@rainy-updates/cli 0.4.0 → 0.4.4

package/CHANGELOG.md

@@ -2,6 +2,29 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.4.4] - 2026-02-27
+
+### Changed
+
+- Version bump to `0.4.4` for production stabilization.
+- Simplified public documentation to focus on end-user CLI usage.
+- Removed user-facing instructions for GitHub Actions configuration from README.
+
+### Fixed
+
+- Removed optional `better-sqlite3` dependency to avoid deprecated native install warnings (`prebuild-install`).
+- Cache backend now uses `bun:sqlite` when available and falls back cleanly to file-based cache without native Node addons.
+
+### Added
+
+- `SECURITY.md` with vulnerability disclosure guidance.
+- `CODE_OF_CONDUCT.md` for OSS community standards.
+- Automatic CI bootstrap improvements in `init-ci`:
+  - `--mode minimal|strict`
+  - `--schedule weekly|daily|off`
+  - package-manager-aware install step generation (npm/pnpm)
+
+
 ## [0.4.0] - 2026-02-27
 
 ### Added
@@ -126,7 +149,7 @@ All notable changes to this project are documented in this file.
   - `--dep-kinds deps,dev,optional,peer`
 - Runtime controls:
   - `--concurrency` for parallel dependency checks.
-  - `--cache-ttl` for cache freshness tuning.
+- `--cache-ttl` for cache freshness tuning.
 - Cache layer improvements:
   - SQLite-first cache backend when available.
   - JSON fallback cache backend.

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,25 @@
+# Code of Conduct
+
+## Our Standards
+
+We are committed to a respectful, inclusive, and harassment-free community.
+
+Expected behavior:
+
+- be respectful and constructive
+- focus on technical issues, not personal attacks
+- welcome feedback and different viewpoints
+
+Unacceptable behavior:
+
+- harassment, discrimination, or abusive language
+- doxxing or threats
+- trolling and persistent disruption
+
+## Enforcement
+
+Project maintainers are responsible for clarifying and enforcing this code of conduct.
+
+## Reporting
+
+Report unacceptable behavior through private communication with maintainers or GitHub moderation tools.

package/README.md

@@ -1,6 +1,16 @@
 # @rainy-updates/cli
 
-Agentic OSS CLI for dependency updates focused on speed, CI automation, and workspace-scale maintenance.
+Agentic CLI to detect, control, and apply dependency updates across npm/pnpm projects and monorepos.
+
+`@rainy-updates/cli` is built for teams that need fast dependency intelligence, policy-aware upgrades, and automation-ready output for CI/CD and pull request workflows.
+
+## Why this package
+
+- Detects updates quickly across single-package repos and workspaces.
+- Applies updates safely with configurable targets (`patch`, `minor`, `major`, `latest`).
+- Enforces policy rules per package (ignore rules and max upgrade level).
+- Supports offline and cache-warmed execution for deterministic CI runs.
+- Produces machine-readable artifacts (JSON, SARIF, GitHub outputs, PR markdown report).
 
 ## Install
 
@@ -10,64 +20,53 @@ npm i -D @rainy-updates/cli
 pnpm add -D @rainy-updates/cli
 ```
 
-## Commands
+## Core commands
 
-- `check`: detect available dependency updates.
-- `upgrade`: rewrite dependency ranges (optional install + workspace sync).
-- `warm-cache`: pre-fetch package metadata into local cache for faster CI checks.
-- `init-ci`: scaffold `.github/workflows/rainy-updates.yml`.
+- `check`: analyze dependencies and report available updates.
+- `upgrade`: rewrite dependency ranges in manifests, optionally install lockfile updates.
+- `warm-cache`: prefetch package metadata for fast and offline checks.
 
-## Quick start
+## Quick usage
 
 ```bash
-# check and fail CI if updates are found
-npx @rainy-updates/cli check --ci --format json --json-file .artifacts/deps-report.json
+# 1) Detect updates
+npx @rainy-updates/cli check --format table
 
