@visulima/vis 1.0.0-alpha.40 → 1.0.0-alpha.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/CHANGELOG.md +27 -0
  2. package/dist/bin.js +1 -1
  3. package/dist/binx.js +2 -2
  4. package/dist/config/index.d.ts +18 -0
  5. package/dist/packem_chunks/bin.js +202 -202
  6. package/dist/packem_chunks/handler10.js +1 -1
  7. package/dist/packem_chunks/handler12.js +1 -1
  8. package/dist/packem_chunks/handler13.js +1 -1
  9. package/dist/packem_chunks/handler14.js +1 -1
  10. package/dist/packem_chunks/handler15.js +1 -1
  11. package/dist/packem_chunks/handler16.js +1 -1
  12. package/dist/packem_chunks/handler17.js +1 -1
  13. package/dist/packem_chunks/handler18.js +1 -1
  14. package/dist/packem_chunks/handler19.js +1 -1
  15. package/dist/packem_chunks/handler21.js +1 -1
  16. package/dist/packem_chunks/handler27.js +1 -1
  17. package/dist/packem_chunks/handler28.js +1 -1
  18. package/dist/packem_chunks/handler29.js +1 -1
  19. package/dist/packem_chunks/handler30.js +1 -2
  20. package/dist/packem_chunks/handler31.js +2 -2
  21. package/dist/packem_chunks/handler32.js +2 -2
  22. package/dist/packem_chunks/handler33.js +2 -3
  23. package/dist/packem_chunks/handler34.js +3 -6
  24. package/dist/packem_chunks/handler35.js +6 -1
  25. package/dist/packem_chunks/handler36.js +1 -42
  26. package/dist/packem_chunks/handler37.js +42 -8
  27. package/dist/packem_chunks/handler38.js +8 -9
  28. package/dist/packem_chunks/handler39.js +9 -75
  29. package/dist/packem_chunks/handler4.js +1 -1
  30. package/dist/packem_chunks/handler40.js +75 -5
  31. package/dist/packem_chunks/handler41.js +5 -4
  32. package/dist/packem_chunks/handler42.js +4 -3
  33. package/dist/packem_chunks/handler43.js +3 -2
  34. package/dist/packem_chunks/handler44.js +2 -1
  35. package/dist/packem_chunks/handler45.js +1 -1
  36. package/dist/packem_chunks/handler46.js +1 -1
  37. package/dist/packem_chunks/handler47.js +1 -3
  38. package/dist/packem_chunks/handler48.js +3 -1
  39. package/dist/packem_chunks/handler49.js +1 -7
  40. package/dist/packem_chunks/handler5.js +1 -1
  41. package/dist/packem_chunks/handler50.js +6 -32
  42. package/dist/packem_chunks/handler51.js +33 -3
  43. package/dist/packem_chunks/handler52.js +3 -8
  44. package/dist/packem_chunks/handler53.js +6 -2
  45. package/dist/packem_chunks/handler54.js +4 -1
  46. package/dist/packem_chunks/handler55.js +1 -12
  47. package/dist/packem_chunks/handler56.js +11 -6
  48. package/dist/packem_chunks/handler57.js +7 -5
  49. package/dist/packem_chunks/handler58.js +5 -11
  50. package/dist/packem_chunks/handler59.js +11 -3
  51. package/dist/packem_chunks/handler60.js +3 -22
  52. package/dist/packem_chunks/handler61.js +21 -60
  53. package/dist/packem_chunks/handler62.js +61 -3
  54. package/dist/packem_chunks/handler63.js +3 -6
  55. package/dist/packem_chunks/handler64.js +6 -708
  56. package/dist/packem_chunks/handler65.js +708 -24
  57. package/dist/packem_chunks/handler66.js +24 -25
  58. package/dist/packem_chunks/handler67.js +25 -153
  59. package/dist/packem_chunks/handler68.js +153 -10
  60. package/dist/packem_chunks/handler69.js +10 -24
  61. package/dist/packem_chunks/handler70.js +24 -322
  62. package/dist/packem_chunks/handler71.js +322 -48
  63. package/dist/packem_chunks/handler72.js +48 -27
  64. package/dist/packem_chunks/handler73.js +27 -3
  65. package/dist/packem_chunks/handler74.js +3 -190
  66. package/dist/packem_chunks/handler75.js +189 -37
  67. package/dist/packem_chunks/handler76.js +38 -0
  68. package/dist/packem_chunks/handler8.js +1 -1
  69. package/dist/packem_chunks/handler9.js +1 -1
  70. package/dist/packem_chunks/heal-accept.js +1 -1
  71. package/dist/packem_chunks/help-command.js +1 -1
  72. package/dist/packem_chunks/list.js +1 -1
  73. package/dist/packem_chunks/loader.js +1 -1
  74. package/dist/packem_chunks/orchestrator.js +1 -1
  75. package/dist/packem_chunks/sync2.js +1 -1
  76. package/dist/packem_chunks/tripwire.js +1 -1
  77. package/dist/packem_chunks/verify-lockfile.js +1 -1
  78. package/dist/packem_chunks/version-resolver.js +1 -1
  79. package/dist/packem_shared/command-runtime-CR70qSUM.js +1 -0
  80. package/dist/packem_shared/{cyclonedx-kYozDyxp.js → cyclonedx-Cadls41z.js} +1 -1
  81. package/dist/packem_shared/{index-Du8RWawQ.js → index-3jMNqQom.js} +1 -1
  82. package/dist/packem_shared/index-Bt521H5J.js +30 -0
  83. package/dist/packem_shared/{index-CgcF6_wo.js → index-DGSsjmpV.js} +1 -1
  84. package/dist/packem_shared/{pm-runner-OGResYrA.js → pm-runner-BKZQo7Ts.js} +1 -1
  85. package/dist/packem_shared/{provenance-_CJjMKwu.js → provenance-BFEwKgI3.js} +1 -1
  86. package/dist/packem_shared/{resolve-explicit-CMDl55Nz.js → resolve-explicit-C6WM-I2u.js} +1 -1
  87. package/dist/packem_shared/{s1ngularity-Dhr3bPk0.js → s1ngularity-DCPmPE5M.js} +1 -1
  88. package/dist/packem_shared/{signatures-C730vkyK.js → signatures-Xpd6HjG_.js} +1 -1
  89. package/index.d.ts +201 -201
  90. package/index.js +26 -26
  91. package/package.json +13 -13
  92. package/schemas/vis-config.schema.json +12 -0
  93. package/dist/packem_shared/index-yBikBkHT.js +0 -30
@@ -1 +1 @@
1
- import{I as p,W as m}from"../packem_shared/pm-runner-OGResYrA.js";import{i as d}from"../packem_shared/utils-Cxree603.js";const v=async({argument:c,logger:l,options:e,visConfig:s,workspaceRoot:n})=>{const o=c;if(!o||o.length===0)throw new Error("No command specified. Usage: vis exec <command> [args...]");const[i,...t]=o,r=n??process.cwd(),f=p(r,{configBackend:s?.install?.backend,configCorepack:s?.install?.corepack}),a=m(f,{args:t,command:i,filter:d(e.filter),parallel:e.parallel||!1,recursive:e.recursive||!1,reverse:e.reverse||!1,shellMode:e.shellMode||!1,workspaceRoot:e.workspaceRoot||!1},r,l);a!==0&&(process.exitCode=a)};export{v as default};
1
+ import{I as p,W as d}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as g,a as k}from"../packem_shared/command-runtime-CR70qSUM.js";import{i as v}from"../packem_shared/utils-Cxree603.js";const h=async({argument:l,logger:a,options:e,visConfig:o,workspaceRoot:c})=>{const s=l;if(!s||s.length===0)throw new Error("No command specified. Usage: vis exec <command> [args...]");const[i,...t]=s,r=c??process.cwd(),m=g({logger:a,options:e,visConfig:o},r),f=p(r,{backend:k(m),configBackend:o?.install?.backend,configCorepack:o?.install?.corepack}),n=d(f,{args:t,command:i,filter:v(e.filter),parallel:e.parallel||!1,recursive:e.recursive||!1,reverse:e.reverse||!1,shellMode:e.shellMode||!1,workspaceRoot:e.workspaceRoot||!1},r,a);n!==0&&(process.exitCode=n)};export{h as default};
@@ -1 +1 @@
1
- import{I as g,P as l}from"../packem_shared/pm-runner-OGResYrA.js";const k=async({argument:e,logger:c,options:n,process:i,visConfig:a,workspaceRoot:r})=>{if(!e||e.length===0)throw new Error("No package specified. Usage: vis info <package> [field...]");const[p,...t]=e,s=r??i.cwd,f=g(s,{configBackend:a?.install?.backend,configCorepack:a?.install?.corepack}),o=l(f,{fields:t,json:n.json||!1,package:p},s,c);o!==0&&o!==1&&(process.exitCode=o)};export{k as default};
1
+ import{I as f,P as d}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as k,a as m}from"../packem_shared/command-runtime-CR70qSUM.js";const v=async({argument:o,logger:s,options:i,process:c,visConfig:e,workspaceRoot:r})=>{if(!o||o.length===0)throw new Error("No package specified. Usage: vis info <package> [field...]");const[t,...l]=o,a=r??c.cwd,p=k({logger:s,options:i,visConfig:e},a),g=f(a,{backend:m(p),configBackend:e?.install?.backend,configCorepack:e?.install?.corepack}),n=d(g,{fields:l,json:i.json||!1,package:t},a,s);n!==0&&n!==1&&(process.exitCode=n)};export{v as default};
@@ -1,4 +1,4 @@
1
- import{createRequire as A}from"node:module";import{m,y as N,f as $,T as S}from"../packem_shared/index-BDmTbWX1.js";import{b as F,q as h}from"./config.js";import{p as e}from"./bin.js";import{w as I}from"../packem_shared/pm-runner-OGResYrA.js";import{w as P}from"../packem_shared/build-scripts-CCCi8U66.js";import{O as R}from"../packem_shared/native-config-sync-BEkJW7g3.js";import{S as T}from"../packem_shared/min-release-age-D1alDE3K.js";const B=A(import.meta.url),g=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,x=t=>{if(typeof g<"u"&&g.versions&&g.versions.node){const[s,o]=g.versions.node.split(".").map(Number);if(s>22||s===22&&o>=3||s===20&&o>=16)return g.getBuiltinModule(t)}return B(t)},{execFileSync:E}=x("node:child_process"),{createInterface:M}=x("node:readline"),q=t=>{const s=[];return $(m(t,"turbo.json"))&&s.push("turborepo"),$(m(t,"nx.json"))&&s.push("nx"),$(m(t,".moon"))&&s.push("moon"),s},C=(t,s)=>new Promise(o=>{t.question(s,i=>{o(i.trim())})}),u=async(t,s,o=!0)=>{const i=await C(t,`${s} ${o?"[Y/n]":"[y/N]"} `);return i===""?o:i.toLowerCase()==="y"||i.toLowerCase()==="yes"},w=(t,s)=>{const o=[],i=Object.entries(s.allowBuilds).filter(([,l])=>l).map(([l])=>` "${l}": true,`).join(`
1
+ import{createRequire as A}from"node:module";import{m,y as N,f as $,T as S}from"../packem_shared/index-BDmTbWX1.js";import{b as F,q as h}from"./config.js";import{p as e}from"./bin.js";import{w as I}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{w as P}from"../packem_shared/build-scripts-CCCi8U66.js";import{O as R}from"../packem_shared/native-config-sync-BEkJW7g3.js";import{S as T}from"../packem_shared/min-release-age-D1alDE3K.js";const B=A(import.meta.url),g=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,x=t=>{if(typeof g<"u"&&g.versions&&g.versions.node){const[s,o]=g.versions.node.split(".").map(Number);if(s>22||s===22&&o>=3||s===20&&o>=16)return g.getBuiltinModule(t)}return B(t)},{execFileSync:E}=x("node:child_process"),{createInterface:M}=x("node:readline"),q=t=>{const s=[];return $(m(t,"turbo.json"))&&s.push("turborepo"),$(m(t,"nx.json"))&&s.push("nx"),$(m(t,".moon"))&&s.push("moon"),s},C=(t,s)=>new Promise(o=>{t.question(s,i=>{o(i.trim())})}),u=async(t,s,o=!0)=>{const i=await C(t,`${s} ${o?"[Y/n]":"[y/N]"} `);return i===""?o:i.toLowerCase()==="y"||i.toLowerCase()==="yes"},w=(t,s)=>{const o=[],i=Object.entries(s.allowBuilds).filter(([,l])=>l).map(([l])=>` "${l}": true,`).join(`
2
2
  `),a=[` installScripts: {
3
3
  allow: ${i?`{
4
4
  ${i}
@@ -1,4 +1,4 @@
1
- import{I as $,E as u,V as k,s as y}from"../packem_shared/Table-CcVkyULl-B_ef6zfS.js";import{p}from"./bin.js";import{r as N,M,a as R,b as S,c as x,d as A,e as V,f as b,g as C,h as E}from"../packem_shared/s1ngularity-Dhr3bPk0.js";import{g as P,a as j,r as B}from"../packem_shared/provenance-_CJjMKwu.js";import{r as D}from"../packem_shared/signatures-C730vkyK.js";const v=new Set(["archivedRepo","author","downloads","expiredDomains","metadata","newBin","provenance","s1ngularity","signatures"]),I=r=>{const s=r.trim();if(s==="")return;if(s.startsWith("@")){const o=s.indexOf("@",1);return o===-1?{name:s,spec:void 0}:{name:s.slice(0,o),spec:s.slice(o+1)||void 0}}const i=s.indexOf("@");return i===-1?{name:s,spec:void 0}:{name:s.slice(0,i),spec:s.slice(i+1)||void 0}},O=r=>{if(r===void 0||r.trim()==="")return;const s=new Set;for(const i of r.split(",")){const o=i.trim();if(!v.has(o))throw new Error(`Unknown marshall in --only: ${o}. Known: ${[...v].sort().join(", ")}.`);s.add(o)}return s},m=(r,s)=>r===void 0||r.has(s),F=r=>r?.has("signatures")??!1,H=async({argument:r,options:s,workspaceRoot:i})=>{if(!r||r.length===0)throw new Error("No package specified. Usage: vis inspect <package>[@<spec>]");const o=I(r[0]);if(o===void 0)throw new Error(`Invalid package argument: "${String(r[0])}". Usage: vis inspect <package>[@<spec>]`);const t=O(s.only),f=await P(o.name,{workspaceRoot:i});if(f===void 0){p.error(`Package ${o.name} not found in the registry.`),process.exitCode=2;return}const g=j(f,o.spec);if(g===void 0){p.error(`Could not resolve ${o.name}@${o.spec??"latest"} to a published version.`),process.exitCode=2;return}const c=[{name:o.name,version:g}],n=new M;if(m(t,"author")){const e=await N(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"author",message:a.message,packageName:a.packageName,severity:a.severity})}if(m(t,"provenance")){const e=await B(c);for(const a of e)n.add({marshall:"provenance",message:`Prior version ${a.priorVersionWithProvenance} had provenance but ${a.version} does not.