@varlock/bumpy 1.8.1 → 1.9.2

package/README.md

@@ -50,7 +50,7 @@ Fixed locale fallback logic in utils.
 
 - **All package managers** - npm, pnpm, yarn, and bun workspaces
 - **Smart dependency propagation** - configurable rules for how version bumps cascade through your dependency graph (see [version propagation docs](https://github.com/dmno-dev/bumpy/blob/main/docs/version-propagation.md))
-- **Pack-then-publish** - by default, publishes to npm (resolving `workspace:` and `catalog:` protocols, with OIDC/provenance support). Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
+- **Pack-then-publish** - by default, publishes to npm (resolving `workspace:` and `catalog:` protocols, with OIDC/provenance support). Supports [npm staged publishing](https://docs.npmjs.com/staged-publishing) for 2FA-gated releases. Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
 - **Flexible package management** - include/exclude any package individually via per-package config, glob patterns, or `privatePackages` setting
 - **Non-interactive CLI** - `bumpy add` works fully non-interactively for CI/CD and AI-assisted development
 - **Aggregated GitHub releases** - optionally create a single consolidated release instead of one per package
@@ -121,7 +121,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-      id-token: write # required for npm trusted publishing (OIDC)
+      id-token: write # required for npm trusted publishing (OIDC) and provenance
     steps:
       - uses: actions/checkout@v6
         with:
@@ -129,7 +129,8 @@ jobs:
       - uses: oven-sh/setup-bun@v2
       - uses: actions/setup-node@v6
         with:
-          node-version: lts/*
+          node-version: latest
+      - run: npm install -g npm@latest # ensure npm >= 11.15.0 for OIDC/staged publishing
       - run: bun install
       - run: bunx @varlock/bumpy ci release
         env:
@@ -137,7 +138,7 @@ jobs:
           BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }} # PAT so that version PR triggers CI
 ```
 
-> **Trusted publishing setup:** Configure each package on [npmjs.com](https://docs.npmjs.com/trusted-publishers/) → Package Settings → Trusted Publishers → GitHub Actions. Specify your org/user, repo, and the workflow filename (`bumpy-release.yml`). No `NPM_TOKEN` secret needed. Requires npm >= 11.5.1 - bumpy will warn if your version is too old.
+> **Trusted publishing setup:** Configure each package on [npmjs.com](https://docs.npmjs.com/trusted-publishers/) → Package Settings → Trusted Publishers → GitHub Actions. Specify your org/user, repo, and the workflow filename (`bumpy-release.yml`). No `NPM_TOKEN` secret needed. Enable `provenance` and `npmStaged` in your [publish config](https://github.com/dmno-dev/bumpy/blob/main/docs/configuration.md#staged-publishing) for maximum security.
 
 <details>
 <summary>Alternative: token-based auth (NPM_TOKEN secret)</summary>

package/dist/{add-BL_7iHAo.mjs → add-t_nY85Lo.mjs}

@@ -1,11 +1,11 @@
 import { n as log, r as require_picocolors, s as __toESM } from "./logger-BgksGFuf.mjs";
 import { n as exists, t as ensureDir } from "./fs-CBXKZhoU.mjs";
-import { a as loadConfig, o as loadPackageConfig, r as getBumpyDir } from "./config-gMu1z0bz.mjs";
-import { a as writeBumpFile, o as discoverPackages, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-BbiqKKZg.mjs";
+import { a as loadConfig, o as loadPackageConfig, r as getBumpyDir } from "./config-48u1NbKv.mjs";
+import { a as writeBumpFile, o as discoverPackages, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B_7P2UZO.mjs";
 import { r as getChangedFiles } from "./git-CpJqzpp-.mjs";
 import { l as pt, o as gt, r as Ot, s as mt, t as unwrap, u as wt } from "./clack-W95rXis0.mjs";
 import { n as slugify, t as randomName } from "./names-COooXAFg.mjs";
