@majordigital/create-acorn 1.6.5 → 1.6.7

package/bin/create-acorn.mjs

@@ -116,23 +116,35 @@ async function setupPreDeploy() {
   cpSync(scriptsSrc, scriptsDest, { recursive: true, force: true });
   console.log('Pre-deploy scripts copied to scripts/.');
 
-  console.log('Installing pre-deploy tools (Lighthouse, Playwright, linkinator)...');
-  await runCommand('npm', ['install', '--save-dev', '--legacy-peer-deps',
-    'lighthouse', 'chrome-launcher', 'playwright', 'linkinator'
-  ]);
-  console.log('');
-
+  // Write devDependencies and scripts into package.json explicitly, rather than
+  // relying on `npm install --save-dev` to persist them. When the packages are
+  // already present in node_modules, npm reports "up to date" and may skip
+  // updating package.json — leaving the deps unrecorded.
+  const preDeployDeps = {
+    lighthouse: '^13',
+    'chrome-launcher': '^1',
+    playwright: '^1',
+    linkinator: '^7',
+  };
   try {
+    if (!pkg.devDependencies) pkg.devDependencies = {};
+    for (const [name, range] of Object.entries(preDeployDeps)) {
+      if (!pkg.devDependencies[name]) pkg.devDependencies[name] = range;
+    }
     if (!pkg.scripts) pkg.scripts = {};
     pkg.scripts['lighthouse'] = 'node scripts/lighthouse-audit.mjs';
     pkg.scripts['check-links'] = 'node scripts/check-links.mjs';
     pkg.scripts['cross-browser'] = 'node scripts/cross-browser-check.mjs';
     writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
-    console.log('Added pre-deploy scripts to package.json.');
+    console.log('Added pre-deploy scripts and dependencies to package.json.');
   } catch {
-    console.log('Warning: Could not add pre-deploy scripts to package.json.');
+    console.log('Warning: Could not update package.json with pre-deploy setup.');
   }
   console.log('');
+
+  console.log('Installing pre-deploy tools (Lighthouse, Playwright, linkinator)...');
+  await runCommand('npm', ['install', '--legacy-peer-deps']);
+  console.log('');
 }
 
 async function setupNextApp() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@majordigital/create-acorn",
-  "version": "1.6.5",
+  "version": "1.6.7",
   "description": "Interactive starter CLI for Acorn with Storyblok/Prismic/DatoCMS, TypeScript, and Tailwind.",
   "bin": {
     "create-acorn": "bin/create-acorn.mjs",

package/template/scripts/check-links.mjs

@@ -28,30 +28,21 @@ const concurrency = isLocalhost ? 2 : 5;
 
 // Support Netlify Basic Auth (password-protected preview deploys).
 // Set NETLIFY_AUTH=user:password in your environment before running.
+// NOTE: requires linkinator >=7 (the `headers` option is applied to every
+// fetch). Credentials are sent via an Authorization header, not embedded in
+// the URL — Node's fetch (undici) rejects URLs that contain credentials.
 const netlifyAuth = process.env.NETLIFY_AUTH;
-
-// Extract hostname so we can match internal URLs with or without credentials.
-const { protocol, hostname } = new URL(baseUrl);
-const escapedHostname = hostname.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-
-// Rewrite every internal link to include credentials so all requests authenticate.
-// Without this, links found in HTML use clean URLs and get 401.
-const urlRewriteExpressions = netlifyAuth
-    ? [{ pattern: new RegExp(`^${protocol}//${escapedHostname}`), replacement: `${protocol}//${netlifyAuth}@${hostname}` }]
-    : [];
-
-const crawlUrl = netlifyAuth
-    ? baseUrl.replace(/^(https?:\/\/)/, `$1${netlifyAuth}@`)
-    : baseUrl;
+const headers = netlifyAuth
+    ? { Authorization: `Basic ${Buffer.from(netlifyAuth).toString("base64")}` }
+    : {};
 
 const checker = new LinkChecker();
 
 checker.on("link", (result) => {
     if (result.state === "BROKEN") {
-        // Strip credentials from URLs before printing
-        const url = result.url.replace(/\/\/[^@]+@/, "//");
-        const parent = result.parent?.replace(/\/\/[^@]+@/, "//");
-        console.log(`  BROKEN [${result.status}] ${url} (from ${parent})`);
+        console.log(
+            `  BROKEN [${result.status}] ${result.url} (from ${result.parent})`,
+        );
     }
 });
 
@@ -61,14 +52,14 @@ console.log(`Concurrency: ${concurrency}`);
 console.log("This may take several minutes...\n");
 
 const result = await checker.check({
-    path: crawlUrl,
+    path: baseUrl,
     recurse: true,
     concurrency,
     timeout: 30000,
-    urlRewriteExpressions,
+    headers,
     linksToSkip: [
-        // Skip URLs that don't contain our hostname (handles both clean and credential-embedded forms)
-        `^(?!https?://[^/@]*@?${escapedHostname})`,
+        // Skip external links to avoid false positives from rate limiting
+        `^(?!(${baseUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}))`,
         // Skip multi-filter URLs — the filter UI generates combinatorial links
         // (e.g. ?filter=a%2Cb%2Cc) that cause a crawl explosion. Not real links.
         ".*[?&]filter=.*%2C.*",
@@ -95,8 +86,6 @@ console.log(`OK: ${ok.length}`);
 console.log(`Broken: ${broken.length}`);
 console.log(`Skipped: ${skipped.length}`);
 
-const stripAuth = (u) => u?.replace(/\/\/[^@]+@/, "//") ?? u;
-
 let md = `## Broken Link Check\n\n`;
 md += `Crawled: ${baseUrl}\n\n`;
 md += `| Metric | Count |\n|--------|-------|\n`;
@@ -108,11 +97,11 @@ md += `| Skipped | ${skipped.length} |\n\n`;
 if (broken.length > 0) {
     const grouped = new Map();
     for (const link of broken) {
-        const key = stripAuth(link.url);
+        const key = link.url;
         if (!grouped.has(key)) {
-            grouped.set(key, { status: link.status, url: key, foundOn: new Set() });
+            grouped.set(key, { status: link.status, url: link.url, foundOn: new Set() });
         }
-        grouped.get(key).foundOn.add(stripAuth(link.parent));
+        grouped.get(key).foundOn.add(link.parent);
     }
 
     md += `### Broken Links (${grouped.size} unique)\n\n`;