@gjsify/cli 0.4.27 → 0.4.29

package/lib/commands/lint.js

@@ -1,14 +1,16 @@
-// `gjsify lint` — wraps biome's `lint` mode.
+// `gjsify lint` — wraps oxlint.
 //
-// Sibling of `gjsify format`. Spawns biome from node_modules directly
-// (no Node launcher). Default behaviour: report-only. Pass `--write`
-// for biome's safe-fix mode, or use `gjsify fix` for the combined
-// format + safe-lint-fix + organize-imports surface.
+// Sibling of `gjsify format`. Spawns oxlint via its Node launcher
+// (`node_modules/oxlint/bin/oxlint` → `dist/cli.js`) — NOT a bare binary —
+// because oxlint's JS-plugin host (used by the internal
+// `oxlint-plugin-gjsify` rule) lives in the JS launcher. Default behaviour:
+// report-only. Pass `--fix` for oxlint's safe-fix mode, or use `gjsify fix`
+// for the combined oxfmt + oxlint --fix surface.
 import { resolve } from 'node:path';
-import { BiomeNotFoundError, findBiomeConfig, printBiomeNotFound, runBiome, } from '../utils/biome-resolve.js';
+import { OxcNotFoundError, findOxlintConfig, printOxcNotFound, runOxlint } from '../utils/oxc-resolve.js';
 export const lintCommand = {
     command: 'lint [paths..]',
-    description: 'Run Biome lint diagnostics (native binary spawn — no Node launcher).',
+    description: 'Run oxlint diagnostics (spawned via its Node launcher to support JS plugins).',
     builder: (yargs) => {
         return yargs
             .positional('paths', {
@@ -16,41 +18,39 @@ export const lintCommand = {
             type: 'string',
             array: true,
         })
-            .option('write', {
+            .option('fix', {
             description: 'Apply safe lint fixes in place.',
             type: 'boolean',
             default: false,
         })
             .option('config-path', {
-            description: 'Path to a biome.json. Default: walks up from cwd to find one.',
+            description: 'Path to an .oxlintrc.json. Default: walks up from cwd to find one.',
             type: 'string',
             normalize: true,
         })
             .option('verbose', {
-            description: 'Echo the resolved biome binary + args before spawning.',
+            description: 'Echo the resolved oxlint launcher + args before spawning.',
             type: 'boolean',
             default: false,
         });
     },
     handler: async (args) => {
         const cwd = process.cwd();
-        const paths = args.paths?.length
-            ? args.paths
-            : ['.'];
-        const biomeArgs = ['lint'];
-        if (args.write)
-            biomeArgs.push('--write');
-        const configPath = args.configPath ?? findBiomeConfig(cwd) ?? undefined;
+        const paths = args.paths?.length ? args.paths : ['.'];
+        const oxlintArgs = [];
+        if (args.fix)
+            oxlintArgs.push('--fix');
+        const configPath = args.configPath ?? findOxlintConfig(cwd) ?? undefined;
         if (configPath)
-            biomeArgs.push(`--config-path=${resolve(configPath, '..')}`);
-        biomeArgs.push(...paths);
+            oxlintArgs.push('--config', resolve(configPath));
+        oxlintArgs.push(...paths);
         try {
-            const code = await runBiome(biomeArgs, { cwd, verbose: args.verbose });
+            const code = await runOxlint(oxlintArgs, { cwd, verbose: args.verbose });
             process.exitCode = code;
         }
         catch (err) {
-            if (err instanceof BiomeNotFoundError) {
-                printBiomeNotFound(err);
+            if (err instanceof OxcNotFoundError) {
+                printOxcNotFound(err);
                 process.exitCode = 1;
                 return;
             }