-import { n as findChangedPackages, r as require_picomatch } from "./check-CcRjFgSY.mjs";
+import { n as findChangedPackages, r as require_picomatch } from "./check-0vJJPD24.mjs";
 import { relative, resolve } from "node:path";
 import * as readline from "node:readline";
 //#region src/prompts/bump-select.ts

package/dist/{apply-release-plan-DncfboRW.mjs → apply-release-plan-D9wl4Q0H.mjs}

@@ -1,6 +1,6 @@
 import { a as readJson, c as removeFile, f as writeText, i as listFiles, l as updateJsonFields, n as exists, s as readText, u as updateJsonNestedField } from "./fs-CBXKZhoU.mjs";
-import { r as getBumpyDir } from "./config-gMu1z0bz.mjs";
-import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry } from "./changelog-CFWf9s2q.mjs";
+import { r as getBumpyDir } from "./config-48u1NbKv.mjs";
+import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry } from "./changelog-LaYJ7aUa.mjs";
 import { resolve } from "node:path";
 //#region src/core/apply-release-plan.ts
 /** Apply the release plan: bump versions, update changelogs, delete bump files */

package/dist/{bump-file-BbiqKKZg.mjs → bump-file-B_7P2UZO.mjs}

@@ -1,5 +1,5 @@
 import { a as readJson, f as writeText, i as listFiles, n as exists, s as readText } from "./fs-CBXKZhoU.mjs";
-import { i as isPackageManaged, o as loadPackageConfig, r as getBumpyDir } from "./config-gMu1z0bz.mjs";
+import { i as isPackageManaged, o as loadPackageConfig, r as getBumpyDir } from "./config-48u1NbKv.mjs";
 import { i as jsYaml, n as detectWorkspaces } from "./package-manager-BQPwXwu5.mjs";
 import { s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { relative, resolve } from "node:path";

package/dist/{changelog-CFWf9s2q.mjs → changelog-LaYJ7aUa.mjs}

@@ -1,5 +1,5 @@
 import { n as log } from "./logger-BgksGFuf.mjs";
-import { c as maxBump, t as BUMP_LEVELS } from "./types-CAwBhUsn.mjs";
+import { c as maxBump, t as BUMP_LEVELS } from "./types-DMdVeeEm.mjs";
 import { relative, resolve } from "node:path";
 import { realpathSync } from "node:fs";
 //#region src/core/changelog.ts
@@ -45,7 +45,7 @@ const defaultFormatter = (ctx) => {
 const BUILTIN_FORMATTERS = {
 	default: defaultFormatter,
 	github: async () => {
-		const { createGithubFormatter } = await import("./changelog-github-T5LqaTwV.mjs");
+		const { createGithubFormatter } = await import("./changelog-github-BXEhPeiW.mjs");
 		return createGithubFormatter();
 	}
 };
@@ -56,7 +56,7 @@ const BUILTIN_FORMATTERS = {
 async function loadFormatter(changelog, rootDir) {
 	const [name, options] = Array.isArray(changelog) ? changelog : [changelog, {}];
 	if (name === "github") {
-		const { createGithubFormatter } = await import("./changelog-github-T5LqaTwV.mjs");
+		const { createGithubFormatter } = await import("./changelog-github-BXEhPeiW.mjs");
 		return createGithubFormatter(options);
 	}
 	if (typeof name === "string" && BUILTIN_FORMATTERS[name]) {

package/dist/{changelog-github-T5LqaTwV.mjs → changelog-github-BXEhPeiW.mjs}

@@ -1,6 +1,6 @@
-import { c as maxBump } from "./types-CAwBhUsn.mjs";
+import { c as maxBump } from "./types-DMdVeeEm.mjs";
 import { s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { o as sortBumpFilesByType, r as getBumpTypeForPackage } from "./changelog-CFWf9s2q.mjs";
+import { o as sortBumpFilesByType, r as getBumpTypeForPackage } from "./changelog-LaYJ7aUa.mjs";
 //#region src/core/changelog-github.ts
 /** Authors filtered from "Thanks" attribution by default (e.g. bots) */
 /** Authors filtered from "Thanks" attribution by default (e.g. AI/automation bots) */

package/dist/{check-CcRjFgSY.mjs → check-0vJJPD24.mjs}

@@ -1,6 +1,6 @@
 import { a as __exportAll, i as __commonJSMin, n as log, s as __toESM, t as colorize } from "./logger-BgksGFuf.mjs";