`,packageName:a.packageName,severity:"error"})}if(m(t,"s1ngularity")){const e=await R(c,{workspaceRoot:i});for(const a of e){const d=a.hookChanges.map(w=>`${w.hook} (${w.kind})`).join(", "),l=a.hookChanges.length===1;n.add({marshall:"s1ngularity",message:`${a.version} ${l?"has an":"has"} install-script ${l?"change":"changes"} [${d}] AND dropped the provenance attestation that ${a.priorVersion} carried — this is the s1ngularity compromised-publish shape.`,packageName:a.packageName,severity:"error"})}}if(m(t,"newBin")){const e=await S(c);for(const a of e){const d=a.newBins.map(l=>l.command).join(", ");n.add({marshall:"newBin",message:`${a.toVersion} adds new bin script${a.newBins.length===1?"":"s"}: ${d} (prior: ${a.fromVersion}).`,packageName:a.packageName,severity:"warning"})}}if(m(t,"metadata")){const e=await x(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"metadata",message:`Missing/invalid metadata: ${a.issues.join(", ")}.`,packageName:a.packageName,severity:"warning"})}if(m(t,"downloads")){const e=await A([o.name]);for(const a of e){const d=a.downloadsLastMonth===void 0?"unknown":String(a.downloadsLastMonth);n.add({marshall:"downloads",message:a.kind==="no-data"?"npm stats API returned no monthly download data.":`Only ${d} downloads in the past month.`,packageName:a.packageName,severity:a.severity})}}if(m(t,"expiredDomains")){const e=await V(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"expiredDomains",message:a.kind==="expired"?`Maintainer email domain ${a.domain} (${a.maintainer}) is unregistered — potential hijack risk.`:`Could not verify maintainer email domain ${a.domain} (${a.maintainer}).`,packageName:a.packageName,severity:a.severity})}if(F(t)){const e=await D(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"signatures",message:a.message,packageName:a.packageName,severity:a.severity})}if(m(t,"archivedRepo")){const e=await b(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"archivedRepo",message:a.kind==="archived"?`Source repo ${a.owner}/${a.repo} is archived${a.archivedAt===void 0?"":` (since ${a.archivedAt})`}.`:`Source repo ${a.owner}/${a.repo} returned 404 from GitHub.`,packageName:a.packageName,severity:"warning"})}const h=n.all();if(s.json===!0)process.stdout.write(`${JSON.stringify(C(h),void 0,2)}
1
+ import{I as $,E as u,V as k,s as y}from"../packem_shared/Table-CcVkyULl-B_ef6zfS.js";import{p}from"./bin.js";import{r as N,M,a as R,b as S,c as x,d as A,e as V,f as b,g as C,h as E}from"../packem_shared/s1ngularity-DCPmPE5M.js";import{g as P,a as j,r as B}from"../packem_shared/provenance-BFEwKgI3.js";import{r as D}from"../packem_shared/signatures-Xpd6HjG_.js";const v=new Set(["archivedRepo","author","downloads","expiredDomains","metadata","newBin","provenance","s1ngularity","signatures"]),I=r=>{const s=r.trim();if(s==="")return;if(s.startsWith("@")){const o=s.indexOf("@",1);return o===-1?{name:s,spec:void 0}:{name:s.slice(0,o),spec:s.slice(o+1)||void 0}}const i=s.indexOf("@");return i===-1?{name:s,spec:void 0}:{name:s.slice(0,i),spec:s.slice(i+1)||void 0}},O=r=>{if(r===void 0||r.trim()==="")return;const s=new Set;for(const i of r.split(",")){const o=i.trim();if(!v.has(o))throw new Error(`Unknown marshall in --only: ${o}. Known: ${[...v].sort().join(", ")}.`);s.add(o)}return s},m=(r,s)=>r===void 0||r.has(s),F=r=>r?.has("signatures")??!1,H=async({argument:r,options:s,workspaceRoot:i})=>{if(!r||r.length===0)throw new Error("No package specified. Usage: vis inspect <package>[@<spec>]");const o=I(r[0]);if(o===void 0)throw new Error(`Invalid package argument: "${String(r[0])}". Usage: vis inspect <package>[@<spec>]`);const t=O(s.only),f=await P(o.name,{workspaceRoot:i});if(f===void 0){p.error(`Package ${o.name} not found in the registry.`),process.exitCode=2;return}const g=j(f,o.spec);if(g===void 0){p.error(`Could not resolve ${o.name}@${o.spec??"latest"} to a published version.`),process.exitCode=2;return}const c=[{name:o.name,version:g}],n=new M;if(m(t,"author")){const e=await N(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"author",message:a.message,packageName:a.packageName,severity:a.severity})}if(m(t,"provenance")){const e=await B(c);for(const a of e)n.add({marshall:"provenance",message:`Prior version ${a.priorVersionWithProvenance} had provenance but ${a.version} does not.`,packageName:a.packageName,severity:"error"})}if(m(t,"s1ngularity")){const e=await R(c,{workspaceRoot:i});for(const a of e){const d=a.hookChanges.map(w=>`${w.hook} (${w.kind})`).join(", "),l=a.hookChanges.length===1;n.add({marshall:"s1ngularity",message:`${a.version} ${l?"has an":"has"} install-script ${l?"change":"changes"} [${d}] AND dropped the provenance attestation that ${a.priorVersion} carried — this is the s1ngularity compromised-publish shape.`,packageName:a.packageName,severity:"error"})}}if(m(t,"newBin")){const e=await S(c);for(const a of e){const d=a.newBins.map(l=>l.command).join(", ");n.add({marshall:"newBin",message:`${a.toVersion} adds new bin script${a.newBins.length===1?"":"s"}: ${d} (prior: ${a.fromVersion}).`,packageName:a.packageName,severity:"warning"})}}if(m(t,"metadata")){const e=await x(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"metadata",message:`Missing/invalid metadata: ${a.issues.join(", ")}.`,packageName:a.packageName,severity:"warning"})}if(m(t,"downloads")){const e=await A([o.name]);for(const a of e){const d=a.downloadsLastMonth===void 0?"unknown":String(a.downloadsLastMonth);n.add({marshall:"downloads",message:a.kind==="no-data"?"npm stats API returned no monthly download data.":`Only ${d} downloads in the past month.`,packageName:a.packageName,severity:a.severity})}}if(m(t,"expiredDomains")){const e=await V(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"expiredDomains",message:a.kind==="expired"?`Maintainer email domain ${a.domain} (${a.maintainer}) is unregistered — potential hijack risk.`:`Could not verify maintainer email domain ${a.domain} (${a.maintainer}).`,packageName:a.packageName,severity:a.severity})}if(F(t)){const e=await D(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"signatures",message:a.message,packageName:a.packageName,severity:a.severity})}if(m(t,"archivedRepo")){const e=await b(c,{workspaceRoot:i});for(const a of e)n.add({marshall:"archivedRepo",message:a.kind==="archived"?`Source repo ${a.owner}/${a.repo} is archived${a.archivedAt===void 0?"":` (since ${a.archivedAt})`}.`:`Source repo ${a.owner}/${a.repo} returned 404 from GitHub.`,packageName:a.packageName,severity:"warning"})}const h=n.all();if(s.json===!0)process.stdout.write(`${JSON.stringify(C(h),void 0,2)}
2
2
  `);else{const e=`${o.name}@${g}`;if(h.length===0)p.info(`${$("✓")} ${e} — no findings.`);else{p.info(`${u("Inspecting")} ${e}`);for(const l of E(h))process.stdout.write(`${l}
3
3
  `);const a=n.errors().length,d=n.warnings().length;process.stdout.write(`
4
4
  ${u("Summary:")} ${k(`${String(a)} error${a===1?"":"s"}`)}, ${y(`${String(d)} warning${d===1?"":"s"}`)}.
@@ -1 +1 @@
1
- import{m as v,f as D,H,j as L}from"../packem_shared/index-BDmTbWX1.js";import{p as t}from"./bin.js";import{w as _,I as A,p as B,h as F}from"../packem_shared/pm-runner-OGResYrA.js";import{s as T}from"../packem_shared/typosquats-DN78xx1x.js";import{h as G,P as J}from"../packem_shared/peer-warnings-BXAzXqY3.js";import{i as M}from"../packem_shared/utils-Cxree603.js";const N=["pnpm-lock.yaml","yarn.lock","package-lock.json","npm-shrinkwrap.json","bun.lock","bun.lockb"],W=a=>{let r=a;for(;;){for(const i of N)if(D(v(r,i)))return!0;const n=H(r);if(n===r||L(r).root===r)return!1;r=n}},h=new Set(["aube","auto","bun","npm","pnpm","yarn"]),Z=async a=>{const{argument:r,fs:n,logger:i,options:e,visConfig:c,workspaceRoot:w}=a,s=w??process.cwd();if(r&&r.length>0){const o=e,{default:S}=await import("./handler16.js"),R=o.marshallCheck===!1||o["no-marshall-check"]===!0?!1:void 0,q=o.socketCheck===!1||o["no-socket-check"]===!0?!1:void 0,z=o.typosquatCheck===!1||o["no-typosquat-check"]===!0?!1:void 0,E=o.runScripts===!0||o["run-scripts"]===!0,I=o.workspaceRoot===!0||o["workspace-root"]===!0,P=o.saveOptional===!0||o["save-optional"]===!0,$=e.dev===!0,j={autoInstallPeers:!1,exact:o.exact===!0,filter:e.filter,global:!1,marshallCheck:R,runScripts:E,saveDev:$,saveOptional:P,savePeer:!1,socketCheck:q,to:void 0,typosquatCheck:z,workspace:!1,workspaceRoot:I};await S({...a,argument:r,options:j});return}if(e.typosquatCheck!==!1&&!await T(s,c?.security?.typosquatAllowlist)){process.exitCode=1;return}const l=e.installer;if(l&&!h.has(l)){t.error(`Invalid --installer value: "${l}". Expected one of: ${[...h].join(", ")}.`),process.exitCode=1;return}const g=l,y=e.aube===!1;let f;try{f=y?_(s):A(s,{backend:g,configBackend:c?.install?.backend,configCorepack:c?.install?.corepack})}catch(o){t.error(o instanceof Error?o.message:String(o)),process.exitCode=1;return}const k=B(s,f);k&&t.warn(k);const C=M(e.filter),p=e.ci||!1,d=e.frozenLockfile||p,b=e.frozenLockfile===!1||e.force||e.lockfileOnly,x=W(s),m=d||!b&&x;if(!d&&m&&!e.silent&&t.info("Defaulting to frozen lockfile (pass --no-frozen-lockfile to allow lockfile updates)."),p){t.info("Clean install: removing node_modules...");try{await n.rm(v(s,"node_modules"),{force:!0,recursive:!0})}catch(o){t.error(`Failed to remove node_modules: ${o instanceof Error?o.message:String(o)}`),process.exitCode=1;return}}const{code:u,output:O}=await F(f,{dev:e.dev||!1,filter:C,force:e.force||!1,frozenLockfile:m,ignoreScripts:!e.runScripts,lockfileOnly:e.lockfileOnly||!1,noOptional:e.optional===!1,offline:e.offline||!1,prod:e.prod||!1,recursive:e.recursive||!1,silent:e.silent||!1,workspaceRoot:e.workspaceRoot||!1},s,i,{ciMode:p,preferOffline:e.preferOffline||!1});u!==0&&(process.exitCode=u),u===0&&!e.silent&&G(O)&&t.info(J)};export{Z as default};
1
+ import{m as w,f as _,H as B,j as A}from"../packem_shared/index-BDmTbWX1.js";import{p as t}from"./bin.js";import{w as F,I as h,p as H,h as T}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{a as M,r as N}from"../packem_shared/command-runtime-CR70qSUM.js";import{s as Q}from"../packem_shared/typosquats-DN78xx1x.js";import{h as U,P as V}from"../packem_shared/peer-warnings-BXAzXqY3.js";import{i as W}from"../packem_shared/utils-Cxree603.js";const G=["pnpm-lock.yaml","yarn.lock","package-lock.json","npm-shrinkwrap.json","bun.lock","bun.lockb"],J=a=>{let r=a;for(;;){for(const l of G)if(_(w(r,l)))return!0;const n=B(r);if(n===r||A(r).root===r)return!1;r=n}},g=new Set(["aube","auto","bun","npm","pnpm","yarn"]),se=async a=>{const{argument:r,fs:n,logger:l,options:e,visConfig:i,workspaceRoot:C}=a,s=C??process.cwd();if(r&&r.length>0){const o=e,{default:q}=await import("./handler16.js"),I=o.marshallCheck===!1||o["no-marshall-check"]===!0?!1:void 0,z=o.socketCheck===!1||o["no-socket-check"]===!0?!1:void 0,E=o.typosquatCheck===!1||o["no-typosquat-check"]===!0?!1:void 0,P=o.runScripts===!0||o["run-scripts"]===!0,j=o.workspaceRoot===!0||o["workspace-root"]===!0,D=o.saveOptional===!0||o["save-optional"]===!0,$=e.dev===!0,L={autoInstallPeers:!1,exact:o.exact===!0,filter:e.filter,global:!1,marshallCheck:I,runScripts:P,saveDev:$,saveOptional:D,savePeer:!1,socketCheck:z,to:void 0,typosquatCheck:E,workspace:!1,workspaceRoot:j};await q({...a,argument:r,options:L});return}if(e.typosquatCheck!==!1&&!await Q(s,i?.security?.typosquatAllowlist)){process.exitCode=1;return}const c=e.installer;if(c&&!g.has(c)){t.error(`Invalid --installer value: "${c}". Expected one of: ${[...g].join(", ")}.`),process.exitCode=1;return}const y=c,b=e.aube===!1,f=M(N({logger:l,options:e,visConfig:i},s));let p;try{p=b?f===void 0?F(s):h(s,{backend:f}):h(s,{backend:y??f,configBackend:i?.install?.backend,configCorepack:i?.install?.corepack})}catch(o){t.error(o instanceof Error?o.message:String(o)),process.exitCode=1;return}const m=H(s,p);m&&t.warn(m);const x=W(e.filter),u=e.ci||!1,d=e.frozenLockfile||u,O=e.frozenLockfile===!1||e.force||e.lockfileOnly,R=J(s),v=d||!O&&R;if(!d&&v&&!e.silent&&t.info("Defaulting to frozen lockfile (pass --no-frozen-lockfile to allow lockfile updates)."),u){t.info("Clean install: removing node_modules...");try{await n.rm(w(s,"node_modules"),{force:!0,recursive:!0})}catch(o){t.error(`Failed to remove node_modules: ${o instanceof Error?o.message:String(o)}`),process.exitCode=1;return}}const{code:k,output:S}=await T(p,{dev:e.dev||!1,filter:x,force:e.force||!1,frozenLockfile:v,ignoreScripts:!e.runScripts,lockfileOnly:e.lockfileOnly||!1,noOptional:e.optional===!1,offline:e.offline||!1,prod:e.prod||!1,recursive:e.recursive||!1,silent:e.silent||!1,workspaceRoot:e.workspaceRoot||!1},s,l,{ciMode:u,preferOffline:e.preferOffline||!1});k!==0&&(process.exitCode=k),k===0&&!e.silent&&U(S)&&t.info(V)};export{se as default};
