npm - @skilly-hand/skilly-hand - Versions diffs - 0.19.0 → 0.20.0 - Mend

@skilly-hand/skilly-hand 0.19.0 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +21 -0
package/README.md +4 -0
package/package.json +6 -4
package/packages/catalog/package.json +1 -1
package/packages/cli/package.json +1 -1
package/packages/core/package.json +1 -1
package/packages/detectors/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -16,6 +16,27 @@ All notable changes to this project are documented in this file.
 ### Removed
 - _None._
+## [0.20.0] - 2026-04-11
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.20.0)
+### Added
+- Added `scripts/dependency-policy-check.mjs` and `deps:policy:check` to enforce exact runtime dependency pins plus synchronized `package-lock.json`/`npm-shrinkwrap.json`.
+- Added `scripts/dependency-update-safe.mjs` and `deps:update:safe` to enforce safe dependency upgrades with full validation gates.
+- Added `npm-shrinkwrap.json` to the repository and release workflow for npm lockfile parity.
+- Added regression test coverage for dependency policy checks, safe dependency update flow, and managed git hook installation behavior.
+### Changed
+- Updated `verify:publish` to run dependency policy checks before security, catalog, test, and packlist gates.
+- Updated `scripts/setup-hooks.mjs` to install both managed `pre-commit` and `pre-push` hooks with safety checks for foreign hooks.
+- Updated `scripts/dependency-security-check.mjs` to recognize `npm-shrinkwrap.json` as a valid npm lockfile.
+- Updated docs with dependency update policy guidance and hook setup requirements.
+### Fixed
+- Expanded script JSON contract tests to cover `dependency-policy-check`.
+### Removed
+- _None._
 ## [0.19.0] - 2026-04-11
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.19.0)

package/README.md CHANGED Viewed

@@ -105,6 +105,10 @@ See [catalog/README.md](./catalog/README.md) for generated skill metadata.
 - `npm run security:check` runs repository secret/config checks plus strict dependency security checks.
 - `npm run security:deps` runs strict dependency audit + outdated reporting only.
+- `npm run deps:policy:check` enforces exact runtime dependency pins and lockfile sync (`package-lock.json` + `npm-shrinkwrap.json`).
+- `npm run deps:update:safe -- <pkg[@version]>` is the required dependency update path; it pins exact versions, syncs shrinkwrap, and blocks completion unless all validation gates pass.
+- Do not use raw `npm install` for dependency upgrades in this repo; use `deps:update:safe` so tests and security gates run before accepting version changes.
+- Run `npm run setup:hooks` once per clone to install `pre-commit` (fast checks) and `pre-push` (full gate) hooks.
 ---

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {
@@ -29,11 +29,13 @@
     "catalog:sync": "node ./scripts/sync-catalog.mjs",
     "agentic:self:sync": "node ./scripts/sync-self-agentic.mjs",
     "test": "node --test tests/*.test.js && node ./scripts/test-in-sandbox.mjs",
+    "deps:policy:check": "node ./scripts/dependency-policy-check.mjs",
+    "deps:update:safe": "node ./scripts/dependency-update-safe.mjs",
     "security:deps": "node ./scripts/dependency-security-check.mjs --strict",
     "security:check": "node ./scripts/security-check.mjs --strict-deps",
     "verify:packlist": "node ./scripts/verify-packlist.mjs",
     "verify:versions": "node ./scripts/verify-versions.mjs",
-    "verify:publish": "npm run verify:versions && npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
+    "verify:publish": "npm run verify:versions && npm run deps:policy:check && npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
     "publish:prepare": "npm run verify:publish && npm pack --dry-run --json",
     "publish:otp": "node ./scripts/publish-with-otp.mjs",
     "publish:next": "node ./scripts/publish-with-otp.mjs --tag next",
@@ -47,7 +49,7 @@
     "doctor": "node ./packages/cli/src/bin.js doctor"
   },
   "dependencies": {
-    "ink": "^5.2.1",
-    "react": "^18.3.1"
+    "ink": "5.2.1",
+    "react": "18.3.1"
   }
 }

package/packages/catalog/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/catalog",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "private": true,
   "type": "module"
 }

package/packages/cli/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/cli",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "private": true,
   "type": "module",
   "bin": {

package/packages/core/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/core",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "private": true,
   "type": "module"
 }

package/packages/detectors/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/detectors",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "private": true,
   "type": "module"
 }