-import { a as loadConfig, o as loadPackageConfig, r as getBumpyDir } from "./config-gMu1z0bz.mjs";
-import { r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-BbiqKKZg.mjs";
+import { a as loadConfig, o as loadPackageConfig, r as getBumpyDir } from "./config-48u1NbKv.mjs";
+import { r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B_7P2UZO.mjs";
 import { a as getFileStatuses, r as getChangedFiles } from "./git-CpJqzpp-.mjs";
 import { relative } from "node:path";
 //#region ../../node_modules/.bun/picomatch@4.0.4/node_modules/picomatch/lib/constants.js

package/dist/{ci-BWxlSnSN.mjs → ci-CHIpKtvI.mjs}

@@ -1,12 +1,12 @@
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
-import { a as loadConfig } from "./config-gMu1z0bz.mjs";
+import { a as loadConfig } from "./config-48u1NbKv.mjs";
 import { t as detectPackageManager } from "./package-manager-BQPwXwu5.mjs";
-import { i as recoverDeletedBumpFiles, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-BbiqKKZg.mjs";
-import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-7ApKPR6T.mjs";
+import { i as recoverDeletedBumpFiles, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B_7P2UZO.mjs";
+import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-s1o52Rc-.mjs";
 import { n as runArgs, r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { d as withGitToken, r as getChangedFiles } from "./git-CpJqzpp-.mjs";
 import { t as randomName } from "./names-COooXAFg.mjs";
-import { n as findChangedPackages } from "./check-CcRjFgSY.mjs";
+import { n as findChangedPackages } from "./check-0vJJPD24.mjs";
 import { t as resolveCommitMessage } from "./commit-message-CSWVKPJ-.mjs";
 import { appendFileSync, mkdirSync, writeFileSync } from "node:fs";
 import { createHash } from "node:crypto";
@@ -155,7 +155,7 @@ async function ciPlanCommand(rootDir) {
 			packageNames: plan.releases.map((r) => r.name)
 		};
 	} else {
-		const { findUnpublishedPackages } = await import("./publish-CbvWNkjU.mjs");
+		const { findUnpublishedPackages } = await import("./publish-CI7o7EEI.mjs");
 		const unpublished = await findUnpublishedPackages(packages, config);
 		if (unpublished.length > 0) output = {
 			mode: "publish",
@@ -226,7 +226,7 @@ async function ciReleaseCommand(rootDir, opts) {
 	if (bumpFiles.length === 0) {
 		log.info("No pending bump files — checking for unpublished packages...");
 		const recoveredBumpFiles = recoverDeletedBumpFiles(rootDir);
-		const { publishCommand } = await import("./publish-CbvWNkjU.mjs");
+		const { publishCommand } = await import("./publish-CI7o7EEI.mjs");
 		await publishCommand(rootDir, {
 			tag: opts.tag,
 			recoveredBumpFiles
@@ -243,7 +243,7 @@ async function ciReleaseCommand(rootDir, opts) {
 }
 async function autoPublish(rootDir, config, plan, tag) {
 	log.step("Running bumpy version...");
-	const { versionCommand } = await import("./version-DFCrc_fz.mjs");
+	const { versionCommand } = await import("./version-C7uFKayK.mjs");
 	await versionCommand(rootDir);
 	log.step("Committing version changes...");
 	runArgs([
@@ -272,7 +272,7 @@ async function autoPublish(rootDir, config, plan, tag) {
 		], { cwd: rootDir });
 	}
 	log.step("Running bumpy publish...");
-	const { publishCommand } = await import("./publish-CbvWNkjU.mjs");
+	const { publishCommand } = await import("./publish-CI7o7EEI.mjs");
 	await publishCommand(rootDir, { tag });
 }
 /**
@@ -346,7 +346,7 @@ async function createVersionPr(rootDir, plan, config, packageDirs, branchName) {
 		branch
 	], { cwd: rootDir });
 	log.step("Running bumpy version...");
-	const { versionCommand } = await import("./version-DFCrc_fz.mjs");
+	const { versionCommand } = await import("./version-C7uFKayK.mjs");
 	await versionCommand(rootDir);
 	runArgs([
 		"git",

