@bobfrankston/npmglobalize 1.0.180 → 1.0.181

package/README.md

@@ -427,13 +427,18 @@ Workspace mode is auto-detected when run from a root with `"private": true` and
                 history instead of creating a fresh repo.
 -adopt          Strict adopt: require a reachable git remote in
                 package.json.repository. Abort if probe fails. Skips prompt.
--no-import-check, -no-imports
-                Skip the undeclared-imports scan. By default, npmglobalize
-                scans .ts/.js source for imports of packages not declared in
-                any dependencies bucket and warns before publishing. The scan
-                catches silent runtime failures (ERR_MODULE_NOT_FOUND on a
-                clean install) where the import was resolving via a global or
-                parent node_modules at dev time but won't on the target host.
+-strict-imports, -import-check
+                Opt in to scanning .ts/.js source for imports of packages not
+                declared in any dependencies bucket. Off by default — the
+                always-declare style this enforces doesn't hold in monorepos
+                that rely on workspace cross-refs or the -public-deps cascade
+                (those produce noisy prompts that get dismissed reflexively,
+                which defeats the safety purpose). Use only on packages where
+                every import is meant to be a direct package.json declaration.
+                When it does fire, it catches silent runtime failures —
+                ERR_MODULE_NOT_FOUND on a clean install of a published tarball
+                that was resolving via an ambient parent/global node_modules
+                at dev time.
 -force          Continue despite git errors
 -dry-run        Preview what would happen
 -quiet          Suppress npm warnings (default)

package/cli.js

@@ -86,10 +86,12 @@ Other Options:
                   in package.json.repository if reachable, else fresh init)
   -adopt          Strict adopt: require a reachable git remote in
                   package.json.repository. Abort if probe fails. Skips prompt.
-  -no-import-check
-                  Skip the undeclared-imports scan. Default: scan runs and
-                  warns about packages imported in .ts/.js but missing from
-                  any dependencies bucket (catches silent runtime failures).
+  -strict-imports, -import-check
+                  Scan .ts/.js for imports not declared in any deps bucket and
+                  warn before publish. Off by default — the always-declare
+                  style this enforces doesn't hold for monorepos that rely on
+                  workspace cross-refs / -public-deps cascade. Opt in only
+                  when the assumption holds in your codebase.
   -force          Continue despite git errors
   -dry-run        Preview what would happen
   -quiet          Suppress npm warnings (default)
@@ -233,9 +235,9 @@ function parseArgs(args) {
             case '-adopt':
                 options.adopt = true;
                 break;
-            case '-no-import-check':
-            case '-no-imports':
-                options.noImportCheck = true;
+            case '-strict-imports':
+            case '-import-check':
+                options.importCheck = true;
                 break;
             case '-git':
                 i++;

package/lib.d.ts

@@ -119,8 +119,12 @@ export interface GlobalizeOptions {
      *  package.json.repository. Aborts (rather than creating a fresh repo) if
      *  the probe fails. Skips the no-git prompt. */
     adopt?: boolean;
-    /** Skip the undeclared-imports scan. Default false (scan runs). */
-    noImportCheck?: boolean;
+    /** Run the undeclared-imports scan (`-strict-imports`). Default false —
+     *  the scan assumes a style where every import is declared in the
+     *  consuming package's package.json, which doesn't hold for monorepos
+     *  that rely on workspace cross-refs / -public-deps cascade. Opt in when
+     *  the assumption holds. */
+    importCheck?: boolean;
     /** Internal: signals this call is from workspace orchestrator */
     /** Skip the upfront dep-graph prescan */
     noPrescan?: boolean;