@@ -1 +1 @@
1
- import{createRequire as E}from"node:module";import{I as x,E as j,V as T,s as A}from"../packem_shared/Table-CcVkyULl-B_ef6zfS.js";import{m as L,O as N}from"../packem_shared/index-BDmTbWX1.js";import{l as b,c as B,p as f,f as F,b as z,P as U,R as V,Y,Z as H,_ as C,a0 as J,a1 as W,a2 as $,B as Z,a3 as G}from"./bin.js";import"../packem_shared/public-api-WqUCiyIe.js";import{I as K,M as Q,R as X}from"../packem_shared/pm-runner-OGResYrA.js";import{r as P,a as ee,p as se,b as oe}from"../packem_shared/resolve-explicit-CMDl55Nz.js";import{r as te}from"../packem_shared/typosquats-DN78xx1x.js";import{f as _,i as R}from"../packem_shared/utils-Cxree603.js";import{a as ne}from"./config.js";const q=E(import.meta.url),w=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,I=o=>{if(typeof w<"u"&&w.versions&&w.versions.node){const[c,e]=w.versions.node.split(".").map(Number);if(c>22||c===22&&e>=3||c===20&&e>=16)return w.getBuiltinModule(o)}return q(o)},{createInterface:O}=I("node:readline"),S=o=>o==="default"?"catalog:":`catalog:${o}`,v=o=>o==="default"?"default catalog":`catalog "${o}"`,ae=(o,c)=>{const e=[];for(const[s,n]of c)s.includes(":")||n.has(o)&&e.push(s);if(e.length===0)return;if(e.length===1){const[s]=e;return{source:v(s),spec:S(s)}}const a=e.find(s=>s==="default")??e[0],i=e.filter(s=>s!==a);return{candidates:[...e],conflict:!0,source:`${v(a)} (also in: ${i.map(s=>v(s)).join(", ")})`,spec:S(a)}},ie=(o,c)=>{const e=new Map;for(const[r,l]of c){if(!r.includes(":"))continue;const d=l.get(o);d!==void 0&&e.set(d,(e.get(d)??0)+1)}if(e.size===0)return;const a=[...e.entries()],i=a.reduce((r,[,l])=>r+l,0);if(a.length===1){const[[r]]=a;return{source:`siblings (${String(i)} pkg${i===1?"":"s"} on ${r})`,spec:r}}const s=[...a].sort((r,l)=>l[1]-r[1]),[n,t]=s[0],p=s.slice(1).map(([r,l])=>`${r} (×${String(l)})`);return{candidates:s.map(([r])=>r),conflict:!0,source:`siblings (most common: ${n} ×${String(t)}; conflicts: ${p.join(", ")})`,spec:n}},re=(o,c)=>ae(o,c)||ie(o,c),ce=(o,c,e)=>{const a=[];for(const i of o.values()){const{overall:s}=i.score,n=Z(s),t=`${String(Math.round(s*100))}%`,p=i.alerts.length,r=$(i),l=H(r,i.version,e),d=n==="red"?T:n==="yellow"?A:x;if(l?f.info(` ${d(t)} ${C(i)} ${j(`[accepted: ${l.reason}]`)}`):f.info(` ${d(t)} ${C(i)}`),p>0){const u=i.alerts.filter(g=>g.severity==="critical"||g.severity==="high").length;u>0&&f.warn(` ${String(u)} critical/high alert${u===1?"":"s"}`)}s<c&&!l&&a.push(i)}return a},le=async(o,c)=>{const e=O({input:process.stdin,output:process.stdout}),a=t=>new Promise(p=>{e.question(t,r=>{p(r.trim())})}),i=String(Math.round(c*100));f.warn(""),f.warn(`${String(o.length)} package${o.length===1?"":"s"} scored below the minimum threshold (${i}%):`);for(const t of o){const p=$(t),r=`${String(Math.round(t.score.overall*100))}%`;f.warn(` • ${p}@${t.version} — score: ${r} (${J(t.score.overall)})`)}f.warn("");const s=await a("Continue adding these packages? [y/N] ");if(s.toLowerCase()!=="y"&&s.toLowerCase()!=="yes")return e.close(),!1;const n=await a("Remember this decision? (prints config snippet) [y/N] ");if(e.close(),n.toLowerCase()==="y"||n.toLowerCase()==="yes"){f.notice(""),f.notice("Add the following to security.acceptedRisks in vis.config.ts:"),f.notice("");for(const t of o){const p=$(t),r=W(p,t.version,t.score.overall,"Reviewed and accepted");f.notice(r)}f.notice("")}return!0},pe=async(o,c,e,a)=>{const i=await P(o);if(i.length===0)return!0;f.info(""),f.info(`${c.map(t=>t.displayName).join(" + ")} security check:`);const s=await F(c,i);if(s.size===0)return f.info(" Could not fetch security data. Proceeding."),!0;const n=ce(s,e,a);return n.length===0?(f.info(""),!0):process.stdin.isTTY?le(n,e):(f.warn(`Aborting: ${String(n.length)} package${n.length===1?"":"s"} below minimum score. Use --no-socket-check to skip.`),!1)},fe=["dependencies","devDependencies","peerDependencies","optionalDependencies"],de=o=>o.savePeer?"peerDependencies":o.saveOptional?"optionalDependencies":o.saveDev?"devDependencies":"dependencies",D=(o,c)=>o.startsWith("catalog:")||!c?o:o.replace(/^[\^~]/,""),ue=async(o,c)=>{const e=[];for(const s of o){const{name:n,versionSpec:t}=_(s);if(!n)continue;if(t!==void 0){e.push({explicit:t,name:n});continue}const p=re(n,c);if(p){p.conflict&&f.warn(`${n}: ambiguous constraint — picking ${p.spec} (${p.source}). Pass ${n}@<version> to override.`),e.push({entry:{name:n,source:p.source,spec:p.spec},kind:"resolved",name:n});continue}e.push({kind:"missing",name:n})}const a=e.filter(s=>"kind"in s&&s.kind==="missing").map(s=>s.name),i=a.length>0?await oe(a):new Map;return e.map(s=>{if("explicit"in s)return{name:s.name,source:"explicit",spec:s.explicit};if(s.kind==="resolved")return s.entry;const n=i.get(s.name);if(n===void 0)throw new Error(`--to: cannot resolve a version for "${s.name}" (not in any catalog or sibling, and registry lookup failed). Pass ${s.name}@<version> explicitly.`);const t=`^${n}`;return f.info(`${s.name}: no existing constraint — using registry latest (${t}). Add to a catalog to share this version across workspace packages.`),{name:s.name,source:"registry latest",spec:t}})},ge=(o,c,e,a)=>{for(const{name:i,spec:s}of c){const n=D(s,a);for(const p of fe){if(p===e)continue;const r=o[p];r?.[i]!==void 0&&(delete r[i],Object.keys(r).length===0&&delete o[p])}let t=o[e];t===void 0&&(t={},o[e]=t),t[i]=n}},me=async({ignoreScripts:o,logger:c,options:e,packages:a,pm:i,target:s,visConfig:n,workspaceRoot:t})=>{const{workspace:p}=z(t,n??{}),r=p.projects[s];if(!r){const m=Object.keys(p.projects).sort();throw new Error(`--to: workspace package "${s}" not found. Available: ${m.length>0?m.slice(0,10).join(", "):"(none)"}${m.length>10?`, ... (${String(m.length-10)} more)`:""}.`)}const l=L(t,r.root,"package.json"),{packageManager:d}=U(t),u=V(t,d),g=de(e),h=e.exact??!1,k=await ue(a,u);if(k.length===0)return 0;const y=ne(l);ge(y,k,g,h),N(l,y,{indent:Y(l,{useEditorconfig:n?.editorconfig??!0}),overwrite:!0});for(const m of k){const M=D(m.spec,h);f.info(`${x("+")} ${m.name}@${M} → ${s}/${g} (${j(m.source)})`)}return X(i,{dev:!1,filter:[],force:!1,frozenLockfile:!1,ignoreScripts:o,lockfileOnly:!1,noOptional:!1,offline:!1,prod:!1,recursive:!1,silent:!1,workspaceRoot:!1},t,c)},xe=async({argument:o,logger:c,options:e,visConfig:a,workspaceRoot:i})=>{let s=o;if(!s||s.length===0)throw new Error("No packages specified. Usage: vis add <packages...>");if(e.typosquatCheck!==!1){const l=s.map(u=>_(u)),d=await te(l.map(u=>u.name),a?.security?.typosquatAllowlist);if(!d.ok){process.exitCode=1;return}s=l.map((u,g)=>{const h=d.packages[g];return h!==u.name?u.versionSpec?`${h}@${u.versionSpec}`:h??"":s[g]??""})}if(e.marshallCheck!==!1){const l=await P(s);if(l.length>0){const d=await ee(l,{config:a?.security?.marshalls,workspaceRoot:i});if(!await se(d)){process.exitCode=1;return}}}if(e.socketCheck!==!1){const l=new Set;b("socket")&&l.add("socket"),b("depsDev")&&l.add("deps-dev");const d=B(a?.security,{disabled:l,minimumScore:a?.security?.policies?.score?.minimum});if(d.length>0){const u=a?.security?.policies?.score?.minimum??G;if(!await pe(s,d,u,a?.security?.acceptedRisks)){process.exitCode=1;return}}}const n=process.cwd(),t=K(i??n,{configBackend:a?.install?.backend,configCorepack:a?.install?.corepack}),p=!e.runScripts;if(e.to){if(e.global||e.workspaceRoot)throw new Error("--to is incompatible with --global / --workspace-root.");if(e.filter&&R(e.filter).length>0)throw new Error("--to and --filter are mutually exclusive — --to already targets one package.");if(!i)throw new Error("--to requires a monorepo workspace. Run from inside a pnpm/bun/yarn/npm workspace.");const l=await me({ignoreScripts:p,logger:c,options:e,packages:s,pm:t,target:e.to,visConfig:a,workspaceRoot:i});l!==0&&(process.exitCode=l);return}const r=Q(t,{exact:e.exact||!1,filter:R(e.filter),global:e.global||!1,optional:e.saveOptional||!1,packages:s,peer:e.savePeer||!1,saveDev:e.saveDev||!1,workspace:e.workspace||!1,workspaceRoot:e.workspaceRoot||!1},n,c,{autoInstallPeers:e.autoInstallPeers||!1,ignoreScripts:p});r!==0&&(process.exitCode=r)};export{xe as default};
1
+ import{createRequire as E}from"node:module";import{I as x,E as j,V as T,s as A}from"../packem_shared/Table-CcVkyULl-B_ef6zfS.js";import{m as L,O as B}from"../packem_shared/index-BDmTbWX1.js";import{l as b,c as N,p as f,f as F,b as z,P as U,R as V,Y,Z as H,_ as C,a0 as J,a1 as W,a2 as $,B as Z,a3 as G}from"./bin.js";import"../packem_shared/public-api-WqUCiyIe.js";import{I as K,M as Q,R as X}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as ee,a as se}from"../packem_shared/command-runtime-CR70qSUM.js";import{r as P,a as oe,p as te,b as ne}from"../packem_shared/resolve-explicit-C6WM-I2u.js";import{r as re}from"../packem_shared/typosquats-DN78xx1x.js";import{f as _,i as R}from"../packem_shared/utils-Cxree603.js";import{a as ae}from"./config.js";const q=E(import.meta.url),w=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,I=o=>{if(typeof w<"u"&&w.versions&&w.versions.node){const[c,e]=w.versions.node.split(".").map(Number);if(c>22||c===22&&e>=3||c===20&&e>=16)return w.getBuiltinModule(o)}return q(o)},{createInterface:O}=I("node:readline"),S=o=>o==="default"?"catalog:":`catalog:${o}`,v=o=>o==="default"?"default catalog":`catalog "${o}"`,ie=(o,c)=>{const e=[];for(const[s,t]of c)s.includes(":")||t.has(o)&&e.push(s);if(e.length===0)return;if(e.length===1){const[s]=e;return{source:v(s),spec:S(s)}}const r=e.find(s=>s==="default")??e[0],a=e.filter(s=>s!==r);return{candidates:[...e],conflict:!0,source:`${v(r)} (also in: ${a.map(s=>v(s)).join(", ")})`,spec:S(r)}},ce=(o,c)=>{const e=new Map;for(const[i,u]of c){if(!i.includes(":"))continue;const p=u.get(o);p!==void 0&&e.set(p,(e.get(p)??0)+1)}if(e.size===0)return;const r=[...e.entries()],a=r.reduce((i,[,u])=>i+u,0);if(r.length===1){const[[i]]=r;return{source:`siblings (${String(a)} pkg${a===1?"":"s"} on ${i})`,spec:i}}const s=[...r].sort((i,u)=>u[1]-i[1]),[t,n]=s[0],l=s.slice(1).map(([i,u])=>`${i} (×${String(u)})`);return{candidates:s.map(([i])=>i),conflict:!0,source:`siblings (most common: ${t} ×${String(n)}; conflicts: ${l.join(", ")})`,spec:t}},le=(o,c)=>ie(o,c)||ce(o,c),pe=(o,c,e)=>{const r=[];for(const a of o.values()){const{overall:s}=a.score,t=Z(s),n=`${String(Math.round(s*100))}%`,l=a.alerts.length,i=$(a),u=H(i,a.version,e),p=t==="red"?T:t==="yellow"?A:x;if(u?f.info(` ${p(n)} ${C(a)} ${j(`[accepted: ${u.reason}]`)}`):f.info(` ${p(n)} ${C(a)}`),l>0){const g=a.alerts.filter(d=>d.severity==="critical"||d.severity==="high").length;g>0&&f.warn(` ${String(g)} critical/high alert${g===1?"":"s"}`)}s<c&&!u&&r.push(a)}return r},fe=async(o,c)=>{const e=O({input:process.stdin,output:process.stdout}),r=n=>new Promise(l=>{e.question(n,i=>{l(i.trim())})}),a=String(Math.round(c*100));f.warn(""),f.warn(`${String(o.length)} package${o.length===1?"":"s"} scored below the minimum threshold (${a}%):`);for(const n of o){const l=$(n),i=`${String(Math.round(n.score.overall*100))}%`;f.warn(` • ${l}@${n.version} — score: ${i} (${J(n.score.overall)})`)}f.warn("");const s=await r("Continue adding these packages? [y/N] ");if(s.toLowerCase()!=="y"&&s.toLowerCase()!