package/dist/cli.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
-import { n as findRoot } from "./config-gMu1z0bz.mjs";
+import { n as findRoot } from "./config-48u1NbKv.mjs";
 //#region src/cli.ts
 const args = process.argv.slice(2);
 const command = args[0];
@@ -31,7 +31,7 @@ async function main() {
 			}
 			case "add": {
 				const rootDir = await findRoot();
-				const { addCommand } = await import("./add-BL_7iHAo.mjs");
+				const { addCommand } = await import("./add-t_nY85Lo.mjs");
 				await addCommand(rootDir, {
 					packages: flags.packages,
 					message: flags.message,
@@ -43,7 +43,7 @@ async function main() {
 			}
 			case "status": {
 				const rootDir = await findRoot();
-				const { statusCommand } = await import("./status-C02g_WIx.mjs");
+				const { statusCommand } = await import("./status-BvemGN6p.mjs");
 				await statusCommand(rootDir, {
 					json: flags.json === true,
 					packagesOnly: flags.packages === true,
@@ -55,13 +55,13 @@ async function main() {
 			}
 			case "version": {
 				const rootDir = await findRoot();
-				const { versionCommand } = await import("./version-DFCrc_fz.mjs");
+				const { versionCommand } = await import("./version-C7uFKayK.mjs");
 				await versionCommand(rootDir, { commit: flags.commit === true });
 				break;
 			}
 			case "generate": {
 				const rootDir = await findRoot();
-				const { generateCommand } = await import("./generate-BfLL5AfI.mjs");
+				const { generateCommand } = await import("./generate-zNgPV9rR.mjs");
 				await generateCommand(rootDir, {
 					from: flags.from,
 					dryRun: flags["dry-run"] === true,
@@ -71,7 +71,7 @@ async function main() {
 			}
 			case "check": {
 				const rootDir = await findRoot();
-				const { checkCommand } = await import("./check-CcRjFgSY.mjs").then((n) => n.t);
+				const { checkCommand } = await import("./check-0vJJPD24.mjs").then((n) => n.t);
 				const hookValue = flags.hook;
 				if (hookValue && hookValue !== "pre-commit" && hookValue !== "pre-push") {
 					log.error(`Invalid --hook value "${hookValue}". Expected "pre-commit" or "pre-push".`);
@@ -89,17 +89,17 @@ async function main() {
 				const subcommand = args[1];
 				const ciFlags = parseFlags(args.slice(2));
 				if (subcommand === "check") {
-					const { ciCheckCommand } = await import("./ci-BWxlSnSN.mjs");
+					const { ciCheckCommand } = await import("./ci-CHIpKtvI.mjs");
 					await ciCheckCommand(rootDir, {
 						comment: ciFlags.comment !== void 0 ? ciFlags.comment === true : void 0,
 						strict: ciFlags.strict === true,
 						noFail: ciFlags["no-fail"] === true
 					});
 				} else if (subcommand === "plan") {
-					const { ciPlanCommand } = await import("./ci-BWxlSnSN.mjs");
+					const { ciPlanCommand } = await import("./ci-CHIpKtvI.mjs");
 					await ciPlanCommand(rootDir);
 				} else if (subcommand === "release") {
-					const { ciReleaseCommand } = await import("./ci-BWxlSnSN.mjs");
+					const { ciReleaseCommand } = await import("./ci-CHIpKtvI.mjs");
 					await ciReleaseCommand(rootDir, {
 						mode: ciFlags["auto-publish"] === true ? "auto-publish" : "version-pr",
 						tag: ciFlags.tag,
@@ -116,7 +116,7 @@ async function main() {
 			}
 			case "publish": {
 				const rootDir = await findRoot();
-				const { publishCommand } = await import("./publish-CbvWNkjU.mjs");
+				const { publishCommand } = await import("./publish-CI7o7EEI.mjs");
 				await publishCommand(rootDir, {
 					dryRun: flags["dry-run"] === true,
 					tag: flags.tag,
@@ -140,7 +140,7 @@ async function main() {
 			}
 			case "--version":
 			case "-v":
-				console.log(`bumpy 1.8.1`);
+				console.log(`bumpy 1.9.2`);
 				break;
 			case "help":
 			case "--help":
@@ -160,7 +160,7 @@ async function main() {
 }
 function printHelp() {
 	console.log(`