-# pre-warm cache before strict offline checks
-npx @rainy-updates/cli warm-cache --workspace --concurrency 32
-npx @rainy-updates/cli check --workspace --offline --ci
+# 2) Strict CI mode (non-zero when updates exist)
+npx @rainy-updates/cli check --workspace --ci --format json --json-file .artifacts/updates.json
 
-# upgrade ranges and install lockfiles
+# 3) Apply upgrades with workspace sync
 npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
 
-# scaffold GitHub Actions workflow
-npx @rainy-updates/cli init-ci
+# 4) Warm cache for deterministic offline checks
+npx @rainy-updates/cli warm-cache --workspace --concurrency 32
+npx @rainy-updates/cli check --workspace --offline --ci
 ```
 
-## Core options
-
-- `--target patch|minor|major|latest`
-- `--filter <pattern>`
-- `--reject <pattern>`
-- `--dep-kinds deps,dev,optional,peer`
-- `--workspace`
-- `--concurrency <n>`
-- `--cache-ttl <seconds>`
-- `--offline` (cache-only mode)
-- `--cwd <path>`
+## What it does in production
 
-## Output options
+### Update detection engine
 
-- `--format table|json|minimal|github`
-- `--json-file <path>`
-- `--github-output <path>`
-- `--sarif-file <path>`
-- `--pr-report-file <path>` (generates markdown report for PR comments)
+- Scans dependency groups: `dependencies`, `devDependencies`, `optionalDependencies`, `peerDependencies`.
+- Resolves versions per unique package to reduce duplicate network requests.
+- Uses network concurrency controls and resilient retries.
+- Supports stale-cache fallback when registry calls fail.
 
-## Upgrade options
+### Workspace support
 
-- `--install`
-- `--pm auto|npm|pnpm`
-- `--sync` (graph-aware version alignment across workspace packages)
+- Detects package workspaces from:
+  - `package.json` workspaces
+  - `pnpm-workspace.yaml`
+- Handles multi-manifest upgrade flows.
+- Graph-aware sync mode (`--sync`) avoids breaking `workspace:*` references.
 
-## Policy controls
+### Policy-aware control
 
-- `--policy-file <path>` to apply package-level policy rules.
-- default policy discovery:
-  - `.rainyupdates-policy.json`
-  - `rainy-updates.policy.json`
+- Apply global ignore patterns.
+- Apply package-specific rules.
+- Enforce max upgrade target per package (for safer rollout).
 
-Policy example:
+Example policy file:
 
 ```json
 {
@@ -79,63 +78,118 @@ Policy example:
 }
 ```
 
-## CLI help
+Use it with:
 
 ```bash
-rainy-updates --help
-rainy-updates <command> --help
-rainy-updates --version
+npx @rainy-updates/cli check --policy-file .rainyupdates-policy.json
 ```
 
-## CI behavior
+## Output and reporting
 
-- `--ci`: returns exit code `1` when updates are found.
-- returns exit code `2` for operational errors (registry/IO/runtime failures).
+### Human output
 
-## Config files
+- `--format table`
+- `--format minimal`
 
-Supported:
+### Automation output
 
-- `.rainyupdatesrc`
-- `.rainyupdatesrc.json`
-- `package.json` -> `rainyUpdates`
+- `--format json`
+- `--json-file <path>`
+- `--sarif-file <path>`
+- `--github-output <path>`
+- `--pr-report-file <path>`
 
-Example:
+These outputs are designed for CI pipelines, security tooling, and PR review automation.
 
-```json
-{
-  "rainyUpdates": {
-    "target": "minor",
-    "workspace": true,
-    "concurrency": 24,
-    "offline": false,
-    "format": "json",
-    "cacheTtlSeconds": 1800,
-    "jsonFile": ".artifacts/deps.json",
-    "sarifFile": ".artifacts/deps.sarif",
-    "prReportFile": ".artifacts/deps.md",
-    "policyFile": ".rainyupdates-policy.json"
-  }
-}
+
+## Automatic CI bootstrap
+
+Generate a workflow in the target project automatically:
+
+```bash
+# strict mode (recommended)
+npx @rainy-updates/cli init-ci --mode strict --schedule weekly
+
+# lightweight mode
+npx @rainy-updates/cli init-ci --mode minimal --schedule daily
 ```
 