=="yes")return e.close(),!1;const t=await r("Remember this decision? (prints config snippet) [y/N] ");if(e.close(),t.toLowerCase()==="y"||t.toLowerCase()==="yes"){f.notice(""),f.notice("Add the following to security.acceptedRisks in vis.config.ts:"),f.notice("");for(const n of o){const l=$(n),i=W(l,n.version,n.score.overall,"Reviewed and accepted");f.notice(i)}f.notice("")}return!0},ue=async(o,c,e,r)=>{const a=await P(o);if(a.length===0)return!0;f.info(""),f.info(`${c.map(n=>n.displayName).join(" + ")} security check:`);const s=await F(c,a);if(s.size===0)return f.info(" Could not fetch security data. Proceeding."),!0;const t=pe(s,e,r);return t.length===0?(f.info(""),!0):process.stdin.isTTY?fe(t,e):(f.warn(`Aborting: ${String(t.length)} package${t.length===1?"":"s"} below minimum score. Use --no-socket-check to skip.`),!1)},de=["dependencies","devDependencies","peerDependencies","optionalDependencies"],ge=o=>o.savePeer?"peerDependencies":o.saveOptional?"optionalDependencies":o.saveDev?"devDependencies":"dependencies",D=(o,c)=>o.startsWith("catalog:")||!c?o:o.replace(/^[\^~]/,""),me=async(o,c)=>{const e=[];for(const s of o){const{name:t,versionSpec:n}=_(s);if(!t)continue;if(n!==void 0){e.push({explicit:n,name:t});continue}const l=le(t,c);if(l){l.conflict&&f.warn(`${t}: ambiguous constraint — picking ${l.spec} (${l.source}). Pass ${t}@<version> to override.`),e.push({entry:{name:t,source:l.source,spec:l.spec},kind:"resolved",name:t});continue}e.push({kind:"missing",name:t})}const r=e.filter(s=>"kind"in s&&s.kind==="missing").map(s=>s.name),a=r.length>0?await ne(r):new Map;return e.map(s=>{if("explicit"in s)return{name:s.name,source:"explicit",spec:s.explicit};if(s.kind==="resolved")return s.entry;const t=a.get(s.name);if(t===void 0)throw new Error(`--to: cannot resolve a version for "${s.name}" (not in any catalog or sibling, and registry lookup failed). Pass ${s.name}@<version> explicitly.`);const n=`^${t}`;return f.info(`${s.name}: no existing constraint — using registry latest (${n}). Add to a catalog to share this version across workspace packages.`),{name:s.name,source:"registry latest",spec:n}})},he=(o,c,e,r)=>{for(const{name:a,spec:s}of c){const t=D(s,r);for(const l of de){if(l===e)continue;const i=o[l];i?.[a]!==void 0&&(delete i[a],Object.keys(i).length===0&&delete o[l])}let n=o[e];n===void 0&&(n={},o[e]=n),n[a]=t}},ke=async({ignoreScripts:o,logger:c,options:e,packages:r,pm:a,target:s,visConfig:t,workspaceRoot:n})=>{const{workspace:l}=z(n,t??{}),i=l.projects[s];if(!i){const m=Object.keys(l.projects).sort();throw new Error(`--to: workspace package "${s}" not found. Available: ${m.length>0?m.slice(0,10).join(", "):"(none)"}${m.length>10?`, ... (${String(m.length-10)} more)`:""}.`)}const u=L(n,i.root,"package.json"),{packageManager:p}=U(n),g=V(n,p),d=ge(e),k=e.exact??!1,h=await me(r,g);if(h.length===0)return 0;const y=ae(u);he(y,h,d,k),B(u,y,{indent:Y(u,{useEditorconfig:t?.editorconfig??!0}),overwrite:!0});for(const m of h){const M=D(m.spec,k);f.info(`${x("+")} ${m.name}@${M} → ${s}/${d} (${j(m.source)})`)}return X(a,{dev:!1,filter:[],force:!1,frozenLockfile:!1,ignoreScripts:o,lockfileOnly:!1,noOptional:!1,offline:!1,prod:!1,recursive:!1,silent:!1,workspaceRoot:!1},n,c)},_e=async({argument:o,logger:c,options:e,visConfig:r,workspaceRoot:a})=>{let s=o;if(!s||s.length===0)throw new Error("No packages specified. Usage: vis add <packages...>");if(e.typosquatCheck!==!1){const p=s.map(d=>_(d)),g=await re(p.map(d=>d.name),r?.security?.typosquatAllowlist);if(!g.ok){process.exitCode=1;return}s=p.map((d,k)=>{const h=g.packages[k];return h!==d.name?d.versionSpec?`${h}@${d.versionSpec}`:h??"":s[k]??""})}if(e.marshallCheck!==!1){const p=await P(s);if(p.length>0){const g=await oe(p,{config:r?.security?.marshalls,workspaceRoot:a});if(!await te(g)){process.exitCode=1;return}}}if(e.socketCheck!==!1){const p=new Set;b("socket")&&p.add("socket"),b("depsDev")&&p.add("deps-dev");const g=N(r?.security,{disabled:p,minimumScore:r?.security?.policies?.score?.minimum});if(g.length>0){const d=r?.security?.policies?.score?.minimum??G;if(!await ue(s,g,d,r?.security?.acceptedRisks)){process.exitCode=1;return}}}const t=process.cwd(),n=ee({logger:c,options:e,visConfig:r},a??t),l=K(a??t,{backend:se(n),configBackend:r?.install?.backend,configCorepack:r?.install?.corepack}),i=!e.runScripts;if(e.to){if(e.global||e.workspaceRoot)throw new Error("--to is incompatible with --global / --workspace-root.");if(e.filter&&R(e.filter).length>0)throw new Error("--to and --filter are mutually exclusive — --to already targets one package.");if(!a)throw new Error("--to requires a monorepo workspace. Run from inside a pnpm/bun/yarn/npm workspace.");const p=await ke({ignoreScripts:i,logger:c,options:e,packages:s,pm:l,target:e.to,visConfig:r,workspaceRoot:a});p!==0&&(process.exitCode=p);return}const u=Q(l,{exact:e.exact||!1,filter:R(e.filter),global:e.global||!1,optional:e.saveOptional||!1,packages:s,peer:e.savePeer||!1,saveDev:e.saveDev||!1,workspace:e.workspace||!1,workspaceRoot:e.workspaceRoot||!1},t,c,{autoInstallPeers:e.autoInstallPeers||!1,ignoreScripts:i});u!==0&&(process.exitCode=u)};export{_e as default};
@@ -1 +1 @@
1
- import{I as l,j as i}from"../packem_shared/pm-runner-OGResYrA.js";const g=async({argument:e,logger:s,visConfig:o,workspaceRoot:a})=>{const r=e?.[0]??null,c=a??process.cwd(),t=l(c,{configBackend:o?.install?.backend,configCorepack:o?.install?.corepack}),n=i(t,r,c,s);n!==0&&(process.exitCode=n)};export{g as default};
1
+ import{I as m,j as p}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as g,a as d}from"../packem_shared/command-runtime-CR70qSUM.js";const u=async({argument:s,logger:e,options:r,visConfig:o,workspaceRoot:t})=>{const c=s?.[0]??null,n=t??process.cwd(),i=g({logger:e,options:r,visConfig:o},n),l=m(n,{backend:d(i),configBackend:o?.install?.backend,configCorepack:o?.install?.corepack}),a=p(l,c,n,e);a!==0&&(process.exitCode=a)};export{u as default};
@@ -1 +1 @@
1
- import{I as p,B as g}from"../packem_shared/pm-runner-OGResYrA.js";const u=async({argument:c,logger:i,visConfig:e,workspaceRoot:s})=>{const o=c;if(!o||o.length===0)throw new Error("No subcommand specified. Available: cache, publish, audit, list, view, config, whoami, login, logout, pack, owner, dist-tag, search, fund, ping, token, deprecate, rebuild, prune, plugin");const[t,...r]=o,n=s??process.cwd(),l=p(n,{configBackend:e?.install?.backend,configCorepack:e?.install?.corepack}),a=g(l,t,r,n,i);a!==0&&(process.exitCode=a)};export{u as default};
1
+ import{I as g,B as m}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as u,a as f}from"../packem_shared/command-runtime-CR70qSUM.js";const b=async({argument:s,logger:i,options:t,visConfig:e,workspaceRoot:c})=>{const o=s;if(!o||o.length===0)throw new Error("No subcommand specified. Available: cache, publish, audit, list, view, config, whoami, login, logout, pack, owner, dist-tag, search, fund, ping, token, deprecate, rebuild, prune, plugin");const[r,...l]=o,n=c??process.cwd(),p=u({logger:i,options:t,visConfig:e},n),d=g(n,{backend:f(p),configBackend:e?.install?.backend,configCorepack:e?.install?.corepack}),a=m(d,r,l,n,i);a!==0&&(process.exitCode=a)};export{b as default};
@@ -1 +1 @@
1
- import{I as n,D as f}from"../packem_shared/pm-runner-OGResYrA.js";import{i as p}from"../packem_shared/utils-Cxree603.js";const v=async({argument:c,logger:i,options:e,visConfig:s,workspaceRoot:t})=>{const o=c;if(!o||o.length===0)throw new Error("No packages specified. Usage: vis remove <packages...>");const a=process.cwd(),l=n(t??a,{configBackend:s?.install?.backend,configCorepack:s?.install?.corepack}),r=f(l,{filter:p(e.filter),global:e.global||!1,packages:o,recursive:e.recursive||!1,saveDev:e.saveDev||!1,workspaceRoot:e.workspaceRoot||!1},a,i);r!==0&&(process.exitCode=r)};export{v as default};
1
+ import{I as p,D as f}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as g,a as k}from"../packem_shared/command-runtime-CR70qSUM.js";import{i as m}from"../packem_shared/utils-Cxree603.js";const w=async({argument:t,logger:r,options:e,visConfig:o,workspaceRoot:n})=>{const a=t;if(!a||a.length===0)throw new Error("No packages specified. Usage: vis remove <packages...>");const s=process.cwd(),c=g({logger:r,options:e,visConfig:o},n??s),l=p(n??s,{backend:k(c),configBackend:o?.install?.backend,configCorepack:o?.install?.corepack}),i=f(l,{filter:m(e.filter),global:e.global||!1,packages:a,recursive:e.recursive||!1,saveDev:e.saveDev||!1,workspaceRoot:e.workspaceRoot||!1},s,r);i!==0&&(process.exitCode=i)};export{w as default};
@@ -1,2 +1,2 @@
1
- import{B as k,a as B,H as g}from"../packem_shared/index-BDmTbWX1.js";import{b as h,O as j,p as m}from"./bin.js";import{b as v,s as y}from"../packem_shared/cyclonedx-kYozDyxp.js";const l=["json","xml"],C=n=>l.includes(n),R=async({fs:n,options:e,visConfig:d,workspaceRoot:o})=>{if(!o)throw new Error("Could not determine workspace root. Run inside a monorepo.");const{packageJsons:f,workspace:i}=h(o,d),u=j(o,i,f),c=e.focus,w=c?c.split(",").map(b=>b.trim()).filter(Boolean):void 0,s=(e.format??"json").toLowerCase();if(!C(s))throw new Error(`Unknown --format: "${s}". Expected one of: ${l.join(", ")}.`);const t=v({focus:w,includeDev:!!e.includeDev,projectGraph:u,workspace:i,workspaceRoot:o}),a=s==="xml"?y(t):`${JSON.stringify(t,void 0,2)}
1
+ import{B as k,a as B,H as g}from"../packem_shared/index-BDmTbWX1.js";import{b as h,O as j,p as m}from"./bin.js";import{b as v,s as y}from"../packem_shared/cyclonedx-Cadls41z.js";const l=["json","xml"],C=n=>l.includes(n),R=async({fs:n,options:e,visConfig:d,workspaceRoot:o})=>{if(!o)throw new Error("Could not determine workspace root. Run inside a monorepo.");const{packageJsons:f,workspace:i}=h(o,d),u=j(o,i,f),c=e.focus,w=c?c.split(",").map(b=>b.trim()).filter(Boolean):void 0,s=(e.format??"json").toLowerCase();if(!C(s))throw new Error(`Unknown --format: "${s}". Expected one of: ${l.join(", ")}.`);const t=v({focus:w,includeDev:!!e.includeDev,projectGraph:u,workspace:i,workspaceRoot:o}),a=s==="xml"?y(t):`${JSON.stringify(t,void 0,2)}
2
2
  `,p=e.output??(s==="xml"?"sbom.cdx.xml":"sbom.cdx.json");if(p==="-"){process.stdout.write(a);return}const r=k(o,p);B(g(r)),await n.writeFile(r,a,"utf8");const x=t.components?.length??0,$=t.dependencies?.length??0;m.success(`SBOM written to ${r}`),m.notice(`${x} components, ${$} dependency edges`)};export{R as default};
@@ -1 +1 @@
1
- import{I as p,S as l}from"../packem_shared/pm-runner-OGResYrA.js";const g=async({argument:c,logger:a,options:n,visConfig:o,workspaceRoot:r})=>{const i=c||[],e=r??process.cwd(),t=p(e,{configBackend:o?.install?.backend,configCorepack:o?.install?.corepack}),s=l(t,i,n.recursive||!1,e,a);s!==0&&(process.exitCode=s)};export{g as default};
1
+ import{I as m,S as p}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as g,a as d}from"../packem_shared/command-runtime-CR70qSUM.js";const u=async({argument:r,logger:s,options:a,visConfig:e,workspaceRoot:i})=>{const t=r||[],o=i??process.cwd(),c=g({logger:s,options:a,visConfig:e},o),l=m(o,{backend:d(c),configBackend:e?.install?.backend,configCorepack:e?.install?.corepack}),n=p(l,t,a.recursive||!1,o,s);n!==0&&(process.exitCode=n)};export{u as default};
@@ -1,3 +1,3 @@
1
- import{createRequire as u}from"node:module";import{c as p}from"../packem_shared/index-yBikBkHT.js";const f=u(import.meta.url),r=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,a=s=>{if(typeof r<"u"&&r.versions&&r.versions.node){const[e,i]=r.versions.node.split(".").map(Number);if(e>22||e===22&&i>=3||e===20&&i>=16)return r.getBuiltinModule(s)}return f(s)},{execSync:d,spawnSync:l}=a("node:child_process"),v=async({argument:s,logger:e,options:i})=>{const t=s?.[0];e.info("info: checking for updates...");const n=p.version;let o;try{const c=d("npm view @visulima/vis version",{encoding:"utf8"}).trim();o=t??c}catch{throw new Error("Failed to query npm registry. Check your network connection.")}if(n===o&&!i.force){e.info(`
1