package/lib/commands/pack.js

@@ -113,15 +113,11 @@ export async function packWorkspace(wsDir, opts = {}) {
     // mutated it (e.g. a `prepack` that injects build metadata into
     // package.json fields). Rare but legal — npm pack does the same.
     const sourceAfterScripts = readFileSync(pkgPath, 'utf-8');
-    const pkgAfterScripts = sourceAfterScripts === originalSource
-        ? pkg
-        : JSON.parse(sourceAfterScripts);
+    const pkgAfterScripts = sourceAfterScripts === originalSource ? pkg : JSON.parse(sourceAfterScripts);
     // Rewrite workspace:^/~/* deps to resolved npm version ranges, mirroring
     // yarn's auto-rewrite at publish time. Done in-memory only — the source
     // package.json on disk is never mutated by `gjsify pack`.
-    const rewrittenPkg = opts.skipWorkspaceRewrite
-        ? pkgAfterScripts
-        : rewriteWorkspaceDeps(pkgAfterScripts, wsDir);
+    const rewrittenPkg = opts.skipWorkspaceRewrite ? pkgAfterScripts : rewriteWorkspaceDeps(pkgAfterScripts, wsDir);
     const rewrittenSource = JSON.stringify(rewrittenPkg, null, indentOf(sourceAfterScripts)) + '\n';
     // Collect files according to the package.json `files` field (or npm's
     // default set). The package.json itself is always included with the
@@ -148,9 +144,7 @@ export async function packWorkspace(wsDir, opts = {}) {
     const tarBytes = createTarball(entries);
     const gzipBytes = await gzip(tarBytes);
     // npm filename: scope replaced with leading dash. "@gjsify/foo" → "gjsify-foo".
-    const filenameBase = name.startsWith('@')
-        ? name.slice(1).replace('/', '-')
-        : name;
+    const filenameBase = name.startsWith('@') ? name.slice(1).replace('/', '-') : name;
     const filename = `${filenameBase}-${version}.tgz`;
     const sha1 = createHash('sha1').update(gzipBytes).digest('hex');
     const sha512 = createHash('sha512').update(gzipBytes).digest('base64');
@@ -188,7 +182,9 @@ export async function packWorkspace(wsDir, opts = {}) {
  */
 function collectFiles(wsDir, pkg) {
     const always = forceIncluded(pkg);
-    const filesField = Array.isArray(pkg.files) ? pkg.files.filter((f) => typeof f === 'string') : null;
+    const filesField = Array.isArray(pkg.files)
+        ? pkg.files.filter((f) => typeof f === 'string')
+        : null;
     let candidates;
     if (filesField) {
         candidates = expandFilesPatterns(wsDir, filesField);
@@ -208,12 +204,25 @@ function collectFiles(wsDir, pkg) {
     }
     return [...out].sort();
 }
-const ALWAYS_INCLUDED_BASENAMES = new Set(['package.json', 'README', 'README.md', 'LICENSE', 'LICENSE.md', 'NOTICE', 'NOTICE.md']);
 const NEVER_INCLUDED_BASENAMES = new Set([
-    '.git', '.svn', '.hg', '.gitignore', '.gitattributes', '.npmrc',
-    'CVS', '.DS_Store', 'node_modules', '.npmignore', 'package-lock.json',
-    'gjsify-lock.json', 'yarn.lock', 'yarn-error.log', '.yarn',
-    '.pnp.cjs', '.pnp.loader.mjs', 'tsconfig.tsbuildinfo',
+    '.git',
+    '.svn',
+    '.hg',
+    '.gitignore',
+    '.gitattributes',
+    '.npmrc',
+    'CVS',
+    '.DS_Store',
+    'node_modules',
+    '.npmignore',
+    'package-lock.json',
+    'gjsify-lock.json',
+    'yarn.lock',
+    'yarn-error.log',
+    '.yarn',
+    '.pnp.cjs',
+    '.pnp.loader.mjs',
+    'tsconfig.tsbuildinfo',
 ]);
 function forceIncluded(pkg) {
     const out = new Set();
@@ -292,7 +301,7 @@ function loadIgnore(wsDir) {
     const npmIgnorePath = join(wsDir, '.npmignore');
     const gitIgnorePath = join(wsDir, '.gitignore');
     const patterns = [];
-    const sourcePath = existsSync(npmIgnorePath) ? npmIgnorePath : (existsSync(gitIgnorePath) ? gitIgnorePath : null);
+    const sourcePath = existsSync(npmIgnorePath) ? npmIgnorePath : existsSync(gitIgnorePath) ? gitIgnorePath : null;
     if (sourcePath) {
         const lines = readFileSync(sourcePath, 'utf-8').split('\n');
         for (const raw of lines) {
@@ -319,7 +328,10 @@ function globToRegex(glob) {
     // Escape regex metachars except *,?,/
     pat = pat.replace(/[.+^${}()|[\]\\]/g, '\\$&');
     // ** → .*  *  → [^/]*  ? → [^/]
-    pat = pat.replace(/\*\*/g, '__DOUBLESTAR__').replace(/\*/g, '[^/]*').replace(/__DOUBLESTAR__/g, '.*');
+    pat = pat
+        .replace(/\*\*/g, '__DOUBLESTAR__')
+        .replace(/\*/g, '[^/]*')
+        .replace(/__DOUBLESTAR__/g, '.*');
     pat = pat.replace(/\?/g, '[^/]');
     return new RegExp(`^${pat}($|/)`);
 }