package/lib.js

@@ -1346,8 +1346,13 @@ function collectSourceFiles(dir, acc = [], depth = 0) {
     }
     return acc;
 }
+/** npm package name rules (simplified): lowercase letters, digits, `-`, `_`, `.`,
+ *  optionally with an `@scope/` prefix. No spaces, no `<>`, no uppercase. */
+const NPM_NAME_RE = /^(@[a-z0-9_.~-]+\/)?[a-z0-9_.~-]+$/;
 /** Extract the package name from an ESM/CJS module specifier.
- *  Returns null for relative paths, absolute paths, URLs, node: builtins. */
+ *  Returns null for relative paths, absolute paths, URLs, node: builtins, and
+ *  anything that doesn't look like a valid npm package name (filters out
+ *  matches that landed in comments or string literals). */
 function specifierToPackageName(spec) {
     if (!spec)
         return null;
@@ -1361,11 +1366,22 @@ function specifierToPackageName(spec) {
         return null; // url/data
     if (spec.startsWith('#'))
         return null; // subpath import
+    let candidate;
     if (spec.startsWith('@')) {
         const parts = spec.split('/');
-        return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : null;
+        if (parts.length < 2)
+            return null;
+        candidate = `${parts[0]}/${parts[1]}`;
+    }
+    else {
+        candidate = spec.split('/')[0];
     }
-    return spec.split('/')[0];
+    // Reject anything that isn't a plausible npm name — this filters out
+    // matches inside string literals / comments like "Bob <bob@gmail.com>"
+    // or "All Inboxes" that slipped through the regex.
+    if (!NPM_NAME_RE.test(candidate))
+        return null;
+    return candidate;
 }
 const NODE_BUILTIN_NAMES = new Set(builtinModules);
 export function findUndeclaredImports(cwd, pkg) {
@@ -1377,14 +1393,17 @@ export function findUndeclaredImports(cwd, pkg) {
                 declared.add(n);
     }
     const selfName = pkg.name;
-    // One specifier per line is the common case; a few patterns cover the rest.
-    // We process line-by-line so we can report file:line and avoid pathological
-    // backtracking on huge files.
-    const FROM_RE = /\bfrom\s+['"]([^'"]+)['"]/g;
-    const BARE_IMPORT_RE = /(?:^|;|\s)import\s+['"]([^'"]+)['"]/g;
+    // Anchored to line start (with optional leading whitespace) so that a
+    // comment like `// imported from "Bob <bob@gmail.com>"` or an inline
+    // string literal `"received from 'x'"` can't trigger the regex. This is
+    // intentionally stricter than full JS parsing — minified one-line imports
+    // are missed, but those are vendor bundles where false negatives are far
+    // better than the false-positive noise.
+    const IMPORT_FROM_RE = /^\s*(?:import|export)\s(?:[^'"`;]+\s)?from\s+['"]([^'"]+)['"]/g;
+    const IMPORT_BARE_RE = /^\s*import\s+['"]([^'"]+)['"]/g;
     const DYNAMIC_RE = /(?:^|[^.\w$])import\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
     const REQUIRE_RE = /(?:^|[^.\w$])require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
-    const PATTERNS = [FROM_RE, BARE_IMPORT_RE, DYNAMIC_RE, REQUIRE_RE];
+    const PATTERNS = [IMPORT_FROM_RE, IMPORT_BARE_RE, DYNAMIC_RE, REQUIRE_RE];
     const findings = new Map();
     const files = collectSourceFiles(cwd);
     for (const f of files) {
@@ -3536,7 +3555,7 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
     const { bump = 'patch', noPublish = false, cleanup = false, install = false, link = false, wsl = false, force = false, files = true, dryRun = false, quiet = true, verbose = false, init = false, gitVisibility = 'private', npmVisibility = 'private', message, conform = false, asis = false, updateDeps = false, updateMajor = false, publishDeps = true, // Default to publishing deps for safety
     publishDepsYes = false, // -pd: auto-yes to dep-cascade prompts (private only)
     publicDeps = false, // -public-deps: cascade public visibility to all deps
-    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false, noImportCheck = false } = options;
+    noPrescan = false, forcePublish = false, fix = true, fixTags = false, rebase = false, show = false, local = false, freeze = false, usePaths = true, allowTs, adopt = false, importCheck = false } = options;
     // Show tool version only for recursive dep calls (CLI already prints it at startup)
     const toolVersion = getToolVersion();
     if (!options._fromWorkspace && !options._fromCli) {
@@ -3680,10 +3699,12 @@ export async function globalize(cwd, options = {}, configOptions = {}) {
         }
     }
     // Source-import scan — catches imports of packages not declared in
-    // dependencies/devDependencies/peer/optional. Runs by default; skip with
-    // -no-import-check. Only at the top level (deps in the cascade will be
-    // scanned when their own globalize() runs).
-    if (!noImportCheck && !cleanup && !options._fromDep && !options._fromWorkspace) {
+    // dependencies/devDependencies/peer/optional. Opt-in via -strict-imports
+    // because the always-declare style this check enforces doesn't hold in
+    // monorepos that rely on workspace cross-refs / -public-deps. Only at the
+    // top level (deps in the cascade will be scanned when their own
+    // globalize() runs).
+    if (importCheck && !cleanup && !options._fromDep && !options._fromWorkspace) {
         const scanPkg = readPackageJson(cwd);
         const undeclared = findUndeclaredImports(cwd, scanPkg);
         if (undeclared.length > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.180",
+  "version": "1.0.181",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",