+ import{createRequire as u}from"node:module";import{c as p}from"../packem_shared/index-Bt521H5J.js";const f=u(import.meta.url),r=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,a=s=>{if(typeof r<"u"&&r.versions&&r.versions.node){const[e,i]=r.versions.node.split(".").map(Number);if(e>22||e===22&&i>=3||e===20&&i>=16)return r.getBuiltinModule(s)}return f(s)},{execSync:d,spawnSync:l}=a("node:child_process"),v=async({argument:s,logger:e,options:i})=>{const t=s?.[0];e.info("info: checking for updates...");const n=p.version;let o;try{const c=d("npm view @visulima/vis version",{encoding:"utf8"}).trim();o=t??c}catch{throw new Error("Failed to query npm registry. Check your network connection.")}if(n===o&&!i.force){e.info(`
2
2
  ✓ Already up to date (${n})`);return}if(i.check){n===o?e.info(`✓ Already up to date (${n})`):e.info(`info: found @visulima/vis@${o} (current: ${n})`);return}if(e.info(`info: found @visulima/vis@${o} (current: ${n})`),e.info("info: installing..."),l("npm",["install","-g",`@visulima/vis@${o}`],{encoding:"utf8",stdio:"inherit"}).status!==0)throw new Error("Failed to update. Try running with sudo or fix npm permissions.");e.info(`
3
3
  ✓ Updated @visulima/vis from ${n} → ${o}`)};export{v as default};
@@ -1 +1 @@
1
- import{I as c,E as f}from"../packem_shared/pm-runner-OGResYrA.js";import{i as d}from"../packem_shared/utils-Cxree603.js";const v=async({argument:r,logger:n,options:o,process:i,visConfig:s,workspaceRoot:p})=>{const a=r;if(!a||a.length===0)throw new Error("No packages specified. Usage: vis why <package...>");const l=p??i.cwd,t=c(l,{configBackend:s?.install?.backend,configCorepack:s?.install?.corepack}),e=f(t,{depth:o.depth===void 0?void 0:Number(o.depth),dev:o.dev||!1,filter:d(o.filter),global:o.global||!1,json:o.json||!1,long:o.long||!1,noOptional:o.optional===!1,packages:a,parseable:o.parseable||!1,prod:o.prod||!1,recursive:o.recursive||!1},l,n);e!==0&&e!==1&&(process.exitCode=e)};export{v as default};
1
+ import{I as f,E as d}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{r as g,a as m}from"../packem_shared/command-runtime-CR70qSUM.js";import{i as k}from"../packem_shared/utils-Cxree603.js";const h=async({argument:r,logger:n,options:o,process:i,visConfig:a,workspaceRoot:t})=>{const e=r;if(!e||e.length===0)throw new Error("No packages specified. Usage: vis why <package...>");const s=t??i.cwd,p=g({logger:n,options:o,visConfig:a},s),c=f(s,{backend:m(p),configBackend:a?.install?.backend,configCorepack:a?.install?.corepack}),l=d(c,{depth:o.depth===void 0?void 0:Number(o.depth),dev:o.dev||!1,filter:k(o.filter),global:o.global||!1,json:o.json||!1,long:o.long||!1,noOptional:o.optional===!1,packages:e,parseable:o.parseable||!1,prod:o.prod||!1,recursive:o.recursive||!1},s,n);l!==0&&l!==1&&(process.exitCode=l)};export{h as default};
@@ -1,2 +1 @@
1
- import{createRequire as R}from"node:module";import{DEFAULT_CHANGES_DIR as C}from"./DEFAULT_CLEAN_KEEP.js";import{b as E,f as B}from"./orchestrator.js";import{r as T}from"../packem_shared/slug-DoueYuLo.js";import{VisReleaseError as w}from"../packem_shared/VisReleaseError-DMGRBTNO.js";const S=R(import.meta.url),u=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,$=e=>{if(typeof u<"u"&&u.versions&&u.versions.node){const[o,n]=u.versions.node.split(".").map(Number);if(o>22||o===22&&n>=3||o===20&&n>=16)return u.getBuiltinModule(e)}return S(e)},{mkdir:V,writeFile:O}=$("node:fs/promises"),{resolve:b,sep:k,join:P}=$("node:path");let y;const W=e=>{y=e},_=async()=>y||(await import("./shell-runner.js")).createShellRunner(),v=e=>!e||!/^[\dv]/i.test(e)?!1:/^[\d.+\-a-z]+$/i.test(e),D=e=>{const o=e.trim(),n=/^(?:[a-z]+(?:\([^)]+\))?:\s+)?[Bb]ump\s+(?<dep>\S+)\s+from\s+(?<fromVersion>\S+)\s+to\s+(?<toVersion>\S+)(?:\s+in\s+\S+)?$/.exec(o);if(n?.groups){const t=n.groups.toVersion;return v(t)?{dep:n.groups.dep,fromVersion:n.groups.fromVersion,toVersion:t}:void 0}const s=/^(?:[a-z]+(?:\([^)]+\))?:\s+)?[Uu]pdate\s+(?:dependency|module)\s+(?<dep>\S+)\s+to\s+(?<toVersion>\S+)(?:\s+\S.*)?$/.exec(o);if(s?.groups){const t=s.groups.toVersion;return v(t)?{dep:s.groups.dep,fromVersion:"",toVersion:t}:void 0}},A=async e=>{const o=process.env.PR_NUMBER;if(o&&/^\d+$/.test(o))return Number.parseInt(o,10);const n=process.env.GITHUB_REF;if(n){const s=/^refs\/pull\/(\d+)\//.exec(n);if(s)return Number.parseInt(s[1],10)}try{const s=await(await _()).run("gh",["pr","view","--json","number"],{cwd:e,silent:!0});if(s.exitCode===0){const t=JSON.parse(s.stdout.trim());if(typeof t.number=="number")return t.number}}catch{}},L=async(e,o)=>{try{const n=await(await _()).run("gh",["pr","view",String(o),"--json","title,body,author"],{cwd:e,silent:!0});return n.exitCode!==0?void 0:JSON.parse(n.stdout.trim())}catch{return}},U=(e,o)=>{const n=[];for(const s of o){const{manifest:t}=s;(Object.hasOwn(t.dependencies??{},e)||Object.hasOwn(t.devDependencies??{},e)||Object.hasOwn(t.peerDependencies??{},e)||Object.hasOwn(t.optionalDependencies??{},e))&&n.push(s.name)}return n},F=e=>{const o={};for(const n of e.split(",")){const s=n.trim();if(!s)continue;const t=s.lastIndexOf(":");if(t<1)throw new w({code:"BUMP_FILE_INVALID",message:`Invalid --packages entry: ${JSON.stringify(s)}. Expected "package:level".`});const i=s.slice(0,t).trim(),r=s.slice(t+1).trim();if(r!=="major"&&r!=="minor"&&r!=="patch"&&r!=="none")throw new w({code:"BUMP_FILE_INVALID",message:`Invalid bump level: ${JSON.stringify(r)}. Expected major|minor|patch|none.`});o[i]=r}return o},M=async e=>{const{multiSelectPrompt:o,selectPrompt:n,textPrompt:s}=await import("./prompts.js"),t=await o("Which packages to bump?",e.map(p=>({label:p,value:p}))),i={};for(const p of t){const f=await n(`Bump level for ${p}?`,[{label:"patch — bug fixes only",value:"patch"},{label:"minor — new feature, backward-compatible",value:"minor"},{label:"major — breaking change",value:"major"},{label:"none — acknowledged, no direct bump",value:"none"}]);i[p]=f}const r=await s("Changelog entry (markdown):","");return{bumps:i,message:r}},Y=async({logger:e,options:o,workspaceRoot:n})=>{const s=n??process.cwd(),t=await E({cwd:s,skipRegistryLookup:!0});let i={},r=o.message??"";if(o.fromBotPr){const c=await A(s);if(c===void 0){e.error("No PR found. Set PR_NUMBER, run inside a GitHub Actions PR workflow, or check `gh pr view` works on this branch."),process.exitCode=1;return}const a=await L(s,c);if(!a||typeof a.title!="string"){e.error(`Could not fetch PR #${c} via \`gh pr view\`. Ensure gh is on PATH and authenticated.`),process.exitCode=1;return}const d=D(a.title);if(!d){e.info(`PR #${c} title is not a recognised Dependabot / Renovate pattern; skipping.`),e.info(`Title: ${a.title}`),process.exitCode=0;return}const h=U(d.dep,t.packages),N=d.fromVersion?`from ${d.fromVersion} to ${d.toVersion}`:`to ${d.toVersion}`;if(r=r||`Updated ${d.dep} ${N}`,h.length===0){const g=t.packages[0]?.name;if(!g){e.error("Workspace has no packages — cannot author an acknowledging change file."),process.exitCode=1;return}i={[g]:"none"},r=`${r} (no workspace package depends on ${d.dep})`}else for(const g of h)i[g]="patch"}else if(o.empty)i={},r=r||"Empty change file (no release).";else if(o.packages){i=F(o.packages);const c=new Set(t.packages.map(a=>a.name));for(const a of Object.keys(i))if(!c.has(a))throw new w({code:"BUMP_FILE_INVALID",message:`Unknown workspace package in --packages: ${JSON.stringify(a)}.`,packageName:a})}else{if(!process.stdout.isTTY){e.error("--packages is required when stdin is not a TTY."),e.error("Example: vis release add --packages '@scope/cerebro:minor' --message 'Add X'"),process.exitCode=1;return}const c=await M(t.packages.map(a=>a.name));i=c.bumps,r=r||c.message}if(Object.keys(i).length===0){e.error("No bumps specified."),process.exitCode=1;return}const p=t.config.changesDir??C,f=(o.name??T()).replaceAll(/[^a-z0-9-]/gi,"-"),l=b(s),x=l.endsWith(k)?l:`${l}${k}`,m=b(s,p);if(m!==l&&!m.startsWith(x))throw new w({code:"CONFIG_INVALID",message:`changesDir resolves outside the workspace: ${m} (workspace: ${l}).`});const j=P(m,`${f}.md`),I=B({bumps:i},r);await V(m,{recursive:!0}),await O(j,I,{flag:"wx"}),e.info(`Created ${p}/${f}.md`),e.info("");for(const[c,a]of Object.entries(i))e.info(` ${c}: ${a}`);r&&(e.info(""),e.info(` Body: ${r.split(`
2
- `)[0]?.slice(0,80)??""}`))};export{W as __setBotPrRunnerForTests,Y as default,D as parseBotPrTitle};
1
+ import{createRequire as h}from"node:module";import{A as b,B as v}from"../packem_shared/index-BDmTbWX1.js";import{r as y}from"../packem_shared/command-runtime-CR70qSUM.js";const w=h(import.meta.url),n=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,_=o=>{if(typeof n<"u"&&n.versions&&n.versions.node){const[r,s]=n.versions.node.split(".").map(Number);if(r>22||r===22&&s>=3||r===20&&s>=16)return n.getBuiltinModule(o)}return w(o)},{spawnSync:l}=_("node:child_process"),x=["--experimental-transform-types","--disable-warning=ExperimentalWarning"],E=(o,r,s)=>{const e=l(process.execPath,[...x,o,...r],{cwd:s,stdio:"inherit"});if(e.error)throw e.error;return e.status??(e.signal?1:0)},j=(o,r,s)=>{const e=l("bun",["run",o,...r],{cwd:s,stdio:"inherit"});if(e.error){const{code:c}=e.error;throw c==="ENOENT"?new Error("Runtime is set to bun but the `bun` binary is not on PATH. Install it from https://bun.sh."):e.error}return e.status??(e.signal?1:0)},N=async({argument:o,logger:r,options:s,rawUnknown:e,visConfig:c,workspaceRoot:d})=>{const f=o??[],[t,...m]=f;if(t===void 0)throw new Error("No file specified. Usage: vis x <file> [args...]");const i=process.cwd(),a=b(t)?t:v(i,t),u=[...m,...e??[]],{runtime:g}=y({logger:r,options:s,visConfig:c},d??i),p=g==="bun"?j(a,u,i):E(a,u,i);p!==0&&(process.exitCode=p)};export{N as default};
@@ -1,2 +1,2 @@
1
- import{releaseChangelog as l}from"../packem_shared/ReleaseClient-YHzBIxYS.js";const c=async({logger:o,options:t,workspaceRoot:r})=>{const s=r??process.cwd(),i=t.filter?t.filter.split(",").map(e=>e.trim()).filter(Boolean):void 0,n=await l({channel:t.channel,cwd:s,projects:i});if(t.json){process.stdout.write(`${JSON.stringify(n,null,2)}
2
- `),n.projectChangelogs.length===0&&(process.exitCode=1);return}if(n.projectChangelogs.length===0){o.info("No pending releases — no changelog entries to render."),process.exitCode=1;return}for(const e of n.projectChangelogs)o.info(`# ${e.package} → ${e.file}`),o.info(""),o.info(e.content),o.info("")};export{c as default};
1
+ import{createRequire as R}from"node:module";import{DEFAULT_CHANGES_DIR as C}from"./DEFAULT_CLEAN_KEEP.js";import{b as E,f as B}from"./orchestrator.js";import{r as T}from"../packem_shared/slug-DoueYuLo.js";import{VisReleaseError as w}from"../packem_shared/VisReleaseError-DMGRBTNO.js";const S=R(import.meta.url),u=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,$=e=>{if(typeof u<"u"&&u.versions&&u.versions.node){const[o,n]=u.versions.node.split(".").map(Number);if(o>22||o===22&&n>=3||o===20&&n>=16)return u.getBuiltinModule(e)}return S(e)},{mkdir:V,writeFile:O}=$("node:fs/promises"),{resolve:b,sep:k,join:P}=$("node:path");let y;const W=e=>{y=e},_=async()=>y||(await import("./shell-runner.js")).createShellRunner(),v=e=>!e||!/^[\dv]/i.test(e)?!1:/^[\d.+\-a-z]+$/i.test(e),D=e=>{const o=e.trim(),n=/^(?:[a-z]+(?:\([^)]+\))?:\s+)?[Bb]ump\s+(?<dep>\S+)\s+from\s+(?<fromVersion>\S+)\s+to\s+(?<toVersion>\S+)(?:\s+in\s+\S+)?$/.exec(o);if(n?.groups){const t=n.groups.toVersion;return v(t)?{dep:n.groups.dep,fromVersion:n.groups.fromVersion,toVersion:t}:void 0}const s=/^(?:[a-z]+(?:\([^)]+\))?:\s+)?[Uu]pdate\s+(?:dependency|module)\s+(?<dep>\S+)\s+to\s+(?<toVersion>\S+)(?:\s+\S.*)?$/.exec(o);if(s?.groups){const t=s.groups.toVersion;return v(t)?{dep:s.groups.dep,fromVersion:"",toVersion:t}:void 0}},A=async e=>{const o=process.env.PR_NUMBER;if(o&&/^\d+$/.test(o))return Number.parseInt(o,10);const n=process.env.GITHUB_REF;if(n){const s=/^refs\/pull\/(\d+)\//.exec(n);if(s)return Number.parseInt(s[1],10)}try{const s=await(await _()).run("gh",["pr","view","--json","number"],{cwd:e,silent:!0});if(s.exitCode===0){const t=JSON.parse(s.stdout.trim());if(typeof t.number=="number")return t.number}}catch{}},L=async(e,o)=>{try{const n=await(await _()).run("gh",["pr","view",String(o),"--json","title,body,author"],{cwd:e,silent:!0});return n.exitCode!