package/lib/commands/publish.d.ts

@@ -3,6 +3,7 @@ interface PublishOptions {
     path?: string;
     tag?: string;
     access?: string;
+    otp?: string;
     'tolerate-republish'?: boolean;
     'tolerate-untrusted-new'?: boolean;
     provenance?: boolean;

package/lib/commands/publish.js

@@ -36,9 +36,9 @@
 import { existsSync, readFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join, resolve } from 'node:path';
-import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders, } from '@gjsify/npm-registry';
+import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders } from '@gjsify/npm-registry';
 import { packWorkspace } from './pack.js';
-import { getNpmTrustedToken, hasGithubOidcEnv, OidcExchangeError, OidcUnavailableError, } from '../utils/npm-oidc.js';
+import { getNpmTrustedToken, hasGithubOidcEnv, OidcExchangeError, OidcUnavailableError } from '../utils/npm-oidc.js';
 export const publishCommand = {
     command: 'publish [path]',
     description: 'Pack + upload the workspace at <path> (default: cwd) to its npm registry. Drop-in for `npm publish` with workspace:^ rewrite handled automatically.',
@@ -52,6 +52,10 @@ export const publishCommand = {
         .option('access', {
         description: 'Package access — `public` or `restricted` (required for first publish of scoped packages on the public registry).',
         type: 'string',
+    })
+        .option('otp', {
+        description: 'npm 2FA one-time code; sent as the `npm-otp` header. Required for manual publishes from a 2FA-enabled account.',
+        type: 'string',
     })
         .option('tolerate-republish', {
         description: 'Treat "version already published" as success — covers both classic 409 Conflict and the npm OIDC-path 403 Forbidden + `"previously published"` body shape. Matches yarn `--tolerate-republish`.',
@@ -64,7 +68,7 @@ export const publishCommand = {
         default: false,
     })
         .option('provenance', {
-        description: 'Pass-through flag — recorded in the payload but no signing happens (gjsify doesn\'t ship a sigstore signer yet).',
+        description: "Pass-through flag — recorded in the payload but no signing happens (gjsify doesn't ship a sigstore signer yet).",
         type: 'boolean',
         default: false,
     })
@@ -95,6 +99,7 @@ export const publishCommand = {
         const wsDir = resolve(args.path ?? process.cwd());
         const tag = args.tag ?? 'latest';
         const access = args.access;
+        const otp = args.otp;
         const tolerate = args['tolerate-republish'] === true;
         const tolerateUntrustedNew = args['tolerate-untrusted-new'] === true;
         const provenance = args.provenance === true;
@@ -222,9 +227,7 @@ export const publishCommand = {
         // libnpmpublish/lib/publish.js). The full scoped filename is what
         // `npm pack` writes to disk, but the registry stores tarballs at
         // the unscoped path.
-        const unscopedName = packed.name.includes('/')
-            ? packed.name.slice(packed.name.indexOf('/') + 1)
-            : packed.name;
+        const unscopedName = packed.name.includes('/') ? packed.name.slice(packed.name.indexOf('/') + 1) : packed.name;
         const wireFilename = `${unscopedName}-${packed.version}.tgz`;
         const tarballUrl = `${registryClean}/${packed.name}/-/${wireFilename}`;
         // 4. Build payload + PUT
@@ -240,13 +243,17 @@ export const publishCommand = {
         const headers = buildHeaders(url, { npmrc });
         headers['content-type'] = 'application/json';
         headers['accept'] = '*/*';
+        // 2FA OTP — sent as the `npm-otp` header (npm-registry-fetch convention,
+        // verified in refs/npm-cli/node_modules/npm-registry-fetch/lib/index.js
+        // line ~243: `if (opts.otp) headers['npm-otp'] = opts.otp`).
+        if (otp)
+            headers['npm-otp'] = otp;
         // Trusted Publishing path. `--trusted` forces OIDC (errors if env
         // vars are missing); the default `undefined` triggers auto-detect:
         // OIDC is used iff GitHub OIDC env vars are present AND no
         // `NODE_AUTH_TOKEN` is set. With `NODE_AUTH_TOKEN` set the user has
         // explicitly opted into token auth, so we don't shadow their choice.
-        const wantTrusted = trustedFlag === true ||
-            (trustedFlag === undefined && hasGithubOidcEnv() && !process.env.NODE_AUTH_TOKEN);
+        const wantTrusted = trustedFlag === true || (trustedFlag === undefined && hasGithubOidcEnv() && !process.env.NODE_AUTH_TOKEN);
         let authMode = 'token';
         if (wantTrusted) {
             try {
@@ -271,9 +278,7 @@ export const publishCommand = {
                 // Trusted Publisher bootstrap"). Skip such a package when
                 // --tolerate-untrusted-new is set so one un-bootstrapped
                 // package doesn't break the entire serialized publish loop.
-                const isUntrustedNewPackage = err instanceof OidcExchangeError &&
-                    err.status === 404 &&
-                    /package not found/i.test(err.body);
+                const isUntrustedNewPackage = err instanceof OidcExchangeError && err.status === 404 && /package not found/i.test(err.body);
                 if (isUntrustedNewPackage && tolerateUntrustedNew) {
                     const headerMsg = `${packed.name}@${packed.version} (skipped — no Trusted Publisher on npm, see AGENTS.md "New @gjsify/* package: first-publish + Trusted Publisher bootstrap")`;
                     if (args.json) {
@@ -306,13 +311,55 @@ export const publishCommand = {
             console.error(`gjsify publish: PUT ${url} (${packed.name}@${packed.version})`);
             console.error(`  auth-mode:     ${authMode}`);
             console.error(`  authorization: ${headers['authorization'] ? '(set)' : '(none)'}`);
+            console.error(`  otp:           ${headers['npm-otp'] ? '(set)' : '(none)'}`);
             console.error(`  payload size:  ${JSON.stringify(payload).length} bytes`);
         }
-        const res = await fetch(url, {
-            method: 'PUT',
-            headers,
-            body: JSON.stringify(payload),
-        });
+        const bodyStr = JSON.stringify(payload);
+        // Helper that PUTs with a given header set and returns the response.
+        async function doPut(reqHeaders) {
+            return fetch(url, {
+                method: 'PUT',
+                headers: reqHeaders,
+                body: bodyStr,
+            });
+        }
+        let res = await doPut(headers);
+        // EOTP handling — mirrors npm's otplease.js (refs/npm-cli/lib/utils/auth.js).
+        // npm signals "OTP required" via:
+        //   - HTTP 401 + `www-authenticate` header containing "otp"
+        //     (refs/npm-cli/node_modules/npm-registry-fetch/lib/check-response.js
+        //     line ~83: `auth.indexOf('otp') !== -1` → HttpErrorAuthOTP)
+        //   - HTTP 401 + body containing "one-time pass" (heuristic for
+        //     malformed responses missing the www-authenticate header —
+        //     same check-response.js lines ~92-98)
+        // We check both shapes, exactly matching npm's logic.
+        // If the caller already supplied --otp we skip this (they set the
+        // header; if the registry still 401s that is a wrong-code error).
+        if (!otp && res.status === 401) {
+            const wwwAuth = res.headers.get('www-authenticate') ?? '';
+            const body401 = await res.text().catch(() => '');
+            const needsOtp = wwwAuth.toLowerCase().split(/,\s*/).includes('otp') || /one-time pass/i.test(body401);
+            if (needsOtp) {
+                // Interactive path: if stdin is a TTY, prompt and retry once.
+                if (process.stdin.isTTY && process.stdout.isTTY) {
+                    process.stdout.write('This operation requires a one-time password.\nEnter OTP: ');
+                    const enteredOtp = await readLineFromStdin();
+                    if (enteredOtp) {
