.endsWith('.map'))
+                continue;
+            if (name.endsWith('.ts') || name.endsWith('.tsx')
+                || name.endsWith('.js') || name.endsWith('.jsx')
+                || name.endsWith('.mjs') || name.endsWith('.cjs')) {
+                acc.push(path.join(dir, name));
+            }
+        }
+    }
+    return acc;
+}
+/** npm package name rules (simplified): lowercase letters, digits, `-`, `_`, `.`,
+ *  optionally with an `@scope/` prefix. No spaces, no `<>`, no uppercase. */
+const NPM_NAME_RE = /^(@[a-z0-9_.~-]+\/)?[a-z0-9_.~-]+$/;
+/** Extract the package name from an ESM/CJS module specifier.
+ *  Returns null for relative paths, absolute paths, URLs, node: builtins, and
+ *  anything that doesn't look like a valid npm package name (filters out
+ *  matches that landed in comments or string literals). */
+function specifierToPackageName(spec) {
+    if (!spec)
+        return null;
+    if (spec.startsWith('.'))
+        return null; // ./ or ../
+    if (spec.startsWith('/'))
+        return null; // /abs
+    if (spec.startsWith('node:'))
+        return null; // node:fs
+    if (/^[a-z][a-z0-9+.-]*:/i.test(spec))
+        return null; // url/data
+    if (spec.startsWith('#'))
+        return null; // subpath import
+    let candidate;
+    if (spec.startsWith('@')) {
+        const parts = spec.split('/');
+        if (parts.length < 2)
+            return null;
+        candidate = `${parts[0]}/${parts[1]}`;
+    }
+    else {
+        candidate = spec.split('/')[0];
+    }
+    // Reject anything that isn't a plausible npm name — this filters out
+    // matches inside string literals / comments like "Bob <bob@gmail.com>"
+    // or "All Inboxes" that slipped through the regex.
+    if (!NPM_NAME_RE.test(candidate))
+        return null;
+    return candidate;
+}
+const NODE_BUILTIN_NAMES = new Set(builtinModules);
+export function findUndeclaredImports(cwd, pkg) {
+    const declared = new Set();
+    for (const k of DEP_KEYS) {
+        const bucket = pkg[k] || pkg['.' + k]; // also consult the backup bucket if a transform is pending
+        if (bucket)
+            for (const n of Object.keys(bucket))
+                declared.add(n);
+    }
+    const selfName = pkg.name;
+    // Anchored to line start (with optional leading whitespace) so that a
+    // comment like `// imported from "Bob <bob@gmail.com>"` or an inline
+    // string literal `"received from 'x'"` can't trigger the regex. This is
+    // intentionally stricter than full JS parsing — minified one-line imports
+    // are missed, but those are vendor bundles where false negatives are far
+    // better than the false-positive noise.
+    const IMPORT_FROM_RE = /^\s*(?:import|export)\s(?:[^'"`;]+\s)?from\s+['"]([^'"]+)['"]/g;
+    const IMPORT_BARE_RE = /^\s*import\s+['"]([^'"]+)['"]/g;
+    const DYNAMIC_RE = /(?:^|[^.\w$])import\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    const REQUIRE_RE = /(?:^|[^.\w$])require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    const PATTERNS = [IMPORT_FROM_RE, IMPORT_BARE_RE, DYNAMIC_RE, REQUIRE_RE];
+    const findings = new Map();
+    const files = collectSourceFiles(cwd);
+    for (const f of files) {
+        let content;
+        try {
+            content = fs.readFileSync(f, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        // Quick reject: no import/require keyword anywhere → skip
+        if (!/\bimport\b|\brequire\s*\(/.test(content))
+            continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            for (const re of PATTERNS) {
+                re.lastIndex = 0;
+                let m;
+                while ((m = re.exec(line))) {
+                    const spec = m[1];
+                    const pkgName = specifierToPackageName(spec);
+                    if (!pkgName)
+                        continue;
+                    if (NODE_BUILTIN_NAMES.has(pkgName))
+                        continue;
+                    if (pkgName === selfName)
+                        continue;
+                    if (declared.has(pkgName))
+                        continue;
+                    if (!findings.has(pkgName)) {
+                        findings.set(pkgName, {
+                            file: path.relative(cwd, f).replace(/\\/g, '/'),
+                            line: i + 1
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return [...findings.entries()]
+        .map(([name, loc]) => ({ name, ...loc }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+}
 /** Walk the full file: dep graph and collect issues up front — missing scopes,
  *  unresolvable paths, missing package.json, unpublished transitives. Lets the
  *  user resolve all problems before starting the publish cascade instead of
@@ -3411,7 +3555,7 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     const { bump = 'patch', noPublish = false, cleanup = false, install = false, link = false, wsl = false, force = false, files = true, dryRun = false, quiet = true, verbose = false, init = false, gitVisibility = 'private', npmVisibility = 'private', message, conform = false, asis = false, updateDeps = false, updateMajor = false, publishDeps = true, // Default to publishing deps for safety
     publishDepsYes = false, // -pd: auto-yes to dep-cascade prompts (private only)
     publicDeps = false, // -public-deps: cascade public visibility to all deps
-    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false } = options;
+    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false, importCheck = false } = options;
     // Show tool version only for recursive dep calls (CLI already prints it at startup)
     const toolVersion = getToolVersion();
     if (!options._fromWorkspace && !options._fromCli) {
@@ -3554,6 +3698,43 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
             console.log(colors.dim('Prescan: no issues found in dep graph.'));
         }
     }
+    // Source-import scan — catches imports of packages not declared in
+    // dependencies/devDependencies/peer/optional. Opt-in via -strict-imports
+    // because the always-declare style this check enforces doesn't hold in
+    // monorepos that rely on workspace cross-refs / -public-deps. Only at the
+    // top level (deps in the cascade will be scanned when their own
+    // globalize() runs).
+    if (importCheck && !cleanup && !options._fromDep && !options._fromWorkspace) {
+        const scanPkg = readPackageJson(cwd);
+        const undeclared = findUndeclaredImports(cwd, scanPkg);
+        if (undeclared.length > 0) {
+            console.log('');
+            console.log(colors.yellow(`Undeclared imports found (${undeclared.length}):`));
+            for (const u of undeclared) {
+                console.log(colors.yellow(`  ${u.name}`)
+                    + colors.dim(`  (${u.file}:${u.line})`));
+            }
+            console.log(colors.dim('  These packages are imported but not in any package.json dep bucket.'));
+            console.log(colors.dim('  After publish, `npm install` won\'t pull them and the package will'));
+            console.log(colors.dim('  crash with ERR_MODULE_NOT_FOUND on a clean install.'));
+            const interactive = !init && !options.autoInit && !publishDepsYes && !dryRun;
+            if (interactive) {
+                const ok = await confirm('Continue anyway?', false);
+                if (!ok) {
+                    console.log('Aborted. Add the missing packages to dependencies and re-run.');
+                    console.log(colors.dim('  Tip: for siblings, use "file:../<dir>"; otherwise add the latest published version.'));
+                    return false;
+                }
+            }
+            else {
+                console.log(colors.yellow('  (non-interactive mode — continuing, but the install will likely fail at runtime)'));
+            }
+            console.log('');
+        }
+        else if (verbose) {
+            console.log(colors.dim('Import scan: all imports are declared.'));
+        }
+    }
     // Check ignore files first (unless cleanup mode)
     if (!cleanup && !asis) {
         const checkResult = checkIgnoreFiles(cwd, { conform, asis, verbose, allowTs });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.179",
+  "version": "1.0.181",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",