-## Production release
+Generated file:
+
+- `.github/workflows/rainy-updates.yml`
+
+Modes:
+
+- `strict`: warm-cache + offline check + artifacts + SARIF upload.
+- `minimal`: fast check-only workflow for quick adoption.
+
+Schedule:
+
+- `weekly`, `daily`, or `off` (manual dispatch only).
+
+## Command options
+
+### Global
+
+- `--cwd <path>`
+- `--workspace`
+- `--target patch|minor|major|latest`
+- `--filter <pattern>`
+- `--reject <pattern>`
+- `--dep-kinds deps,dev,optional,peer`
+- `--concurrency <n>`
+- `--cache-ttl <seconds>`
+- `--offline`
+- `--policy-file <path>`
+- `--format table|json|minimal|github`
+- `--json-file <path>`
+- `--github-output <path>`
+- `--sarif-file <path>`
+- `--pr-report-file <path>`
+- `--ci`
+
+### Upgrade-only
+
+- `--install`
+- `--pm auto|npm|pnpm`
+- `--sync`
+
+## Config support
+
+Configuration can be loaded from:
+
+- `.rainyupdatesrc`
+- `.rainyupdatesrc.json`
+- `package.json` field: `rainyUpdates`
+
+## CLI help
 
 ```bash
-bun run prepublishOnly
-node scripts/release-preflight.mjs
-npm publish --provenance --access public
+rainy-updates --help
+rainy-updates <command> --help
+rainy-updates --version
 ```
 
-If publishing in GitHub Actions, set `NPM_TOKEN` in repository secrets.
+## Reliability characteristics
+
+- Node.js 20+ runtime.
+- Works with npm and pnpm workflows.
+- Uses optional `undici` pool path for high-throughput HTTP.
+- Cache-first architecture for speed and resilience.
+
+## CI/CD included
+
+This package ships with production CI/CD pipelines in the repository:
+
+- Continuous integration pipeline for typecheck, tests, build, and production smoke checks.
+- Tag-driven release pipeline for npm publishing with provenance.
+- Release preflight validation for npm auth/scope checks before publishing.
+
 
-The repository includes:
+## Product roadmap
 
-- `.github/workflows/ci.yml` for test/typecheck/build/smoke checks.
-- `.github/workflows/release.yml` for tag-driven npm publishing.
+The long-term roadmap is maintained in [`ROADMAP.md`](./ROADMAP.md).
 
-## Performance and runtime notes
+## License
 
-- Resolves dependency metadata by unique package name to avoid duplicate network calls.
-- Uses `undici` pool with HTTP/2 when available; falls back to native `fetch` automatically.
-- Uses layered cache with stale fallback for resilient CI runs.
+MIT

package/SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported versions
+
+Security fixes are applied to the latest released version.
+
+## Reporting vulnerabilities
+
+Report vulnerabilities privately through GitHub Security Advisories.
+
+Include:
+
+- affected version
+- reproduction steps
+- impact assessment
+- proof-of-concept if available
+
+Do not open public issues for unpatched security vulnerabilities.

package/dist/bin/cli.js

@@ -25,7 +25,10 @@ async function main() {
         }
         const parsed = await parseCliArgs(argv);
         if (parsed.command === "init-ci") {
-            const workflow = await initCiWorkflow(parsed.options.cwd, parsed.options.force);
+            const workflow = await initCiWorkflow(parsed.options.cwd, parsed.options.force, {
+                mode: parsed.options.mode,
+                schedule: parsed.options.schedule,
+            });
             process.stdout.write(workflow.created
                 ? `Created CI workflow at ${workflow.path}\n`
                 : `CI workflow already exists at ${workflow.path}. Use --force to overwrite.\n`);
@@ -107,10 +110,15 @@ Options:
   --pr-report-file <path>`;
     }
     if (isCommand && command === "init-ci") {
-        return `rainy-updates init-ci [--force]
+        return `rainy-updates init-ci [options]
 