+                        const retryHeaders = { ...headers, 'npm-otp': enteredOtp };
+                        res = await doPut(retryHeaders);
+                    }
+                    else {
+                        console.error(`gjsify publish: no OTP entered — re-run with \`--otp <code>\``);
+                        process.exit(1);
+                    }
+                }
+                else {
+                    // Non-interactive: give the maintainer a clear, actionable message.
+                    console.error(`gjsify publish: npm requires a 2FA one-time code — re-run with \`--otp <code>\``);
+                    process.exit(1);
+                }
+            }
+        }
         if (res.ok) {
             const out = {
                 ok: true,
@@ -341,8 +388,7 @@ export const publishCommand = {
         // Both are intentionally tolerated under --tolerate-republish so
         // that re-running a release workflow after a partial failure does
         // not error on the already-published packages.
-        const isRepublishConflict = res.status === 409 ||
-            (res.status === 403 && /previously published/i.test(text));
+        const isRepublishConflict = res.status === 409 || (res.status === 403 && /previously published/i.test(text));
         if (isRepublishConflict && tolerate) {
             const out = {
                 ok: true,
@@ -380,11 +426,15 @@ async function packWorkspaceToBytes(wsDir) {
     try {
         (await import('node:fs')).rmSync(res.absolutePath);
     }
-    catch { /* best effort */ }
+    catch {
+        /* best effort */
+    }
     try {
         (await import('node:fs')).rmdirSync(tmp);
     }
-    catch { /* best effort */ }
+    catch {
+        /* best effort */
+    }
     return bytes;
 }
 async function loadRewrittenManifest(wsDir, pkg) {
@@ -437,7 +487,9 @@ async function loadNpmrc(cwd) {
     // The auth-token npmrc from actions/setup-node ships
     // `_authToken=${NODE_AUTH_TOKEN}` as a literal placeholder; the env var
     // is set on the publish step.
-    const merged = sources.join('\n').replace(/\$\{([A-Z_][A-Z0-9_]*)\}/gi, (_, name) => process.env[name] ?? '');
+    const merged = sources
+        .join('\n')
+        .replace(/\$\{([A-Z_][A-Z0-9_]*)\}/gi, (_, name) => process.env[name] ?? '');
     return parseNpmrc(merged);
 }
 function buildPublishPayload(opts) {
@@ -480,6 +532,46 @@ function base64Encode(bytes) {
     }
     return btoa(str);
 }
+/**
+ * Read a single line from stdin (blocking via async iterator). Used for the
+ * interactive OTP prompt path (mirrors npm's `read.otp()`). Resolves with the
+ * trimmed line or an empty string if stdin closed without input.
+ */
+async function readLineFromStdin() {
+    return new Promise((resolve) => {
+        let buf = '';
+        const onData = (chunk) => {
+            buf += typeof chunk === 'string' ? chunk : chunk.toString('utf-8');
+            const nl = buf.indexOf('\n');
+            if (nl >= 0) {
+                cleanup();
+                resolve(buf.slice(0, nl).trim());
+            }
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(buf.trim());
+        };
+        const onError = () => {
+            cleanup();
+            resolve('');
+        };
+        const cleanup = () => {
+            process.stdin.removeListener('data', onData);
+            process.stdin.removeListener('end', onEnd);
+            process.stdin.removeListener('error', onError);
+            if (typeof process.stdin.unref === 'function') {
+                process.stdin.unref?.();
+            }
+        };
+        process.stdin.setEncoding('utf-8');
+        if (process.stdin.isPaused())
+            process.stdin.resume();
+        process.stdin.once('data', onData);
+        process.stdin.once('end', onEnd);
+        process.stdin.once('error', onError);
+    });
+}
 function handleOidcFailure(err, packageName, asJson) {
     if (err instanceof OidcUnavailableError) {
         const msg = `gjsify publish: OIDC not available — ${err.message}`;