-  ${colorize(`🐸 bumpy v1.8.1`, "bold")} - Modern monorepo versioning
+  ${colorize(`🐸 bumpy v1.9.2`, "bold")} - Modern monorepo versioning
 
   Usage: bumpy <command> [options]
 

package/dist/{config-gMu1z0bz.mjs → config-48u1NbKv.mjs}

@@ -1,6 +1,6 @@
 import { a as __exportAll } from "./logger-BgksGFuf.mjs";
 import { a as readJson, n as exists, o as readJsonc } from "./fs-CBXKZhoU.mjs";
-import { l as normalizeCascadeConfig, r as DEFAULT_CONFIG } from "./types-CAwBhUsn.mjs";
+import { l as normalizeCascadeConfig, r as DEFAULT_CONFIG } from "./types-DMdVeeEm.mjs";
 import { resolve } from "node:path";
 //#region src/core/config.ts
 var config_exports = /* @__PURE__ */ __exportAll({

package/dist/{generate-BfLL5AfI.mjs → generate-zNgPV9rR.mjs}

@@ -1,7 +1,7 @@
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
 import { t as ensureDir } from "./fs-CBXKZhoU.mjs";
-import { a as loadConfig, r as getBumpyDir } from "./config-gMu1z0bz.mjs";
-import { a as writeBumpFile, o as discoverPackages } from "./bump-file-BbiqKKZg.mjs";
+import { a as loadConfig, r as getBumpyDir } from "./config-48u1NbKv.mjs";
+import { a as writeBumpFile, o as discoverPackages } from "./bump-file-B_7P2UZO.mjs";
 import { s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { n as getBranchCommits, o as getFilesChangedInCommit } from "./git-CpJqzpp-.mjs";
 import { n as slugify, t as randomName } from "./names-COooXAFg.mjs";

package/dist/index.d.mts

@@ -38,6 +38,20 @@ interface PublishConfig {
    * Default: "pack"
    */
   protocolResolution: 'pack' | 'in-place' | 'none';
+  /**
+   * Attach provenance attestation when publishing via npm.
+   * Requires a supported CI environment with OIDC (GitHub Actions, GitLab CI, etc.).
+   * Only works with publishManager "npm".
+   * Default: false
+   */
+  provenance: boolean;
+  /**
+   * Use npm staged publishing (`npm stage publish`).
+   * Stages the publish on npmjs.com, requiring manual 2FA approval before going live.
+   * Only works with publishManager "npm" and requires npm >= 11.15.0.
+   * Default: false
+   */
+  npmStaged: boolean;
 }
 interface BumpyConfig {
   baseBranch: string;

package/dist/index.mjs

@@ -1,8 +1,8 @@
-import { a as DEP_TYPES, c as maxBump, i as DEFAULT_PUBLISH_CONFIG, l as normalizeCascadeConfig, n as DEFAULT_BUMP_RULES, o as bumpLevel, r as DEFAULT_CONFIG, s as hasCascade, t as BUMP_LEVELS } from "./types-CAwBhUsn.mjs";
-import { a as loadConfig, n as findRoot, r as getBumpyDir, s as matchGlob } from "./config-gMu1z0bz.mjs";
-import { a as writeBumpFile, n as parseBumpFile, o as discoverPackages, r as readBumpFiles } from "./bump-file-BbiqKKZg.mjs";
-import { a as DependencyGraph, i as stripProtocol, n as bumpVersion, r as satisfies, t as assembleReleasePlan } from "./release-plan-7ApKPR6T.mjs";
-import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry, t as defaultFormatter } from "./changelog-CFWf9s2q.mjs";
-import { t as applyReleasePlan } from "./apply-release-plan-DncfboRW.mjs";
-import { t as publishPackages } from "./publish-pipeline-D99nLAtI.mjs";
+import { a as DEP_TYPES, c as maxBump, i as DEFAULT_PUBLISH_CONFIG, l as normalizeCascadeConfig, n as DEFAULT_BUMP_RULES, o as bumpLevel, r as DEFAULT_CONFIG, s as hasCascade, t as BUMP_LEVELS } from "./types-DMdVeeEm.mjs";
+import { a as loadConfig, n as findRoot, r as getBumpyDir, s as matchGlob } from "./config-48u1NbKv.mjs";
+import { a as writeBumpFile, n as parseBumpFile, o as discoverPackages, r as readBumpFiles } from "./bump-file-B_7P2UZO.mjs";
+import { a as DependencyGraph, i as stripProtocol, n as bumpVersion, r as satisfies, t as assembleReleasePlan } from "./release-plan-s1o52Rc-.mjs";
+import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry, t as defaultFormatter } from "./changelog-LaYJ7aUa.mjs";
