@rtorcato/js-tooling 2.19.1 → 2.20.0

package/dist/cli/commands/doctor.js

@@ -807,6 +807,23 @@ async function checkCodeowners(dir) {
         hint: 'Run `npx @rtorcato/js-tooling fix codeowners` to scaffold .github/CODEOWNERS',
     };
 }
+async function checkCommunityHealth(dir) {
+    const anchors = ['CONTRIBUTING.md', 'SECURITY.md'];
+    const present = await Promise.all(anchors.map((f) => fs.pathExists(path.join(dir, f))));
+    if (present.every(Boolean)) {
+        return {
+            check: 'Community health',
+            status: 'ok',
+            detail: 'CONTRIBUTING.md and SECURITY.md found',
+        };
+    }
+    return {
+        check: 'Community health',
+        status: 'optional-missing',
+        detail: 'missing community-health files (CONTRIBUTING/SECURITY/templates)',
+        hint: 'Run `npx @rtorcato/js-tooling fix community-health` to scaffold them',
+    };
+}
 async function checkGitLabCI(dir) {
     for (const candidate of ['.gitlab-ci.yml', '.gitlab-ci.yaml']) {
         if (await fs.pathExists(path.join(dir, candidate))) {
@@ -850,6 +867,7 @@ export async function runDoctor(dir) {
     results.push(await checkCodeQL(targetDir));
     results.push(await checkGitLabCI(targetDir));
     results.push(await checkCodeowners(targetDir));
+    results.push(await checkCommunityHealth(targetDir));
     results.push(await checkTypedoc(targetDir, pkg));
     results.push(await checkAreTheTypesWrong(targetDir, pkg));
     results.push(await checkTreeshakeSetup(targetDir, pkg));

package/dist/cli/commands/fix.js

@@ -6,6 +6,7 @@ import fs from 'fs-extra';
 import inquirer from 'inquirer';
 import { installAgentRules } from '../generators/agent-rules.js';
 import { generateSemanticReleaseConfig } from '../generators/build.js';
+import { generateCommunityHealth } from '../generators/community-health.js';
 import { generateCommitlintConfig, generateHuskyConfig, generatePrePushHook, } from '../generators/git.js';
 import { generateGitHubActions } from '../generators/github-actions.js';
 import { generateGitLabCI } from '../generators/gitlab-ci.js';
@@ -210,17 +211,17 @@ const FIXERS = [
     },
     {
         target: 'semantic-release',
-        description: 'Scaffold release.config.mjs (skipped on private packages)',
+        description: 'Scaffold release.config.mjs + install preset plugins (skipped on private packages)',
         appliesTo: ['semantic-release'],
-        outputs: ['release.config.mjs'],
+        outputs: ['release.config.mjs', 'package.json'],
         canFixDrift: true,
         async run({ targetDir, pkg }) {
             if (pkg?.private === true) {
                 console.log(chalk.gray('   skipping — package is private'));
                 return { filesWritten: [] };
             }
-            await generateSemanticReleaseConfig(targetDir);
-            return { filesWritten: ['release.config.mjs'] };
+            const filesWritten = await generateSemanticReleaseConfig(targetDir);
+            return { filesWritten };
         },
     },
     {
@@ -299,6 +300,24 @@ const FIXERS = [
             return { filesWritten: [written] };
         },
     },
+    {
+        target: 'community-health',
+        description: 'Scaffold CONTRIBUTING.md, SECURITY.md, PR + issue templates',
+        appliesTo: ['Community health'],
+        outputs: [
+            'CONTRIBUTING.md',
+            'SECURITY.md',
+            '.github/PULL_REQUEST_TEMPLATE.md',
+            '.github/ISSUE_TEMPLATE/bug_report.md',
+            '.github/ISSUE_TEMPLATE/feature_request.md',
+        ],
+        riskLevel: 'safe-add',
+        canFixDrift: false,
+        async run({ targetDir }) {
+            const filesWritten = await generateCommunityHealth(targetDir);
+            return { filesWritten };
+        },
+    },
     {
         target: 'gitlab-ci',
         description: 'Scaffold .gitlab-ci.yml (lint/typecheck/test/build mirrored from GitHub Actions)',