==0?void 0:JSON.parse(n.stdout.trim())}catch{return}},U=(e,o)=>{const n=[];for(const s of o){const{manifest:t}=s;(Object.hasOwn(t.dependencies??{},e)||Object.hasOwn(t.devDependencies??{},e)||Object.hasOwn(t.peerDependencies??{},e)||Object.hasOwn(t.optionalDependencies??{},e))&&n.push(s.name)}return n},F=e=>{const o={};for(const n of e.split(",")){const s=n.trim();if(!s)continue;const t=s.lastIndexOf(":");if(t<1)throw new w({code:"BUMP_FILE_INVALID",message:`Invalid --packages entry: ${JSON.stringify(s)}. Expected "package:level".`});const i=s.slice(0,t).trim(),r=s.slice(t+1).trim();if(r!=="major"&&r!=="minor"&&r!=="patch"&&r!=="none")throw new w({code:"BUMP_FILE_INVALID",message:`Invalid bump level: ${JSON.stringify(r)}. Expected major|minor|patch|none.`});o[i]=r}return o},M=async e=>{const{multiSelectPrompt:o,selectPrompt:n,textPrompt:s}=await import("./prompts.js"),t=await o("Which packages to bump?",e.map(p=>({label:p,value:p}))),i={};for(const p of t){const f=await n(`Bump level for ${p}?`,[{label:"patch — bug fixes only",value:"patch"},{label:"minor — new feature, backward-compatible",value:"minor"},{label:"major — breaking change",value:"major"},{label:"none — acknowledged, no direct bump",value:"none"}]);i[p]=f}const r=await s("Changelog entry (markdown):","");return{bumps:i,message:r}},Y=async({logger:e,options:o,workspaceRoot:n})=>{const s=n??process.cwd(),t=await E({cwd:s,skipRegistryLookup:!0});let i={},r=o.message??"";if(o.fromBotPr){const c=await A(s);if(c===void 0){e.error("No PR found. Set PR_NUMBER, run inside a GitHub Actions PR workflow, or check `gh pr view` works on this branch."),process.exitCode=1;return}const a=await L(s,c);if(!a||typeof a.title!="string"){e.error(`Could not fetch PR #${c} via \`gh pr view\`. Ensure gh is on PATH and authenticated.`),process.exitCode=1;return}const d=D(a.title);if(!d){e.info(`PR #${c} title is not a recognised Dependabot / Renovate pattern; skipping.`),e.info(`Title: ${a.title}`),process.exitCode=0;return}const h=U(d.dep,t.packages),N=d.fromVersion?`from ${d.fromVersion} to ${d.toVersion}`:`to ${d.toVersion}`;if(r=r||`Updated ${d.dep} ${N}`,h.length===0){const g=t.packages[0]?.name;if(!g){e.error("Workspace has no packages — cannot author an acknowledging change file."),process.exitCode=1;return}i={[g]:"none"},r=`${r} (no workspace package depends on ${d.dep})`}else for(const g of h)i[g]="patch"}else if(o.empty)i={},r=r||"Empty change file (no release).";else if(o.packages){i=F(o.packages);const c=new Set(t.packages.map(a=>a.name));for(const a of Object.keys(i))if(!c.has(a))throw new w({code:"BUMP_FILE_INVALID",message:`Unknown workspace package in --packages: ${JSON.stringify(a)}.`,packageName:a})}else{if(!process.stdout.isTTY){e.error("--packages is required when stdin is not a TTY."),e.error("Example: vis release add --packages '@scope/cerebro:minor' --message 'Add X'"),process.exitCode=1;return}const c=await M(t.packages.map(a=>a.name));i=c.bumps,r=r||c.message}if(Object.keys(i).length===0){e.error("No bumps specified."),process.exitCode=1;return}const p=t.config.changesDir??C,f=(o.name??T()).replaceAll(/[^a-z0-9-]/gi,"-"),l=b(s),x=l.endsWith(k)?l:`${l}${k}`,m=b(s,p);if(m!==l&&!m.startsWith(x))throw new w({code:"CONFIG_INVALID",message:`changesDir resolves outside the workspace: ${m} (workspace: ${l}).`});const j=P(m,`${f}.md`),I=B({bumps:i},r);await V(m,{recursive:!0}),await O(j,I,{flag:"wx"}),e.info(`Created ${p}/${f}.md`),e.info("");for(const[c,a]of Object.entries(i))e.info(` ${c}: ${a}`);r&&(e.info(""),e.info(` Body: ${r.split(`
2
+ `)[0]?.slice(0,80)??""}`))};export{W as __setBotPrRunnerForTests,Y as default,D as parseBotPrTitle};
@@ -1,2 +1,2 @@
1
- import{DEFAULT_CHANGES_DIR as R}from"./DEFAULT_CLEAN_KEEP.js";import{b as D,r as F,c as b}from"./orchestrator.js";import{createShellRunner as E}from"./shell-runner.js";const y=async({logger:r,options:d,workspaceRoot:$})=>{const s=$??process.cwd(),p=d.noFail===!0,u=d.strict===!0,t=await D({cwd:s}),{printConfigIfRequested:x}=await import("./print-config.js");if(x(d,t,r))return;const{files:i}=await F({changesDir:t.config.changesDir,cwd:s});if(i.length===0){u?(r.error("No change files present and --strict is set."),r.error(`Run \`vis release add\` to author one in ${t.config.changesDir??R}.`),process.exitCode=p?0:1):(r.warn("No change files present. PR will not produce a release."),process.exitCode=0);return}if(!u){r.info(`${i.length} change file(s) present. ✓`),process.exitCode=0;return}const m=t.config.baseBranch??"main",g=await E().run("git",["diff","--name-only",`${m}...HEAD`],{cwd:s,silent:!0});if(g.exitCode!==0){r.warn(`Could not run git diff vs ${m}: ${g.stderr}`),process.exitCode=0;return}const f=g.stdout.split(`
2
- `).map(e=>e.trim()).filter(Boolean);if(f.length===0){r.info("No source files changed."),process.exitCode=0;return}const{default:w}=await import("./index.js"),k=t.config.changedFilePatterns??["**"],v=(e,n,l)=>{if(!e.startsWith(`${n}/`))return!1;const h=e.slice(n.length+1);return l.some(o=>w(o,h))},C=new Set(b(i).keys()),c=new Set;for(const e of f){const n=t.packages.find(o=>{const a=o.dir.startsWith(s)?o.dir.slice(s.length).replace(/^[/\\]/,""):o.dir;return e===`${a}/package.json`||e.startsWith(`${a}/`)});for(const o of t.packages){const a=t.perPackageConfig.get(o.name)?.additionalPaths;!a||a.length===0||a.some(P=>w(P,e))&&!C.has(o.name)&&c.add(o.name)}if(!n)continue;const l=n.dir.startsWith(s)?n.dir.slice(s.length).replace(/^[/\\]/,""):n.dir,h=t.perPackageConfig.get(n.name)?.changedFilePatterns??k;e!==`${l}/package.json`&&!v(e,l,h)||C.has(n.name)||c.add(n.name)}if(c.size>0){r.error("The following packages have changes but no covering change file:");for(const e of c)r.error(` - ${e}`);r.error("Run `vis release add` to author one."),process.exitCode=p?0:1;return}r.info(`${i.length} change file(s); ${f.length} changed file(s) all covered. ✓`),process.exitCode=0};export{y as default};
1
+ import{releaseChangelog as l}from"../packem_shared/ReleaseClient-YHzBIxYS.js";const c=async({logger:o,options:t,workspaceRoot:r})=>{const s=r??process.cwd(),i=t.filter?t.filter.split(",").map(e=>e.trim()).filter(Boolean):void 0,n=await l({channel:t.channel,cwd:s,projects:i});if(t.json){process.stdout.write(`${JSON.stringify(n,null,2)}
2
+ `),n.projectChangelogs.length===0&&(process.exitCode=1);return}if(n.projectChangelogs.length===0){o.info("No pending releases — no changelog entries to render."),process.exitCode=1;return}for(const e of n.projectChangelogs)o.info(`# ${e.package} ${e.file}`),o.info(""),o.info(e.content),o.info("")};export{c as default};
@@ -1,3 +1,2 @@
1
- import{b as h}from"./orchestrator.js";import{escapeMarkdown as f}from"./security.js";import{createShellRunner as g}from"./shell-runner.js";import{d as w,a as R,u as $}from"../packem_shared/sticky-comment-D6_7-w8T.js";const k=(o,a)=>{const e=["### 🚀 Release Plan",""];if(a&&(e.push(`Channel: \`${a}\``),e.push("")),o.releases.length===0)return e.push("_No pending releases._ (Add a change file via `vis release add` to mark this PR as releasing.)"),e.join(`
2
- `);const n={major:[],minor:[],patch:[]};for(const s of o.releases)n[s.type].push(s);for(const s of["major","minor","patch"])if(n[s].length!==0){e.push(`#### ${s.charAt(0).toUpperCase()}${s.slice(1)}`),e.push("");for(const r of n[s]){const t=[];r.isCascadeBump&&t.push("cascade"),r.isGroupBump&&t.push("group"),r.isDependencyBump&&!r.isCascadeBump&&t.push("dep-bump");const i=t.length>0?` _(${t.join(", ")})_`:"";e.push(`- \`${r.name}\`: ${r.oldVersion} → **${r.newVersion}**${i}`)}e.push("")}if(o.warnings.length>0){e.push("#### ⚠️ Warnings"),e.push("");for(const s of o.warnings)e.push(`- ${f(s)}`)}return e.join(`
3
- `)},v=async({logger:o,options:a,workspaceRoot:e})=>{const n=e??process.cwd(),s=a.noFail===!0,r=a.strict===!0,t=g(),i=await w(t,n),c=R(process.env);(!i||!c)&&o.warn("Not running in a PR context (GITHUB_REF / PR_NUMBER missing or `gh repo view` failed). Falling back to local print.");const p=await h({cwd:n,skipRegistryLookup:!0}),{printConfigIfRequested:d}=await import("./print-config.js");if(d(a,p,o))return;const m=p.config.versionPr?.commentMarker??"<!-- vis-release-comment -->",l=k(p.plan,p.channel?.tag);if(i&&c){const u=await $({body:l,cwd:n,issueNumber:c,marker:m,repo:i,runner:t});if(u)o.info(`${u.created?"Posted":"Updated"} release-plan comment on PR #${c} (id: ${u.id}).`);else{o.error("Failed to post / update PR comment."),process.exitCode=s?0:1;return}}else o.info(l);r&&p.plan.releases.length===0&&(o.error("--strict and no pending releases."),process.exitCode=s?0:1)};export{v as default};
1
+ import{DEFAULT_CHANGES_DIR as R}from"./DEFAULT_CLEAN_KEEP.js";import{b as D,r as F,c as b}from"./orchestrator.js";import{createShellRunner as E}from"./shell-runner.js";const y=async({logger:r,options:d,workspaceRoot:$})=>{const s=$??process.cwd(),p=d.noFail===!0,u=d.strict===!0,t=await D({cwd:s}),{printConfigIfRequested:x}=await import("./print-config.js");if(x(d,t,r))return;const{files:i}=await F({changesDir:t.config.changesDir,cwd:s});if(i.length===0){u?(r.error("No change files present and --strict is set."),r.error(`Run \`vis release add\` to author one in ${t.config.changesDir??R}.`),process.exitCode=p?0:1):(r.warn("No change files present. PR will not produce a release."),process.exitCode=0);return}if(!u){r.info(`${i.length} change file(s) present. ✓`),process.exitCode=0;return}const m=t.config.baseBranch??"main",g=await E().run("git",["diff","--name-only",`${m}...HEAD`],{cwd:s,silent:!0});if(g.exitCode!==0){r.warn(`Could not run git diff vs ${m}: ${g.stderr}`),process.exitCode=0;return}const f=g.stdout.split(`
2
+ `).map(e=>e.trim()).filter(Boolean);if(f.length===0){r.info("No source files changed. ✓"),process.exitCode=0;return}const{default:w}=await import("./index.js"),k=t.config.changedFilePatterns??["**"],v=(e,n,l)=>{if(!e.startsWith(`${n}/`))return!1;const h=e.slice(n.length+1);return l.some(o=>w(o,h))},C=new Set(b(i).keys()),c=new Set;for(const e of f){const n=t.packages.find(o=>{const a=o.dir.startsWith(s)?o.dir.slice(s.length).replace(/^[/\\]/,""):o.dir;return e===`${a}/package.json`||e.startsWith(`${a}/`)});for(const o of t.packages){const a=t.perPackageConfig.get(o.name)?.additionalPaths;!a||a.length===0||a.some(P=>w(P,e))&&!C.has(o.name)&&c.add(o.name)}if(!n)continue;const l=n.dir.startsWith(s)?n.dir.slice(s.length).replace(/^[/\\]/,""):n.dir,h=t.perPackageConfig.get(n.name)?.changedFilePatterns??k;e!==`${l}/package.json`&&!v(e,l,h)||C.has(n.name)||c.add(n.name)}if(c.size>0){r.error("The following packages have changes but no covering change file:");for(const e of c)r.error(` - ${e}`);r.error("Run `vis release add` to author one."),process.exitCode=p?0:1;return}r.info(`${i.length} change file(s); ${f.length} changed file(s) all covered. ✓`),process.exitCode=0};export{y as default};
@@ -1,6 +1,3 @@
1
- import{createRequire as _}from"node:module";import{b as y}from"./orchestrator.js";const m=_(import.meta.url),r=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,g=n=>{if(typeof r<"u"&&r.versions&&r.versions.node){const[o,i]=r.versions.node.split(".").map(Number);if(o>22||o===22&&i>=3||o===20&&i>=16)return r.getBuiltinModule(n)}return m(n)},{appendFileSync:f}=g("node:fs"),B=async({logger:n,options:o,workspaceRoot:i})=>{const l=i??process.cwd(),s=await y({cwd:l,skipRegistryLookup:!0}),{printConfigIfRequested:u}=await import("./print-config.js");if(u(o,s,n))return;const t=s.plan.releases.length===0?"nothing":s.channel?.mode==="version-pr"?"version-pr":"publish",a=s.plan.releases.map(e=>e.name),p={channel:s.channel?.tag,mode:t,packages:a,plan:s.plan.releases.map(e=>({isCascadeBump:e.isCascadeBump,isDependencyBump:e.isDependencyBump,isGroupBump:e.isGroupBump,name:e.name,newVersion:e.newVersion,oldVersion:e.oldVersion,type:e.type})),prerelease:s.channel?.prerelease,warnings:s.plan.warnings};process.stdout.write(`${JSON.stringify(p,null,2)}
2
- `);const c=process.env.GITHUB_OUTPUT;if(c){const e=[`mode=${t}`,`packages=${a.join(",")}`,`json<<__VIS_RELEASE_EOF__
3
- ${JSON.stringify(p)}
4
- __VIS_RELEASE_EOF__`];try{f(c,`${e.join(`