package/lib/commands/run.js

@@ -108,9 +108,7 @@ async function runScript(script, extraArgs) {
     // (stdout is always a pipe there, but the GHA log viewer renders ANSI
     // fine). Respect user overrides: FORCE_COLOR=0 or NO_COLOR keeps
     // colors off.
-    const colorEnv = process.env.FORCE_COLOR !== undefined || process.env.NO_COLOR !== undefined
-        ? {}
-        : { FORCE_COLOR: '1' };
+    const colorEnv = process.env.FORCE_COLOR !== undefined || process.env.NO_COLOR !== undefined ? {} : { FORCE_COLOR: '1' };
     const env = {
         ...process.env,
         ...colorEnv,
@@ -119,9 +117,7 @@ async function runScript(script, extraArgs) {
         npm_package_name: pkg.name ?? '',
         npm_package_version: pkg.version ?? '',
     };
-    const fullCmd = extraArgs.length > 0
-        ? `${literal} ${extraArgs.map(shellEscape).join(' ')}`
-        : literal;
+    const fullCmd = extraArgs.length > 0 ? `${literal} ${extraArgs.map(shellEscape).join(' ')}` : literal;
     // ensureMainLoop() (called inside spawn) keeps GJS alive after the
     // child exits — without an explicit process.exit() the success path
     // would park the loop forever. The error path already exits.

package/lib/commands/self-update.js

@@ -76,18 +76,34 @@ export const selfUpdateCommand = {
             return;
         }
         if (args.check) {
-            console.log(currentVersion
-                ? `Update available: v${currentVersion} → v${target}`
-                : `Install required: → v${target}`);
+            console.log(currentVersion ? `Update available: v${currentVersion} → v${target}` : `Install required: → v${target}`);
             process.exit(1);
             return;
         }
         console.log(`Installing ${PACKAGE_NAME}@${target} ...`);
-        await installPackages({
-            prefix: layout.prefix,
-            specs: [`${PACKAGE_NAME}@${target}`],
-            verbose: false,
-        });
+        // `@gjsify/cli` is a self-contained GJS bundle: every workspace dep
+        // (`@gjsify/node-polyfills`, `@gjsify/v8`, …) is bundled into the
+        // published `dist/cli.gjs.mjs` artifact and must NOT be resolved as
+        // a separate npm package. `skipDeps: true` limits the native install
+        // backend to fetching the top-level tarball only, avoiding spurious
+        // packument requests for workspace-internal packages that are not
+        // published to the public registry (which previously caused a
+        // 406 Not Acceptable → fatal crash on the `@gjsify/v8` packument).
+        try {
+            await installPackages({
+                prefix: layout.prefix,
+                specs: [`${PACKAGE_NAME}@${target}`],
+                verbose: false,
+                skipDeps: true,
+            });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`self-update: install failed — ${msg}`);
+            console.error(`Re-run \`gjsify self-update\` to retry.`);
+            process.exit(1);
+            return;
+        }
         const linked = linkGlobalBins([PACKAGE_NAME], layout);
         if (linked.length === 0) {
             console.warn('self-update: install completed but no bins were linked — package.json may be missing a `bin` field.');
@@ -107,6 +123,18 @@ export const selfUpdateCommand = {
  */
 function readCurrentVersion() {
     try {
+        // Escape hatch for tests: point GJSIFY_CLI_PACKAGE_JSON at a synthetic
+        // package.json to override the upward-walk discovery.  When set to a
+        // file whose `name` does not equal PACKAGE_NAME the function returns
+        // null, which is the correct production behaviour for "version unknown".
+        const override = process.env.GJSIFY_CLI_PACKAGE_JSON;
+        if (override) {
+            const pkg = JSON.parse(readFileSync(override, 'utf-8'));
+            if (pkg.name === PACKAGE_NAME && typeof pkg.version === 'string') {
+                return pkg.version;
+            }
+            return null;
+        }
         const here = fileURLToPath(import.meta.url);
         let dir = dirname(resolve(here));
         for (let i = 0; i < 8 && dir !== dirname(dir); i++) {