package/dist/cli/generators/build.js

@@ -71,11 +71,41 @@ export default mergeConfig(preset, defineConfig({ plugins: [react()] }))
 `;
     await fs.writeFile(viteConfigPath, viteConfig);
 }
+// Plugins the github/gitlab preset activates that semantic-release core does
+// NOT bundle (core bundles only commit-analyzer, release-notes-generator, npm,
+// github). Without these in the consumer's deps, `semantic-release` crashes
+// with "Cannot find module '@semantic-release/changelog'" on first run.
+const RELEASE_PLUGIN_DEPS = {
+    '@semantic-release/changelog': '^6.0.0',
+    '@semantic-release/git': '^10.0.0',
+};
 export async function generateSemanticReleaseConfig(targetDir) {
     const releaseConfigPath = path.join(targetDir, 'release.config.mjs');
     const releaseConfig = `export { default } from '@rtorcato/js-tooling/semantic-release/github'
 `;
     await fs.writeFile(releaseConfigPath, releaseConfig);
+    const written = ['release.config.mjs'];
+    // Ensure the preset's non-bundled plugins are installed; otherwise the
+    // scaffolded release.config.mjs references modules the consumer lacks.
+    const pkgPath = path.join(targetDir, 'package.json');
+    if (await fs.pathExists(pkgPath)) {
+        const pkg = (await fs.readJson(pkgPath));
+        const devDeps = (pkg.devDependencies ?? {});
+        const deps = (pkg.dependencies ?? {});
+        let changed = false;
+        for (const [name, version] of Object.entries(RELEASE_PLUGIN_DEPS)) {
+            if (!devDeps[name] && !deps[name]) {
+                devDeps[name] = version;
+                changed = true;
+            }
+        }
+        if (changed) {
+            pkg.devDependencies = devDeps;
+            await fs.writeJson(pkgPath, pkg, { spaces: 2 });
+            written.push('package.json');
+        }
+    }
+    return written;
 }
 export async function generateChangesetsConfig(targetDir) {
     // Drop the canonical Changesets config into .changeset/config.json. The user