+import { t as applyReleasePlan } from "./apply-release-plan-D9wl4Q0H.mjs";
+import { t as publishPackages } from "./publish-pipeline-DpmTVsnX.mjs";
 export { BUMP_LEVELS, DEFAULT_BUMP_RULES, DEFAULT_CONFIG, DEFAULT_PUBLISH_CONFIG, DEP_TYPES, DependencyGraph, applyReleasePlan, assembleReleasePlan, bumpLevel, bumpVersion, defaultFormatter, discoverPackages, findRoot, generateChangelogEntry, getBumpyDir, hasCascade, loadConfig, loadFormatter, matchGlob, maxBump, normalizeCascadeConfig, parseBumpFile, prependToChangelog, publishPackages, readBumpFiles, satisfies, stripProtocol, writeBumpFile };

package/dist/{publish-CbvWNkjU.mjs → publish-CI7o7EEI.mjs}

@@ -1,13 +1,13 @@
 import { n as log, o as __require, t as colorize } from "./logger-BgksGFuf.mjs";
-import { a as loadConfig } from "./config-gMu1z0bz.mjs";
+import { a as loadConfig } from "./config-48u1NbKv.mjs";
 import { n as detectWorkspaces } from "./package-manager-BQPwXwu5.mjs";
-import { s as discoverWorkspace } from "./bump-file-BbiqKKZg.mjs";
-import { a as DependencyGraph } from "./release-plan-7ApKPR6T.mjs";
+import { s as discoverWorkspace } from "./bump-file-B_7P2UZO.mjs";
+import { a as DependencyGraph } from "./release-plan-s1o52Rc-.mjs";
 import { r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-CFWf9s2q.mjs";
+import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-LaYJ7aUa.mjs";
 import { c as listTags, l as pushWithTags, s as hasUncommittedChanges } from "./git-CpJqzpp-.mjs";
-import { t as publishPackages } from "./publish-pipeline-D99nLAtI.mjs";
-import { CI_PLAN_CACHE_PATH } from "./ci-BWxlSnSN.mjs";
+import { t as publishPackages } from "./publish-pipeline-DpmTVsnX.mjs";
+import { CI_PLAN_CACHE_PATH } from "./ci-CHIpKtvI.mjs";
 //#region src/core/github-release.ts
 /** Get the current HEAD commit SHA */
 function getHeadSha(rootDir) {
@@ -197,7 +197,7 @@ async function publishCommand(rootDir, opts) {
 	}
 	let toPublish = await findUnpublishedWithCache(rootDir, packages, config);
 	if (opts.filter) {
-		const { matchGlob } = await import("./config-gMu1z0bz.mjs").then((n) => n.t);
+		const { matchGlob } = await import("./config-48u1NbKv.mjs").then((n) => n.t);
 		const patterns = opts.filter.split(",").map((p) => p.trim());
 		toPublish = toPublish.filter((r) => patterns.some((p) => matchGlob(r.name, p)));
 	}

package/dist/{publish-pipeline-D99nLAtI.mjs → publish-pipeline-DpmTVsnX.mjs}

@@ -1,7 +1,7 @@
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
 import { a as readJson, u as updateJsonNestedField } from "./fs-CBXKZhoU.mjs";
 import { r as resolveCatalogDep } from "./package-manager-BQPwXwu5.mjs";
-import { i as stripProtocol } from "./release-plan-7ApKPR6T.mjs";
+import { i as stripProtocol } from "./release-plan-s1o52Rc-.mjs";
 import { i as runAsync, o as sq, r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { t as createTag, u as tagExists } from "./git-CpJqzpp-.mjs";
 import { resolve } from "node:path";
@@ -28,6 +28,26 @@ const OIDC_NPM_UPGRADE_HINTS = {
 	gitlab: "Use a Node.js image with npm >= 11.5.1 or run `npm install -g npm@latest`",
 	circleci: "Use a Node.js image with npm >= 11.5.1 or run `sudo npm install -g npm@latest`"
 };
+/** Compare semver triples: returns true if version >= minimum */
+function npmVersionAtLeast(version, minimum) {
+	const [major, minor, patch] = version.split(".").map(Number);
+	const [minMajor, minMinor, minPatch] = minimum;
+	if (major > minMajor) return true;
+	if (major < minMajor) return false;
+	if (minor > minMinor) return true;
+	if (minor < minMinor) return false;
+	return patch >= minPatch;
+}
+const MIN_NPM_OIDC = [
+	11,
+	5,
+	1
+];
+const MIN_NPM_STAGED = [
+	11,
+	15,
+	0
+];
 /**
 * Set up npm authentication for publishing.