package/lib/commands/showcase.js

@@ -1,5 +1,5 @@
 import { discoverShowcases, findShowcase } from '../utils/discover-showcases.js';
-import { runMinimalChecks, detectPackageManager, buildInstallCommand, } from '../utils/check-system-deps.js';
+import { runMinimalChecks, detectPackageManager, buildInstallCommand } from '../utils/check-system-deps.js';
 import { spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import { readFileSync } from 'node:fs';

package/lib/commands/system-check.js

@@ -3,8 +3,7 @@ export const systemCheckCommand = {
     command: 'system-check',
     description: 'Check that required system dependencies (GJS, GTK4, libsoup3, …) are installed. Optional dependencies are detected only when their @gjsify/* package is in your project. (Previously called `gjsify check`; the bare name now runs TypeScript checks across the workspace — see `gjsify check --help`.)',
     builder: (yargs) => {
-        return yargs
-            .option('json', {
+        return yargs.option('json', {
             description: 'Output results as JSON',
             type: 'boolean',
             default: false,
@@ -13,8 +12,8 @@ export const systemCheckCommand = {
     handler: async (args) => {
         const results = runAllChecks(process.cwd());
         const pm = detectPackageManager();
-        const missingRequired = results.filter(r => !r.found && r.severity === 'required');
-        const missingOptional = results.filter(r => !r.found && r.severity === 'optional');
+        const missingRequired = results.filter((r) => !r.found && r.severity === 'required');
+        const missingOptional = results.filter((r) => !r.found && r.severity === 'optional');
         const allMissing = [...missingRequired, ...missingOptional];
         if (args.json) {
             console.log(JSON.stringify({ packageManager: pm, deps: results }, null, 2));
@@ -23,8 +22,8 @@ export const systemCheckCommand = {
             return;
         }
         console.log('System dependency check\n');
-        const required = results.filter(r => r.severity === 'required');
-        const optional = results.filter(r => r.severity === 'optional');
+        const required = results.filter((r) => r.severity === 'required');
+        const optional = results.filter((r) => r.severity === 'optional');
         if (required.length > 0) {
             console.log('Required:');
             for (const dep of required) {
@@ -39,9 +38,7 @@ export const systemCheckCommand = {
                 // ⚠ for missing-but-needed-by-installed-packages, ○ for missing-but-not-needed (shouldn't appear in conditional mode)
                 const icon = dep.found ? '✓' : '⚠';
                 const ver = dep.version ? `  (${dep.version})` : '';
-                const requiredBy = dep.requiredBy && dep.requiredBy.length > 0
-                    ? `  — needed by ${dep.requiredBy.join(', ')}`
-                    : '';
+                const requiredBy = dep.requiredBy && dep.requiredBy.length > 0 ? `  — needed by ${dep.requiredBy.join(', ')}` : '';
                 console.log(`  ${icon}  ${dep.name}${ver}${requiredBy}`);
             }
         }
@@ -51,10 +48,10 @@ export const systemCheckCommand = {
             return;
         }
         if (missingRequired.length > 0) {
-            console.log(`\nMissing required: ${missingRequired.map(d => d.name).join(', ')}`);
+            console.log(`\nMissing required: ${missingRequired.map((d) => d.name).join(', ')}`);
         }
         if (missingOptional.length > 0) {
-            console.log(`Missing optional: ${missingOptional.map(d => d.name).join(', ')}`);
+            console.log(`Missing optional: ${missingOptional.map((d) => d.name).join(', ')}`);
         }
         const cmd = buildInstallCommand(pm, allMissing);
         if (cmd) {