package/dist/cli/generators/community-health.js

@@ -0,0 +1,145 @@
+import path from 'node:path';
+import fs from 'fs-extra';
+const CONTRIBUTING = `# Contributing
+
+Thanks for your interest in contributing!
+
+## Local setup
+
+\`\`\`bash
+pnpm install
+pnpm build
+pnpm test
+\`\`\`
+
+## Commit messages
+
+This project uses [Conventional Commits](https://www.conventionalcommits.org/).
+Format: \`type(scope): summary\` — e.g. \`fix(api): handle empty payload\`.
+Common types: \`feat\`, \`fix\`, \`docs\`, \`refactor\`, \`test\`, \`chore\`.
+If commitizen is set up, run \`pnpm commit\` to be guided through it.
+
+## Pull requests
+
+- Keep PRs focused and small where possible.
+- Make sure \`pnpm test\` and \`pnpm check\` (lint) pass.
+- Add tests for new behaviour.
+- Describe what changed and why in the PR description.
+`;
+// Relative advisory link works from a repo-root SECURITY.md on GitHub, so the
+// template stays repo-agnostic (no hardcoded owner/name). Fill in the contact.
+const SECURITY = `# Security Policy
+
+## Supported versions
+
+Only the latest major version receives security fixes.
+
+## Reporting a vulnerability
+
+Do **not** open a public GitHub issue for security vulnerabilities.
+
+Instead, use [GitHub's private vulnerability reporting](../../security/advisories/new)
+or email **<security-contact@example.com>** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Potential impact
+
+You'll receive a response within 5 business days.
+`;
+const PULL_REQUEST_TEMPLATE = `## Summary
+
+<!-- 1-3 bullet points describing what changed and why -->
+-
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor / cleanup
+- [ ] Documentation
+- [ ] CI / tooling
+
+## Test plan
+
+- [ ] Existing tests pass (\`pnpm test\`)
+- [ ] New tests added for new behaviour
+
+## Checklist
+
+- [ ] No debug logging left in production code
+- [ ] No breaking changes (or BREAKING CHANGE footer added to commit)
+- [ ] Lint passes (\`pnpm check\` / \`pnpm lint\`)
+`;
+const BUG_REPORT = `---
+name: Bug report
+about: Something isn't working as expected
+labels: bug
+---
+
+## Describe the bug
+
+<!-- A clear and concise description of what the bug is -->
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Expected behaviour
+
+## Actual behaviour
+
+<!-- Paste any error output here -->
+
+\`\`\`
+\`\`\`
+
+## Environment
+
+- Package version:
+- Node version (\`node -v\`):
+- Package manager + version:
+- OS:
+`;
+const FEATURE_REQUEST = `---
+name: Feature request
+about: Suggest an idea or improvement
+labels: enhancement
+---
+
+## Problem
+
+<!-- What are you trying to do that you can't do today? -->
+
+## Proposed solution
+
+## Alternatives considered
+
+## Additional context
+`;
+const FILES = [
+    { rel: 'CONTRIBUTING.md', content: CONTRIBUTING },
+    { rel: 'SECURITY.md', content: SECURITY },
+    { rel: '.github/PULL_REQUEST_TEMPLATE.md', content: PULL_REQUEST_TEMPLATE },
+    { rel: '.github/ISSUE_TEMPLATE/bug_report.md', content: BUG_REPORT },
+    { rel: '.github/ISSUE_TEMPLATE/feature_request.md', content: FEATURE_REQUEST },
+];
+/**
+ * Scaffold GitHub community-health files. Safe-add: existing files are left
+ * untouched (the user owns them once written). Returns the list of files
+ * actually created.
+ */
+export async function generateCommunityHealth(targetDir) {
+    const written = [];
+    for (const { rel, content } of FILES) {
+        const filepath = path.join(targetDir, rel);
+        if (await fs.pathExists(filepath))
+            continue;
+        await fs.ensureDir(path.dirname(filepath));
+        await fs.writeFile(filepath, content);
+        written.push(rel);
+    }
+    return written;
+}

package/dist/cli/generators/github-actions.js

@@ -48,15 +48,15 @@ jobs:
       cache-key: \${{ steps.cache-key.outputs.key }}
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
@@ -65,7 +65,7 @@ jobs:
         run: echo "key=\${{ runner.os }}-pnpm-\${{ hashFiles('**/pnpm-lock.yaml') }}" >> $GITHUB_OUTPUT
 
       - name: 📦 Cache dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store
@@ -83,20 +83,20 @@ jobs:
     if: needs.check-skip.outputs.should-skip != 'true'
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
       - name: 📦 Restore dependencies cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store
@@ -113,20 +113,20 @@ ${hasTypeScript
     if: needs.check-skip.outputs.should-skip != 'true'
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
       - name: 📦 Restore dependencies cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store
@@ -144,20 +144,20 @@ ${hasTests
     if: needs.check-skip.outputs.should-skip != 'true'
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
       - name: 📦 Restore dependencies cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store
@@ -175,20 +175,20 @@ ${hasBuild
     if: needs.check-skip.outputs.should-skip != 'true'
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
       - name: 📦 Restore dependencies cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store
@@ -199,7 +199,7 @@ ${hasBuild
         run: pnpm build
 
       - name: 📦 Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: build-artifacts
           path: |
@@ -221,24 +221,24 @@ ${isLibrary && config.semanticRelease
       id-token: write
     steps:
       - name: 📦 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           fetch-depth: 0
           token: \${{ secrets.GITHUB_TOKEN }}
 
       - name: 📦 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           registry-url: 'https://registry.npmjs.org'
 
       - name: 📦 Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           version: latest
 
       - name: 📦 Restore dependencies cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.pnpm-store

package/dist/cli/generators/gitlab-ci.js

@@ -59,7 +59,7 @@ function renderGitLabCI(config) {
     return `# .gitlab-ci.yml — generated by @rtorcato/js-tooling
 # Customize stages and jobs to fit your pipeline.
 