 Create a GitHub Actions workflow template at:
-  .github/workflows/rainy-updates.yml`;
+  .github/workflows/rainy-updates.yml
+
+Options:
+  --force
+  --mode minimal|strict
+  --schedule weekly|daily|off`;
     }
     return `rainy-updates <command> [options]
 

package/dist/cache/cache.js

@@ -110,16 +110,8 @@ async function tryCreateSqliteStore(dbPath) {
             return new SqliteCacheStore(db);
         }
     }
-    catch {
-        // noop
-    }
-    try {
-        const maybeRequire = Function("return require")();
-        const Database = maybeRequire("better-sqlite3");
-        const db = new Database(dbPath);
-        return new SqliteCacheStore(db);
-    }
     catch {
         return null;
     }
+    return null;
 }

package/dist/core/init-ci.d.ts

@@ -1,4 +1,10 @@
-export declare function initCiWorkflow(cwd: string, force: boolean): Promise<{
+export type InitCiMode = "minimal" | "strict";
+export type InitCiSchedule = "weekly" | "daily" | "off";
+export interface InitCiOptions {
+    mode: InitCiMode;
+    schedule: InitCiSchedule;
+}
+export declare function initCiWorkflow(cwd: string, force: boolean, options: InitCiOptions): Promise<{
     path: string;
     created: boolean;
 }>;

package/dist/core/init-ci.js

@@ -1,20 +1,51 @@
-import { promises as fs } from "node:fs";
+import { access, writeFile, mkdir } from "node:fs/promises";
 import path from "node:path";
-export async function initCiWorkflow(cwd, force) {
+export async function initCiWorkflow(cwd, force, options) {
     const workflowPath = path.join(cwd, ".github", "workflows", "rainy-updates.yml");
     try {
         if (!force) {
-            await fs.access(workflowPath);
+            await access(workflowPath);
             return { path: workflowPath, created: false };
         }
     }
     catch {
         // missing file, continue create
     }
-    await fs.mkdir(path.dirname(workflowPath), { recursive: true });
-    await fs.writeFile(workflowPath, workflowTemplate(), "utf8");
+    const packageManager = await detectPackageManager(cwd);
+    const scheduleBlock = renderScheduleBlock(options.schedule);
+    const workflow = options.mode === "minimal"
+        ? minimalWorkflowTemplate(scheduleBlock, packageManager)
+        : strictWorkflowTemplate(scheduleBlock, packageManager);
+    await mkdir(path.dirname(workflowPath), { recursive: true });
+    await writeFile(workflowPath, workflow, "utf8");
     return { path: workflowPath, created: true };
 }
-function workflowTemplate() {
-    return `name: Rainy Updates\n\non:\n  schedule:\n    - cron: '0 8 * * 1'\n  workflow_dispatch:\n\njobs:\n  dependency-updates:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n      - name: Run rainy updates\n        run: |\n          npx @rainy-updates/cli check \\\n            --workspace \\\n            --ci \\\n            --concurrency 32 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
+async function detectPackageManager(cwd) {
+    const pnpmLock = path.join(cwd, "pnpm-lock.yaml");
+    try {
+        await access(pnpmLock);
+        return "pnpm";
+    }
+    catch {
+        return "npm";
+    }
+}
+function renderScheduleBlock(schedule) {
+    if (schedule === "off") {
+        return "  workflow_dispatch:";
+    }
+    const cron = schedule === "daily" ? "0 8 * * *" : "0 8 * * 1";
+    return `  schedule:\n    - cron: '${cron}'\n  workflow_dispatch:`;
+}
+function installStep(packageManager) {
+    if (packageManager === "pnpm") {
+        return `      - name: Setup pnpm\n        uses: pnpm/action-setup@v4\n        with:\n          version: 9\n\n      - name: Install dependencies\n        run: pnpm install --frozen-lockfile`;
+    }
+    return `      - name: Install dependencies\n        run: npm ci`;
+}
+function minimalWorkflowTemplate(scheduleBlock, packageManager) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          npx @rainy-updates/cli check \\\n            --workspace \\\n            --ci \\\n            --format table\n`;
+}
+function strictWorkflowTemplate(scheduleBlock, packageManager) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32\n\n      - name: Run strict dependency check\n        run: |\n          npx @rainy-updates/cli check \\\n            --workspace \\\n            --offline \\\n            --ci \\\n            --concurrency 32 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
 }