 *
@@ -50,13 +70,10 @@ function setupNpmAuth(rootDir, publishManager) {
 	const oidcProvider = detectOidcProvider();
 	if (oidcProvider) {
 		const npmVersion = tryRunArgs(["npm", "--version"]);
-		if (npmVersion) {
-			const [major, minor, patch] = npmVersion.split(".").map(Number);
-			if (!(major > 11 || major === 11 && (minor > 5 || minor === 5 && patch >= 1))) {
-				log.warn(`  npm ${npmVersion} detected — trusted publishing (OIDC) requires npm >= 11.5.1`);
-				log.warn(`  ${OIDC_NPM_UPGRADE_HINTS[oidcProvider]}`);
-			} else log.dim(`  OIDC detected (${oidcProvider}) — npm ${npmVersion} will authenticate via trusted publishing`);
-		}
+		if (npmVersion) if (!npmVersionAtLeast(npmVersion, MIN_NPM_OIDC)) {
+			log.warn(`  npm ${npmVersion} detected — trusted publishing (OIDC) requires npm >= ${MIN_NPM_OIDC.join(".")}`);
+			log.warn(`  ${OIDC_NPM_UPGRADE_HINTS[oidcProvider]}`);
+		} else log.dim(`  OIDC detected (${oidcProvider}) — npm ${npmVersion} will authenticate via trusted publishing`);
 		return;
 	}
 	const token = process.env.NODE_AUTH_TOKEN || process.env.NPM_TOKEN;
@@ -88,6 +105,14 @@ async function publishPackages(releasePlan, packages, depGraph, config, rootDir,
 	};
 	const publishConfig = config.publish;
 	setupNpmAuth(rootDir, publishConfig.publishManager);
+	if (publishConfig.provenance && publishConfig.publishManager !== "npm") throw new Error("provenance requires publishManager \"npm\" — provenance attestation is an npm-specific feature");
+	if (publishConfig.npmStaged) {
+		if (publishConfig.publishManager !== "npm") throw new Error("npmStaged requires publishManager \"npm\" — staged publishing is an npm-specific feature");
+		const npmVersion = tryRunArgs(["npm", "--version"]);
+		if (!npmVersion) throw new Error(`npmStaged is enabled but npm was not found — install npm >= ${MIN_NPM_STAGED.join(".")}`);
+		if (!npmVersionAtLeast(npmVersion, MIN_NPM_STAGED)) throw new Error(`npmStaged requires npm >= ${MIN_NPM_STAGED.join(".")} (found ${npmVersion})\n  Upgrade npm: npm install -g npm@latest`);
+		log.dim(`Staged publishing enabled — packages will require 2FA approval on npmjs.com`);
+	}
 	const packManager = publishConfig.packManager === "auto" ? detectedPm : publishConfig.packManager;
 	const topoOrder = depGraph.topologicalSort(packages);
 	const releaseMap = new Map(releasePlan.releases.map((r) => [r.name, r]));
@@ -200,13 +225,15 @@ function getPackArgs(pm) {
 function buildPublishArgs(pkg, pkgConfig, config, opts, tarball) {
 	const publishManager = config.publish.publishManager;
 	const args = [];
-	if (publishManager === "yarn") args.push("yarn", "npm", "publish");
+	if (config.publish.npmStaged && publishManager === "npm") args.push("npm", "stage", "publish");
+	else if (publishManager === "yarn") args.push("yarn", "npm", "publish");
 	else args.push(publishManager, "publish");
 	if (tarball) args.push(tarball);
 	const access = pkgConfig?.access || config.access;
 	args.push("--access", access);
 	if (pkgConfig?.registry) args.push("--registry", pkgConfig.registry);
 	if (opts.tag) args.push("--tag", opts.tag);
+	if (config.publish.provenance && publishManager === "npm") args.push("--provenance");
 	if (config.publish.publishArgs.length > 0) args.push(...config.publish.publishArgs);
 	return args;
 }

package/dist/{release-plan-7ApKPR6T.mjs → release-plan-s1o52Rc-.mjs}

@@ -1,6 +1,6 @@