-image: node:20
+image: node:22
 
 stages:
 ${stages.map((s) => `  - ${s}`).join('\n')}

package/dist/cli/generators/linting.js

@@ -32,7 +32,7 @@ export async function generateBiomeConfig(targetDir) {
     // keys here forced consumers to run `biome migrate` before `biome check`
     // would run at all.
     const biomeConfig = {
-        $schema: 'https://biomejs.dev/schemas/2.3.0/schema.json',
+        $schema: 'https://biomejs.dev/schemas/2.5.0/schema.json',
         extends: ['@rtorcato/js-tooling/biome'],
     };
     await fs.writeJson(biomeConfigPath, biomeConfig, { spaces: 2 });

package/dist/cli/generators/security.js

@@ -75,7 +75,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3

package/dist/cli/generators/typedoc.js

@@ -10,9 +10,9 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v7
+      - uses: pnpm/action-setup@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: pnpm

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rtorcato/js-tooling",
-	"version": "2.19.1",
+	"version": "2.20.0",
 	"description": "JavaScript and TypeScript tooling for Node.js, React, Next.js, and Vitest.",
 	"type": "module",
 	"keywords": [
@@ -175,7 +175,8 @@
 		"./tests/ssr-safety": {
 			"types": "./tooling/tests/ssr-safety.d.mts",
 			"import": "./tooling/tests/ssr-safety.mjs"
-		}
+		},
+		"./package.json": "./package.json"
 	},
 	"dependencies": {
 		"chalk": "^5.6.2",

package/tooling/biome/biome.json

@@ -1,5 +1,5 @@
 {
-	"$schema": "https://biomejs.dev/schemas/2.3.0/schema.json",
+	"$schema": "https://biomejs.dev/schemas/2.5.0/schema.json",
 	"vcs": {
 		"enabled": false,
 		"clientKind": "git",
@@ -27,7 +27,7 @@
 	"linter": {
 		"enabled": true,
 		"rules": {
-			"recommended": true,
+			"preset": "recommended",
 			"style": {
 				"noInferrableTypes": "off"
 			},

package/tooling/semantic-release/github.mjs

@@ -51,8 +51,11 @@ export default {
 				changelogFile: 'CHANGELOG.md',
 			},
 		],
-		['@semantic-release/npm', { npmPublish: true, pkgRoot: '.' }],
-		// NPM plugin to publish the package
+		// npm publishing is opt-in via NPM_TOKEN: a repo that provides the token
+		// (e.g. js-tooling's own CI) publishes; one that doesn't (GitHub-releases
+		// only) gets a green release instead of an EINVALIDNPMTOKEN failure. The
+		// version in package.json is still bumped either way.
+		['@semantic-release/npm', { npmPublish: Boolean(process.env.NPM_TOKEN), pkgRoot: '.' }],
 		[
 			'@semantic-release/git',
 			{

package/tooling/semantic-release/index.mjs

@@ -52,8 +52,11 @@ export default {
 				changelogFile: 'CHANGELOG.md',
 			},
 		],
-		['@semantic-release/npm', { npmPublish: true, pkgRoot: '.' }],
-		// NPM plugin to publish the package
+		// npm publishing is opt-in via NPM_TOKEN: a repo that provides the token
+		// publishes; one that doesn't (GitLab releases only) gets a green release
+		// instead of an EINVALIDNPMTOKEN failure. The version in package.json is
+		// still bumped either way.
+		['@semantic-release/npm', { npmPublish: Boolean(process.env.NPM_TOKEN), pkgRoot: '.' }],
 		[
 			'@semantic-release/git',
 			{