5
- `)}
6
- `)}catch(d){n.warn(`Could not write $GITHUB_OUTPUT: ${d.message}`)}}};export{B as default};
1
+ import{b as h}from"./orchestrator.js";import{escapeMarkdown as f}from"./security.js";import{createShellRunner as g}from"./shell-runner.js";import{d as w,a as R,u as $}from"../packem_shared/sticky-comment-D6_7-w8T.js";const k=(o,a)=>{const e=["### 🚀 Release Plan",""];if(a&&(e.push(`Channel: \`${a}\``),e.push("")),o.releases.length===0)return e.push("_No pending releases._ (Add a change file via `vis release add` to mark this PR as releasing.)"),e.join(`
2
+ `);const n={major:[],minor:[],patch:[]};for(const s of o.releases)n[s.type].push(s);for(const s of["major","minor","patch"])if(n[s].length!==0){e.push(`#### ${s.charAt(0).toUpperCase()}${s.slice(1)}`),e.push("");for(const r of n[s]){const t=[];r.isCascadeBump&&t.push("cascade"),r.isGroupBump&&t.push("group"),r.isDependencyBump&&!r.isCascadeBump&&t.push("dep-bump");const i=t.length>0?` _(${t.join(", ")})_`:"";e.push(`- \`${r.name}\`: ${r.oldVersion} → **${r.newVersion}**${i}`)}e.push("")}if(o.warnings.length>0){e.push("#### ⚠️ Warnings"),e.push("");for(const s of o.warnings)e.push(`- ${f(s)}`)}return e.join(`
3
+ `)},v=async({logger:o,options:a,workspaceRoot:e})=>{const n=e??process.cwd(),s=a.noFail===!0,r=a.strict===!0,t=g(),i=await w(t,n),c=R(process.env);(!i||!c)&&o.warn("Not running in a PR context (GITHUB_REF / PR_NUMBER missing or `gh repo view` failed). Falling back to local print.");const p=await h({cwd:n,skipRegistryLookup:!0}),{printConfigIfRequested:d}=await import("./print-config.js");if(d(a,p,o))return;const m=p.config.versionPr?.commentMarker??"<!-- vis-release-comment -->",l=k(p.plan,p.channel?.tag);if(i&&c){const u=await $({body:l,cwd:n,issueNumber:c,marker:m,repo:i,runner:t});if(u)o.info(`${u.created?"Posted":"Updated"} release-plan comment on PR #${c} (id: ${u.id}).`);else{o.error("Failed to post / update PR comment."),process.exitCode=s?0:1;return}}else o.info(l);r&&p.plan.releases.length===0&&(o.error("--strict and no pending releases."),process.exitCode=s?0:1)};export{v as default};
@@ -1 +1,6 @@
1
- import{b as f}from"./orchestrator.js";import{createShellRunner as g}from"./shell-runner.js";const p=async({logger:r,options:n,workspaceRoot:l})=>{const t=l??process.cwd(),i=g(),s=await f({cwd:t}),e=n.branch??s.config.versionPr?.branch??"vis-release/version-packages",o=n.base??s.config.baseBranch??"main";r.info(`Rebasing ${e} onto ${o}...`);const a=await i.run("git",["fetch","origin",`${e}:${e}`,o],{cwd:t,silent:!0});if(a.exitCode!==0){r.info(`No remote branch ${e} to rebase (${a.stderr.trim()||"fetch failed"}). Skipping.`);return}const c=await i.run("git",["switch",e],{cwd:t,silent:!0});if(c.exitCode!==0){r.error(`Could not switch to ${e}: ${c.stderr.trim()}`),process.exitCode=1;return}if((await i.run("git",["rebase",`origin/${o}`],{cwd:t,silent:!0})).exitCode!==0){await i.run("git",["rebase","--abort"],{cwd:t,silent:!0}),r.error("Rebase produced conflicts; aborting. Resolve manually, or let the next `vis release ci release` recompute the version PR from scratch."),process.exitCode=1;return}const u=await i.run("git",["rev-list","--count",`origin/${e}..${e}`],{cwd:t,silent:!0});if(u.exitCode===0&&u.stdout.trim()==="0"){r.info(`${e} is already up to date with ${o}. Nothing to push.`);return}const d=await i.run("git",["push","--force-with-lease","origin",`${e}:${e}`],{cwd:t,silent:!0});if(d.exitCode!==0){r.error(`Failed to force-push ${e}: ${d.stderr.trim()}`),process.exitCode=1;return}r.info(`Force-pushed ${e} after rebasing onto ${o}.`)};export{p as default};
1
+ import{createRequire as _}from"node:module";import{b as y}from"./orchestrator.js";const m=_(import.meta.url),r=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,g=n=>{if(typeof r<"u"&&r.versions&&r.versions.node){const[o,i]=r.versions.node.split(".").map(Number);if(o>22||o===22&&i>=3||o===20&&i>=16)return r.getBuiltinModule(n)}return m(n)},{appendFileSync:f}=g("node:fs"),B=async({logger:n,options:o,workspaceRoot:i})=>{const l=i??process.cwd(),s=await y({cwd:l,skipRegistryLookup:!0}),{printConfigIfRequested:u}=await import("./print-config.js");if(u(o,s,n))return;const t=s.plan.releases.length===0?"nothing":s.channel?.mode==="version-pr"?"version-pr":"publish",a=s.plan.releases.map(e=>e.name),p={channel:s.channel?.tag,mode:t,packages:a,plan:s.plan.releases.map(e=>({isCascadeBump:e.isCascadeBump,isDependencyBump:e.isDependencyBump,isGroupBump:e.isGroupBump,name:e.name,newVersion:e.newVersion,oldVersion:e.oldVersion,type:e.type})),prerelease:s.channel?.prerelease,warnings:s.plan.warnings};process.stdout.write(`${JSON.stringify(p,null,2)}
2
+ `);const c=process.env.GITHUB_OUTPUT;if(c){const e=[`mode=${t}`,`packages=${a.join(",")}`,`json<<__VIS_RELEASE_EOF__
3
+ ${JSON.stringify(p)}
4
+ __VIS_RELEASE_EOF__`];try{f(c,`${e.join(`
5
+ `)}
6
+ `)}catch(d){n.warn(`Could not write $GITHUB_OUTPUT: ${d.message}`)}}};export{B as default};
@@ -1,42 +1 @@
1
- const i=`
2
- 🔧 vis release CI setup
3
-
4
- 1. Workflow permissions
5
- Add to .github/workflows/vis-release.yml:
6
- permissions:
7
- contents: write
8
- pull-requests: write
9
- id-token: write # required for OIDC trusted publishing on npm
10
-
11
- 2. Secrets
12
- Required:
13
- - VIS_GH_TOKEN — PAT or GitHub App token. Used to force-push the
14
- version-PR branch and create/edit the version PR. The default
15
- \${{ github.token }} is anti-recursion-locked and cannot trigger
16
- downstream workflows on the version-PR.
17
- - GH_TOKEN — \${{ github.token }} works for read-only / commenting.
18
- Optional:
19
- - NPM_TOKEN — fallback when OIDC is not available. Trusted Publishing
20
- (id-token: write) is preferred.
21
-
22
- 3. Trusted Publishing on npm
23
- For each published package:
24
- a. https://npmjs.com/package/<name>/access → Publishing access
25
- b. Add a Trusted Publisher with provider=GitHub Actions
26
- c. Repository: visulima/visulima
27
- d. Workflow filename: vis-release.yml
28
- e. Environment name: (leave blank unless you use one)
29
-
30
- 4. Concurrency group (recommended)
31
- concurrency:
32
- group: vis-release-\${{ github.ref }}
33
- cancel-in-progress: false
34
-
35
- 5. Husky pre-commit gate (optional)
36
- Add to .husky/pre-commit:
37
- vis release check --hook pre-commit --no-fail
38
- (Or run \`vis release init\` and confirm the prompt — it'll auto-wire
39
- the hook if you say yes.)
40
-
41
- 📚 RFC: packages/tooling/vis/rfc/design-release-manager.md (§16)
42
- `,o=async({logger:e})=>{e.info(i)};export{o as default};
1
+ import{b as f}from"./orchestrator.js";import{createShellRunner as g}from"./shell-runner.js";const p=async({logger:r,options:n,workspaceRoot:l})=>{const t=l??process.cwd(),i=g(),s=await f({cwd:t}),e=n.branch??s.config.versionPr?.branch??"vis-release/version-packages",o=n.base??s.config.baseBranch??"main";r.info(`Rebasing ${e} onto ${o}...`);const a=await i.run("git",["fetch","origin",`${e}:${e}`,o],{cwd:t,silent:!0});if(a.exitCode!==0){r.info(`No remote branch ${e} to rebase (${a.stderr.trim()||"fetch failed"}). Skipping.`);return}const c=await i.run("git",["switch",e],{cwd:t,silent:!0});if(c.exitCode!==0){r.error(`Could not switch to ${e}: ${c.stderr.trim()}`),process.exitCode=1;return}if((await i.run("git",["rebase",`origin/${o}`],{cwd:t,silent:!0})).exitCode!==0){await i.run("git",["rebase","--abort"],{cwd:t,silent:!0}),r.error("Rebase produced conflicts; aborting. Resolve manually, or let the next `vis release ci release` recompute the version PR from scratch."),process.exitCode=1;return}const u=await i.run("git",["rev-list","--count",`origin/${e}..${e}`],{cwd:t,silent:!0});if(u.exitCode===0&&u.stdout.trim()==="0"){r.info(`${e} is already up to date with ${o}. Nothing to push.`);return}const d=await i.run("git",["push","--force-with-lease","origin",`${e}:${e}`],{cwd:t,silent:!0});if(d.exitCode!==0){r.error(`Failed to force-push ${e}: ${d.stderr.trim()}`),process.exitCode=1;return}r.info(`Force-pushed ${e} after rebasing onto ${o}.`)};export{p as default};
@@ -1,8 +1,42 @@
1
- import{b as g}from"./orchestrator.js";import{detectRemoteProvider as h,createRemoteClient as $}from"./detect2.js";import{createShellRunner as w}from"./shell-runner.js";import{runSnapshot as R}from"./snapshot.js";const y=(r,o)=>{if(r.length===0)return"_No packages were affected by this PR._";const n=["### 📦 Preview Packages",""];for(const e of r){const t=`${e.name}@${e.version}`;n.push(`- \`${e.name}\` → \`${e.version}\``),o?n.push(` \`\`\`sh
2
- npm i ${t} --registry ${o}
3
- \`\`\``):n.push(` \`\`\`sh
4
- npm i ${t}
5
- \`\`\``)}return n.join(`
6
- `)},S=async({logger:r,options:o,workspaceRoot:n})=>{const e=n??process.cwd(),t=w(),l=await h(e,t),a=$(l),s=a.detectPullRequestNumber(process.env),p=o.tag??(s?`pr-${s}`:void 0);if(!p){r.error("Could not determine snapshot tag. Pass --tag or run in a PR context (GITHUB_REF=refs/pull/<n>/merge)."),process.exitCode=1;return}if(o.onClose){await C(e,t,a,s,r);return}let c,u;try{c=await g({cwd:e});const{printConfigIfRequested:i}=await import("./print-config.js");if(i(o,c,r))return;u=await R({context:c,runner:t,tag:p})}catch(i){r.error(`Snapshot failed: ${i.message}`),process.exitCode=1;return}if(r.info(`Snapshotted ${u.published.length} package(s) at version ${u.snapshotVersion} → tag "${u.tag}"`),!s)return;const d=await a.detectRepoSlug(e,t);if(!d){r.warn("Could not detect repo slug — skipping sticky PR comment.");return}const m="<!-- vis-release-snapshot-comment -->",f=`${m}
7
-
8
- ${y(u.published,c.config.snapshot?.registry)}`;try{const i=await a.upsertStickyComment(t,{body:f,cwd:e,issueNumber:s,marker:m,repo:d});i&&r.info(`${i.created?"Posted":"Updated"} snapshot comment on PR #${s}.`)}catch(i){r.warn(`upsertStickyComment failed (publish already succeeded): ${i.message}`)}},C=async(r,o,n,e,t)=>{if(!e){t.error("PR-close cleanup requires a PR context."),process.exitCode=1;return}const l=await n.detectRepoSlug(r,o);if(!l){t.warn("Could not detect repo slug — skipping cleanup.");return}const a=await o.run("gh",["api",`repos/${l}/pulls/${e}/commits`,"--paginate"],{cwd:r,silent:!0});if(a.exitCode!==0){t.warn(`gh api failed: ${a.stderr}`);return}let s;try{s=JSON.parse(a.stdout)}catch{t.warn("Could not parse gh api output.");return}const p=[`pr-${e}`];for(const c of s)p.push(c.sha,c.sha.slice(0,7));t.info(`Cleanup intent for PR #${e}: ${p.length} tag pattern(s) across ${s.length} commit(s)`),t.info("Default backend (pkg-pr-new) auto-cleans by TTL — no DELETE issued. Implement a custom backend's delete endpoint to enable real cleanup.")};export{S as default};
1
+ const i=`
2
+ 🔧 vis release CI setup
3
+
4
+ 1. Workflow permissions
5
+ Add to .github/workflows/vis-release.yml:
6
+ permissions:
7
+ contents: write
8
+ pull-requests: write
9
+ id-token: write # required for OIDC trusted publishing on npm
10
+
11
+ 2. Secrets
12
+ Required:
13
+ - VIS_GH_TOKEN — PAT or GitHub App token. Used to force-push the
14
+ version-PR branch and create/edit the version PR. The default
15
+ \${{ github.token }} is anti-recursion-locked and cannot trigger
16
+ downstream workflows on the version-PR.
17
+ - GH_TOKEN — \${{ github.token }} works for read-only / commenting.
18
+ Optional:
19
+ - NPM_TOKEN — fallback when OIDC is not available. Trusted Publishing
20
+ (id-token: write) is preferred.
21
+
22
+ 3. Trusted Publishing on npm
23
+ For each published package:
24
+ a. https://npmjs.com/package/<name>/access → Publishing access
25
+ b. Add a Trusted Publisher with provider=GitHub Actions
26
+ c. Repository: visulima/visulima
27
+ d. Workflow filename: vis-release.yml
28
+ e. Environment name: (leave blank unless you use one)
29
+
30
+ 4. Concurrency group (recommended)
31
+ concurrency:
32
+ group: vis-release-\${{ github.ref }}
33
+ cancel-in-progress: false
34
+
35
+ 5. Husky pre-commit gate (optional)
36
+ Add to .husky/pre-commit:
37
+ vis release check --hook pre-commit --no-fail
38
+ (Or run \`vis release init\` and confirm the prompt — it'll auto-wire
39
+ the hook if you say yes.)