 import { i as __commonJSMin, s as __toESM } from "./logger-BgksGFuf.mjs";
-import { c as maxBump, l as normalizeCascadeConfig, n as DEFAULT_BUMP_RULES, o as bumpLevel, s as hasCascade } from "./types-CAwBhUsn.mjs";
-import { s as matchGlob } from "./config-gMu1z0bz.mjs";
+import { c as maxBump, l as normalizeCascadeConfig, n as DEFAULT_BUMP_RULES, o as bumpLevel, s as hasCascade } from "./types-DMdVeeEm.mjs";
+import { s as matchGlob } from "./config-48u1NbKv.mjs";
 //#region src/core/dep-graph.ts
 var DependencyGraph = class {
 	/** Map from package name → packages that depend on it */

package/dist/{status-C02g_WIx.mjs → status-BvemGN6p.mjs}

@@ -1,7 +1,7 @@
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
-import { a as loadConfig } from "./config-gMu1z0bz.mjs";
-import { o as discoverPackages, r as readBumpFiles, t as filterBranchBumpFiles } from "./bump-file-BbiqKKZg.mjs";
-import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-7ApKPR6T.mjs";
+import { a as loadConfig } from "./config-48u1NbKv.mjs";
+import { o as discoverPackages, r as readBumpFiles, t as filterBranchBumpFiles } from "./bump-file-B_7P2UZO.mjs";
+import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-s1o52Rc-.mjs";
 import { i as getCurrentBranch, r as getChangedFiles } from "./git-CpJqzpp-.mjs";
 //#region src/commands/status.ts
 async function statusCommand(rootDir, opts) {
@@ -29,7 +29,7 @@ async function statusCommand(rootDir, opts) {
 		releases = releases.filter((r) => types.includes(r.type));
 	}
 	if (opts.filter) {
-		const { matchGlob } = await import("./config-gMu1z0bz.mjs").then((n) => n.t);
+		const { matchGlob } = await import("./config-48u1NbKv.mjs").then((n) => n.t);
 		const patterns = opts.filter.split(",").map((p) => p.trim());
 		releases = releases.filter((r) => patterns.some((p) => matchGlob(r.name, p)));
 	}

package/dist/{types-CAwBhUsn.mjs → types-DMdVeeEm.mjs}

@@ -49,6 +49,8 @@ const DEFAULT_PUBLISH_CONFIG = {
 	packManager: "auto",
 	publishManager: "npm",
 	publishArgs: [],
+	provenance: false,
+	npmStaged: false,
 	protocolResolution: "pack"
 };
 const DEFAULT_CONFIG = {

package/dist/{version-DFCrc_fz.mjs → version-C7uFKayK.mjs}

@@ -1,10 +1,10 @@
 import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
-import { a as loadConfig } from "./config-gMu1z0bz.mjs";
+import { a as loadConfig } from "./config-48u1NbKv.mjs";
 import { n as detectWorkspaces } from "./package-manager-BQPwXwu5.mjs";
-import { o as discoverPackages, r as readBumpFiles } from "./bump-file-BbiqKKZg.mjs";
-import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-7ApKPR6T.mjs";
+import { o as discoverPackages, r as readBumpFiles } from "./bump-file-B_7P2UZO.mjs";
+import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-s1o52Rc-.mjs";
 import { n as runArgs, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { t as applyReleasePlan } from "./apply-release-plan-DncfboRW.mjs";
+import { t as applyReleasePlan } from "./apply-release-plan-D9wl4Q0H.mjs";
 import { t as resolveCommitMessage } from "./commit-message-CSWVKPJ-.mjs";
 //#region src/commands/version.ts
 async function versionCommand(rootDir, opts = {}) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@varlock/bumpy",
-  "version": "1.8.1",
+  "version": "1.9.2",
   "description": "Modern monorepo versioning and changelog tool",
   "keywords": [
     "bump",