package/lib/commands/test.js

@@ -66,13 +66,15 @@ export const testCommand = {
             ? ['gjs']
             : args.runtime === 'node'
                 ? ['node']
-                : (testCfg.runtimes && testCfg.runtimes.length > 0 ? testCfg.runtimes : ['gjs', 'node']);
+                : testCfg.runtimes && testCfg.runtimes.length > 0
+                    ? testCfg.runtimes
+                    : ['gjs', 'node'];
         const results = [];
         for (const runtime of requested) {
             const outfile = join(outdir, `test.${runtime}.mjs`);
             // Build stage (skip if --no-build OR (not --rebuild AND outfile fresher than src)).
             if (args.build !== false) {
-                const needsBuild = args.rebuild || !isFresh(outfile, entry, cwd);
+                const needsBuild = args.rebuild || !isFresh(outfile, entry);
                 if (needsBuild) {
                     const buildStart = Date.now();
                     if (args.verbose) {
@@ -144,11 +146,11 @@ async function buildTestBundle(entry, outfile, runtime, verbose) {
     // the merged config; we set it explicitly here so package.json#main /
     // bundler.output.file from the surrounding project don't redirect the
     // bundle elsewhere.
-    configData.library = { ...(configData.library ?? {}) };
+    configData.library = { ...configData.library };
     configData.bundler = {
-        ...(configData.bundler ?? {}),
+        ...configData.bundler,
         input: [entry],
-        output: { ...(configData.bundler?.output ?? {}), file: outfile },
+        output: { ...configData.bundler?.output, file: outfile },
     };
     const action = new BuildAction(configData);
     await action.start({ app: runtime, library: false });
@@ -171,7 +173,7 @@ async function runTestBundle(outfile, runtime) {
     });
 }
 /** True when `outfile` exists and is newer than every `.ts`/`.mts` file under the entry's directory tree. */
-function isFresh(outfile, entry, cwd) {
+function isFresh(outfile, entry) {
     if (!existsSync(outfile))
         return false;
     const outMtime = statSync(outfile).mtimeMs;
@@ -186,7 +188,6 @@ function isFresh(outfile, entry, cwd) {
         // On any FS error, force rebuild to stay safe.
         return false;
     }
-    void cwd;
 }
 function newestMtimeUnder(path) {
     const st = statSync(path);
@@ -194,7 +195,10 @@ function newestMtimeUnder(path) {
         return st.mtimeMs;
     let max = st.mtimeMs;
     for (const entry of readdirSync(path, { withFileTypes: true })) {
-        if (entry.name === 'node_modules' || entry.name === 'dist' || entry.name === 'lib' || entry.name.startsWith('.')) {
+        if (entry.name === 'node_modules' ||
+            entry.name === 'dist' ||
+            entry.name === 'lib' ||
+            entry.name.startsWith('.')) {
             continue;
         }
         const child = join(path, entry.name);

package/lib/commands/uninstall.js

@@ -134,9 +134,7 @@ function findBinShimsForPackage(binDir, pkgDir, verbose) {
             // Find the `exec [gjs -m] '<target>' "$@"` line; the path may
             // contain `:` from the optional prebuild preamble lines, which
             // is why we anchor to `exec ` rather than the first quoted run.
-            const execLine = content
-                .split('\n')
-                .find((line) => /^exec (?:gjs -m )?'/.test(line));
+            const execLine = content.split('\n').find((line) => /^exec (?:gjs -m )?'/.test(line));
             if (!execLine)
                 continue;
             const m = execLine.match(/'([^']+)'/);

package/lib/commands/upgrade.d.ts

@@ -1,4 +1,4 @@
-import type { Command } from "../types/index.js";
+import type { Command } from '../types/index.js';
 interface UpgradeOptions {
     latest?: boolean;
     minor?: boolean;