package/dist/core/options.d.ts

@@ -1,4 +1,5 @@
 import type { CheckOptions, UpgradeOptions } from "../types/index.js";
+import type { InitCiMode, InitCiSchedule } from "./init-ci.js";
 export type ParsedCliArgs = {
     command: "check";
     options: CheckOptions;
@@ -10,8 +11,11 @@ export type ParsedCliArgs = {
     options: CheckOptions;
 } | {
     command: "init-ci";
-    options: CheckOptions & {
+    options: {
+        cwd: string;
         force: boolean;
+        mode: InitCiMode;
+        schedule: InitCiSchedule;
     };
 };
 export declare function parseCliArgs(argv: string[]): Promise<ParsedCliArgs>;

package/dist/core/options.js

@@ -36,6 +36,8 @@ export async function parseCliArgs(argv) {
         prReportFile: undefined,
     };
     let force = false;
+    let initCiMode = "strict";
+    let initCiSchedule = "weekly";
     let resolvedConfig = await loadConfig(base.cwd);
     applyConfig(base, resolvedConfig);
     for (let index = 0; index < args.length; index += 1) {
@@ -127,6 +129,16 @@ export async function parseCliArgs(argv) {
             force = true;
             continue;
         }
+        if (current === "--mode" && next) {
+            initCiMode = ensureInitCiMode(next);
+            index += 1;
+            continue;
+        }
+        if (current === "--schedule" && next) {
+            initCiSchedule = ensureInitCiSchedule(next);
+            index += 1;
+            continue;
+        }
         if (current === "--dep-kinds" && next) {
             base.includeKinds = parseDependencyKinds(next);
             index += 1;
@@ -148,7 +160,15 @@ export async function parseCliArgs(argv) {
         return { command, options: base };
     }
     if (command === "init-ci") {
-        return { command, options: { ...base, force } };
+        return {
+            command,
+            options: {
+                cwd: base.cwd,
+                force,
+                mode: initCiMode,
+                schedule: initCiSchedule,
+            },
+        };
     }
     return {
         command: "check",
@@ -236,3 +256,15 @@ function parseDependencyKinds(value) {
     }
     return Array.from(new Set(mapped));
 }
+function ensureInitCiMode(value) {
+    if (value === "minimal" || value === "strict") {
+        return value;
+    }
+    throw new Error("--mode must be minimal or strict");
+}
+function ensureInitCiSchedule(value) {
+    if (value === "weekly" || value === "daily" || value === "off") {
+        return value;
+    }
+    throw new Error("--schedule must be weekly, daily or off");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rainy-updates/cli",
-  "version": "0.4.0",
+  "version": "0.4.4",
   "description": "Agentic CLI to check and upgrade npm/pnpm dependencies for CI workflows",
   "type": "module",
   "private": false,
@@ -36,7 +36,9 @@
     "dist",
     "README.md",
     "CHANGELOG.md",
-    "LICENSE"
+    "LICENSE",
+    "SECURITY.md",
+    "CODE_OF_CONDUCT.md"
   ],
   "scripts": {
     "clean": "rm -rf dist",
@@ -60,7 +62,6 @@
     "typescript": "^5.9.3"
   },
   "optionalDependencies": {
-    "better-sqlite3": "^12.6.2",
     "undici": "^7.22.0"
   }
 }