@dk/hipp 0.1.31 → 0.1.33

  1. package/README.md +19 -15
  2. package/hipp.js +13 -15
  3. package/package.json +1 -1
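--- a/package/README.md
+++ b/package/README.md
@@ -4,7 +4,7 @@ By Dmytri Kleiner <dev@dmytri.to>
 
 **HIPP** is a minimalist, stateless publishing tool that eliminates version-bump
 commits and merge conflicts by treating Git Tags as the single source of truth.
-Your `package.json` version stays permanently at `0.0.0`.
+Your `package.json` version stays at `0.0.0` (or matches your latest tag).
 
 ---
 
@@ -22,10 +22,10 @@ This creates a **State Conflict**:
 
 ## The Solution
 
-**HIPP makes `package.json` version immutable (0.0.0)** - the **HIPP Doctrine**.
-
-Version is extracted directly from the Git Tag during publish. Your Git history
-stays clean, and your registry package is guaranteed to match your Git tag.
+**HIPP makes Git tags the source of truth** - the version is always extracted
+from the tag, not `package.json`. You can leave `package.json` at `0.0.0` (HIPP
+rewrites it during publish) or keep it in sync with your tag (HIPP verifies the
+match).
 
 ---
 
@@ -33,13 +33,17 @@ stays clean, and your registry package is guaranteed to match your Git tag.
 
 ### Setup
 
-1. Set your project's `package.json` version to `0.0.0`:
+Set your project's `package.json` version to `0.0.0`, or leave it in sync with
+your latest tag. The git tag is always the source of truth.
 
 ```json
 { "name": "your-package", "version": "0.0.0" }
 ```
 
-2. Ensure `package-lock.json` exists and is tracked by git.
+`0.0.0` is preferred — it eliminates version-bump commits and merge conflicts.
+If your tooling requires a real version, leave it in sync with your latest tag.
+
+Ensure `package-lock.json` exists and is tracked by git.
 
 ### Tag and Publish
 
@@ -68,7 +72,7 @@ npx @dk/hipp -- --access public --tag beta
 HIPP will:
 
 1. **Key Generation**: Generate Ed25519 signing keys if needed (`hipp.priv`, `hipp.pub`)
-2. **Verify**: Ensure the `0.0.0` doctrine is being followed
+2. **Verify**: Ensure `package.json` version is `0.0.0` or matches the git tag
 3. **Clean Check**: Ensure your git status is clean
 4. **Validate**: Extract and verify the latest tag against Semver rules
 5. **Sign**: Create a cryptographic manifest of your package content
@@ -219,7 +223,7 @@ package, but only private key holders can publish.
 
 HIPP enforces strict integrity rules when publishing:
 
-- `package.json` version must be `0.0.0`
+- `package.json` version must be `0.0.0` or match the git tag
 - `package-lock.json` must exist and be tracked by git
 - `npm ci --ignore-scripts --dry-run` must succeed
 - Repository must be clean
@@ -253,21 +257,21 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.31
+npx @dk/hipp verify @dk/hipp@0.1.33
 ```
 
 ```json
 {
 "origin": "git@github.com:dmytri/hipp.git",
-"tag": "v0.1.31",
-"revision": "270b281d7bf0e908b7c267fb87f9f68e3dc2be86",
-"hash": "1085bdf7d5774cae5d64236a18e95c95c8d2d198ae22e9f8cfa2c10afd0fe57b",
-"signature": "mPj1cIun7czw0TQmsWkq/HEq7O+ZdTUQrMhTRZ8Cm4Z23dYu/G/m/itzyC2x/kBRVW+8h+m399acusrSArCzBA==",
+"tag": "v0.1.33",
+"revision": "9374cd1fb9e8046983abaebd21f4812bcc80ef5a",
+"hash": "bb54c711b30be14366f26749253801f8a9ac13efaa774d2aa5f6044f5f9980bb",
+"signature": "U7oLJCB+Efv5tWJ9Zy7kp4saa+i1K7Z7N8+vW6e0l0AZahQpTPhZiM1ZMC5MM5g8rxnjt/NxwwCUEacVoDiPCg==",
 "name": "Dmytri Kleiner",
 "email": "dev@dmytri.to",
 "npm": "11.12.1",
 "node": "v25.8.2",
 "git": "git version 2.47.3",
-"hipp": "0.1.31"
+"hipp": "0.1.33"
 }
 ```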
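--- a/package/hipp.js
+++ b/package/hipp.js
@@ -218,9 +218,9 @@ function getVersionFromExactTagOnHead() {
 }
 }
 
-function ensureCleanRepo(pkg) {
-if (pkg.version !== '0.0.0') {
-fail('❌ Integrity Violation: package.json version must be 0.0.0');
+function ensureCleanRepo(pkg, tagVersion) {
+if (pkg.version !== '0.0.0' && pkg.version !== tagVersion) {
+fail(`❌ Integrity Violation: package.json version must be 0.0.0 or match the git tag (v${tagVersion})`);
 }
 
 if (pkg.workspaces) {
@@ -676,7 +676,7 @@ async function run() {
 
 const { rawTag, version } = getVersionFromExactTagOnHead();
 
-ensureCleanRepo(pkg);
+ensureCleanRepo(pkg, version);
 
 const refInfo = ensureMutableRefPolicy();
 const provenance = ensureRemoteProvenance(rawTag, refInfo.head);
@@ -796,14 +796,12 @@ if (isVerify) {
 if (!hasSelf) {
 try {
 const pkg = JSON.parse(fs.readFileSync(path.join(process.cwd(), 'package.json'), 'utf8'));
-if (pkg.version === '0.0.0') {
-const rawTag = git(['describe', '--tags', '--exact-match', 'HEAD']);
-if (rawTag.startsWith('v')) {
-const tagVersion = semver.clean(rawTag);
-if (tagVersion) {
-runVerify(`${pkg.name}@${tagVersion}`);
-return;
-}
+const rawTag = git(['describe', '--tags', '--exact-match', 'HEAD']);
+if (rawTag.startsWith('v')) {
+const tagVersion = semver.clean(rawTag);
+if (tagVersion && (pkg.version === '0.0.0' || pkg.version === tagVersion)) {
+runVerify(`${pkg.name}@${tagVersion}`);
+return;
 }
 }
 } catch {}
@@ -822,8 +820,8 @@ Usage:
 npx hipp verify [@package[@version]]
 npx hipp verify --self
 
-Without arguments: in a hipp repo (package.json version 0.0.0 with a
-semver tag on HEAD), verifies the published package at that version.
+Without arguments: in a hipp repo (package.json version 0.0.0 or matching
+a semver tag on HEAD), verifies the published package at that version.
 Otherwise verifies @dk/hipp itself.
 --self: always verifies @dk/hipp.
 
@@ -837,7 +835,7 @@ Verify: Downloads npm tarball, clones git at tag, runs all three verification ch
 3. Rebuild verification (npm tarball equals git rebuild with manifest+version)
 
 Integrity rules:
-- package.json version must be 0.0.0
+- package.json version must be 0.0.0 or match the git tag
 - package-lock.json must exist and be tracked
 - npm ci --ignore-scripts --dry-run must succeed
 - repository must be clean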
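Review bot: In the `if (isVerify)` hunk (`@@ -796`), `git(['describe', '--tags', '--exact-match', 'HEAD'])` is now executed unconditionally before the `package.json` version is consulted, so the no-argument `verify` path relies entirely on the surrounding `catch {}` to recover in a checkout whose HEAD carries no exact tag; if `git()` reports failure by calling `fail()` or exiting rather than by throwing (its definition is outside this hunk), that case no longer falls through to verifying `@dk/hipp` itself. Worth confirming against `git()`'s error contract, and since the empty `catch {}` also hides `package.json` read and parse errors, a comment such as `} catch { /* not a hipp repo or no exact tag on HEAD: fall back to verifying @dk/hipp */ }` would at least record that the swallow is deliberate. In `ensureCleanRepo` (`@@ -218`), the match is an exact string comparison with `tagVersion`, which is stricter than semver equality (a differently formatted but semver-equal `package.json` version is still rejected); that is the safer choice for an integrity check, but the failure message could say "exactly match" so users do not expect normalisation. Both the `run()` body and the `if (isVerify)` block start and end outside their hunks.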
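--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@dk/hipp",
-"version": "0.1.31",
+"version": "0.1.33",
 "description": "High Integrity Package Publisher",
 "main": "hipp.js",
 "bin": {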