40
+
41
+ 📚 RFC: packages/tooling/vis/rfc/design-release-manager.md (§16)
42
+ `,o=async({logger:e})=>{e.info(i)};export{o as default};
@@ -1,9 +1,8 @@
1
- import{b as j}from"./orchestrator.js";const A=async({logger:u,options:m,workspaceRoot:h})=>{const c=h??process.cwd(),a=[];let n;try{n=await j({cwd:c}),a.push({message:"vis.config.ts loaded; release block parsed.",name:"config-loads",severity:"error",status:"pass"})}catch(e){a.push({message:`Config failed to load: ${e.message}`,name:"config-loads",severity:"error",status:"fail"}),await $(u,m,a),process.exitCode=1;return}n.packages.length===0?a.push({message:"No packages discovered. Ensure your package manager's workspace block resolves.",name:"workspace-discovered",severity:"error",status:"fail"}):a.push({message:`Discovered ${n.packages.length} workspace package(s).`,name:"workspace-discovered",severity:"info",status:"pass"});try{const e=await n.pm.detectVersion(c);e?a.push({message:`${n.pm.id}@${e} (min required: ${n.pm.minVersion})`,name:"pm-version",severity:"info",status:"pass"}):a.push({message:`Could not detect ${n.pm.id} version.`,name:"pm-version",severity:"warn",status:"skip"})}catch(e){a.push({message:`Skipped: ${e.message}`,name:"pm-version",severity:"warn",status:"skip"})}n.branch&&n.channel?a.push({message:`Branch "${n.branch}" channel ${n.channel.tag}${n.channel.prerelease?` (preid: ${n.channel.prerelease})`:""}, mode: ${n.channel.mode}`,name:"branch-channel",severity:"info",status:"pass"}):n.branch&&!n.channel?a.push({message:`Branch "${n.branch}" does not match any configured channel. Releases will use dist-tag "latest" by default.`,name:"branch-channel",severity:"warn",status:"fail"}):a.push({message:"No branch detected (detached HEAD or non-git workspace).",name:"branch-channel",severity:"warn",status:"skip"});try{await import("node:child_process").then(({execSync:e})=>{try{return e("gh --version",{stdio:"ignore"}),!0}catch{return!1}})?a.push({message:"gh CLI is on PATH.",name:"gh-cli-available",severity:"info",status:"pass"}):a.push({message:"gh CLI not found. GH releases / PR comments will be skipped.",name:"gh-cli-available",severity:"warn",status:"fail"})}catch{}if(process.env.CI==="true"||process.env.GITHUB_ACTIONS==="true")try{const{createShellRunner:e}=await import("./shell-runner.js"),i=await e().run("gh",["auth","status","--show-token"],{cwd:c,silent:!0}),t=`${i.stdout}
2
- ${i.stderr}`,s=/Token scopes:\s*(.+)/.exec(t);if(i.exitCode!==0||!s)a.push({message:"Skipped: `gh auth status` did not return a parseable Token scopes line. (Fine-grained tokens / OIDC-only auth fall in this bucket.)",name:"github.token-scopes",severity:"info",status:"skip"});else{const r=s[1].split(",").map(l=>l.trim().replaceAll(/^['"]|['"]$/g,"")).filter(Boolean),o=new Set(["admin:org","admin:repo_hook","delete_repo","repo","site_admin"]),g=r.filter(l=>o.has(l));g.length>0?a.push({message:`Token carries broader scopes than vis needs: ${g.join(", ")}. The release flow needs only contents:write + pull-requests:write (+ optional id-token:write for OIDC). Consider provisioning a fine-grained PAT or scoping the workflow's permissions block.`,name:"github.token-scopes",severity:"warn",status:"fail"}):a.push({message:`Token scopes look appropriately narrow: ${r.join(", ")||"(none)"}.`,name:"github.token-scopes",severity:"info",status:"pass"})}}catch{a.push({message:"Skipped: gh auth status could not be invoked.",name:"github.token-scopes",severity:"info",status:"skip"})}(process.env.CI==="true"||process.env.GITHUB_ACTIONS==="true")&&(process.env.ACTIONS_ID_TOKEN_REQUEST_URL?a.push({message:"GitHub Actions OIDC env vars present.",name:"oidc-available",severity:"info",status:"pass"}):process.env.NPM_TOKEN?a.push({message:"OIDC env vars missing; falling back to NPM_TOKEN. Add `permissions: { id-token: write }` to the workflow to enable trusted publishing.",name:"oidc-available",severity:"warn",status:"fail"}):a.push({message:"Neither OIDC env vars nor NPM_TOKEN are set in CI. Publish will fail.",name:"oidc-available",severity:"error",status:"fail"}));const y=await import("node:fs/promises"),b=await import("node:path");for(const e of n.packages){if(e.manifest.napi===void 0)continue;const i=b.join(e.dir,"npm");try{const t=(await y.readdir(i,{withFileTypes:!0})).filter(g=>g.isDirectory());if(t.length===0){a.push({message:`${e.name} has a napi field but no npm/<platform>/ subdirs. Run pnpm exec napi artifacts before publishing.`,name:`napi-${e.name}-platforms`,severity:"warn",status:"fail"});continue}const s=[];for(const g of t){const l=b.join(i,g.name,"package.json");try{const p=JSON.parse(await y.readFile(l,"utf8"));p.version!==e.version&&s.push(`${g.name} (${p.version} vs parent ${e.version})`)}catch{s.push(`${g.name} (unreadable manifest)`)}}s.length>0?a.push({message:`${e.name}: platform versions out of sync — ${s.join(", ")}. They'll be re-synced on next publish.`,name:`napi-${e.name}-versions`,severity:"warn",status:"fail"}):a.push({message:`${e.name}: ${t.length} platform package(s), all versions in sync.`,name:`napi-${e.name}`,severity:"info",status:"pass"});const r=e.manifest.optionalDependencies??{},o=[];for(const g of t)try{const l=JSON.parse(await y.readFile(b.join(i,g.name,"package.json"),"utf8"));Object.hasOwn(r,l.name)||o.push(l.name)}catch{}o.length>0&&a.push({message:`${e.name}: missing optionalDependencies entries for: ${o.join(", ")}. Consumers won't get the right binary.`,name:`napi-${e.name}-optdeps`,severity:"error",status:"fail"})}catch{a.push({message:`${e.name}: could not read npm/ subdir.`,name:`napi-${e.name}-platforms`,severity:"warn",status:"skip"})}}{const{resolveVersionActionsId:e}=await import("./orchestrator.js").then(t=>t.w),i=n.packages.filter(t=>e(t,n.perPackageConfig.get(t.name)??{})==="jsr");for(const t of i){const s=n.perPackageConfig.get(t.name)??{},r=["jsr","publish","--dry-run","--allow-dirty"],o=s.jsrConfigPath;o!==void 0&&o!=="jsr.json"&&r.push("--config",o);for(const g of s.jsrPublishArgs??[])r.push(g);try{const g=await n.pm.runner.run("npx",r,{cwd:t.dir,silent:!0});g.exitCode===0?a.push({message:`${t.name}: \`jsr publish --dry-run\` passed.`,name:`jsr-dry-run/${t.name}`,severity:"info",status:"pass"}):a.push({message:`${t.name}: \`jsr publish --dry-run\` reported issues (slow types / exports / auth?): ${(g.stderr||g.stdout).trim().slice(0,300)}`,name:`jsr-dry-run/${t.name}`,severity:"warn",status:"fail"})}catch(g){a.push({message:`${t.name}: could not run \`npx jsr publish --dry-run\` (${g.message}). Install the jsr CLI / check network to enable this pre-flight.`,name:`jsr-dry-run/${t.name}`,severity:"warn",status:"skip"})}}}if(n.plan.warnings.length>0)for(const e of n.plan.warnings)a.push({message:e,name:"plan-warning",severity:"warn",status:"fail"});else a.push({message:n.plan.releases.length===0?"No pending releases.":`Plan resolves ${n.plan.releases.length} release(s).`,name:"plan-readable",severity:"info",status:"pass"});const d=n.config.publish?.guards;if(d?.packSecretScan)try{await import("@visulima/secret-scanner"),a.push({message:"@visulima/secret-scanner resolves; pack-set secret scanning will run.",name:"publish-guards.packSecretScan",severity:"info",status:"pass"})}catch{a.push({message:"publish.guards.packSecretScan is enabled but @visulima/secret-scanner is not installed. pnpm add -D @visulima/secret-scanner, or set the gate to false.",name:"publish-guards.packSecretScan",severity:"error",status:"fail"})}d?.audit&&d.audit!=="off"&&a.push({message:`Runtime npm audit gate active at "${d.audit}" severity.`,name:"publish-guards.audit",severity:"info",status:"pass"});const f=n.config.publish?.releaseAssets;if((f?.stampHashes||f?.uploadTarball)&&a.push({message:`Release-asset attestation: stampHashes=${f.stampHashes??!1}, uploadTarball=${f.uploadTarball??!1}.`,name:"publish-releaseAssets",severity:"info",status:"pass"}),n.config.publish?.stage){try{const{execSync:r}=await import("node:child_process"),o=r("npm --version",{stdio:["ignore","pipe","ignore"]}).toString().trim(),[g="0",l="0"]=o.split("."),p=Number.parseInt(g,10)>11||Number.parseInt(g,10)===11&&Number.parseInt(l,10)>=15;a.push({message:p?`npm ${o} supports \`npm stage publish\`.`:`npm ${o} is too old for staged publishing. Upgrade to npm ≥ 11.15.0.`,name:"publish-stage.npm-version",severity:p?"info":"error",status:p?"pass":"fail"})}catch{a.push({message:"publish.stage is enabled but npm is not on PATH.",name:"publish-stage.npm-version",severity:"error",status:"fail"})}const e=n.config.publish?.registry??"https://registry.npmjs.org/",i=/(?:^|:\/\/)registry\.npmjs\.(?:org|com)\//.test(e);a.push({message:i?"Registry is npmjs.com; staging is supported.":`publish.stage is enabled but registry "${e}" is not npmjs.com. Staging is npm Inc-specific; the request will be rejected.`,name:"publish-stage.registry",severity:i?"info":"warn",status:i?"pass":"fail"});const t=n.packages.filter(r=>r.manifest.publishConfig?.access==="restricted"),s=!!process.env.ACTIONS_ID_TOKEN_REQUEST_URL&&!process.env.NPM_TOKEN;t.length>0&&s&&a.push({message:`${t.length} package(s) have publishConfig.access: "restricted" and OIDC trusted publishing is active. Staging this combo is not supported in v1 (no static token for the post-decision read). Set NPM_TOKEN, or disable publish.stage for these packages.`,name:"publish-stage.oidc-restricted",severity:"error",status:"fail"})}try{const{DEFAULT_CHANGES_DIR:e}=await import("./DEFAULT_CLEAN_KEEP.js"),{readStagedRegistry:i}=await import("./staged-registry.js"),t=await i(c,n.config.changesDir??e);if(t.pending.length>0){const s=t.pending.map(r=>`${r.name}@${r.version} (${r.reason})`).join(", ");a.push({message:`${t.pending.length} pending stage(s) recorded in .vis/release/staged.json: ${s}. Approve / reject before the next release: vis release stage approve --all`,name:"publish-stage.pending",severity:"warn",status:"fail"})}}catch{}try{const{DEFAULT_CHANGES_DIR:e}=await import("./DEFAULT_CLEAN_KEEP.js"),{readFile:i}=await import("node:fs/promises"),{join:t}=await import("node:path"),s=t(c,n.config.changesDir??e,".state.json"),r=await i(s,"utf8"),o=JSON.parse(r);Array.isArray(o.stagedIds)&&o.stagedIds.length>0&&a.push({message:`Found ${o.stagedIds.length} legacy stage id(s) in .state.json#stagedIds: ${o.stagedIds.join(", ")}. The new registry lives in .vis/release/staged.json. Approve / reject these via npmjs.com or \`vis release stage approve <id>\` to avoid losing them.`,name:"publish-stage.legacy-stagedIds",severity:"warn",status:"fail"})}catch{}{const e=n.packages.filter(i=>n.perPackageConfig.get(i.name)?.versionActions==="shell");for(const i of e){const t=n.perPackageConfig.get(i.name)??{},s=n.config.allowCustomCommands,r=s===!0||Array.isArray(s)&&s.includes(i.name),o=t.publishCommand!==void 0&&t.publishCommand!=="";r||a.push({message:`${i.name} uses versionActions: "shell" but release.allowCustomCommands does not permit it. Set allowCustomCommands: true or include "${i.name}" in the array.`,name:`shell-actions.${i.name}.trust-gate`,severity:"error",status:"fail"}),o?r&&a.push({message:`${i.name} → shell publish (${Array.isArray(t.publishCommand)?`${t.publishCommand.length} commands`:"1 command"}).`,name:`shell-actions.${i.name}`,severity:"info",status:"pass"}):a.push({message:`${i.name} uses versionActions: "shell" but no publishCommand is configured. Set release.packages["${i.name}"].publishCommand.`,name:`shell-actions.${i.name}.publish-command`,severity:"error",status:"fail"})}}if(!n.config.gitUser)try{const{createShellRunner:e}=await import("./shell-runner.js"),i=e(),t=await i.run("git",["config","user.name"],{cwd:c,silent:!0}),s=await i.run("git",["config","user.email"],{cwd:c,silent:!0}),r=t.exitCode===0&&t.stdout.trim().length>0,o=s.exitCode===0&&s.stdout.trim().length>0;!r||!o?a.push({message:`git config user.name/user.email is not set (name=${r?"ok":"missing"}, email=${o?"ok":"missing"}). vis auto-commits staged.json and version bumps — these will fail without an identity. Set release.gitUser in vis.config.ts or configure git globally.`,name:"git.identity",severity:"warn",status:"fail"}):a.push({message:`git identity: ${t.stdout.trim()} <${s.stdout.trim()}>.`,name:"git.identity",severity:"info",status:"pass"})}catch{}if(n.config.signing){const{signing:e}=n.config;try{const{createShellRunner:i}=await import("./shell-runner.js"),t=i(),s=await t.run("git",["config","user.signingkey"],{cwd:c,silent:!0}),r=await t.run("git",["config","gpg.format"],{cwd:c,silent:!0}),o=s.exitCode===0?s.stdout.trim():"",g=r.exitCode===0?r.stdout.trim():"",l=o.length>0||!!e.key;if(e.mode==="ssh")g!=="ssh"||!l?a.push({message:`release.signing.mode is "ssh" but git config is incomplete (gpg.format=${g||"<unset>"}, user.signingkey=${l?"ok":"missing"}). Run \`git config gpg.format ssh\` and \`git config user.signingkey <path-to-key>\` before releasing.`,name:"git.signing",severity:"warn",status:"fail"}):a.push({message:"git signing: ssh mode active (gpg.format=ssh, signingkey configured).",name:"git.signing",severity:"info",status:"pass"});else if(e.mode==="sigstore"){const{gitsignAvailable:p}=await import("./git.js");await p({cwd:c,runner:t})?a.push({message:"git signing: sigstore mode (preview); gitsign is on PATH.",name:"git.signing",severity:"info",status:"pass"}):a.push({message:'release.signing.mode is "sigstore" (preview) but gitsign is not on PATH. Tags will fall back to GPG signing with a warning. Install gitsign: https://github.com/sigstore/gitsign',name:"git.signing",severity:"warn",status:"fail"})}else if(l){const p=e.key?/[\\/]/.test(e.key)||/\.(?:pem|gpg|key|asc|p12|pfx)$/i.test(e.key)||e.key.length<8?"configured":`…${e.key.slice(-4)}`:"from git config";a.push({message:`git signing: gpg mode active (key: ${p}).`,name:"git.signing",severity:"info",status:"pass"})}else a.push({message:'release.signing.mode is "gpg" but neither release.signing.key nor git config user.signingkey is set. Configure one before releasing.',name:"git.signing",severity:"warn",status:"fail"})}catch(i){a.push({message:`Could not verify git signing config: ${i.message}.`,name:"git.signing",severity:"warn",status:"skip"})}}if(n.config.floatingMajorTag===!0&&n.config.signing?.mode==="sigstore"&&a.push({message:`release.floatingMajorTag and release.signing.mode="sigstore" are both enabled. The floating-tag retarget force-pushes <unscoped-name>-v<major> (e.g. acme-action-v1) on every release, which appends a new sigstore transparency-log entry to Rekor each time (Rekor is append-only — entries are never removed). Over a long-lived major you'll accumulate one log entry per release. Consider either dropping floatingMajorTag (and pin consumers to a specific tag) or switching to gpg/ssh signing if the Rekor footprint matters for your project.`,name:"floating-major-tag.signing-risk",severity:"warn",status:"fail"}),n.config.floatingMajorTag===!0)try{const{createShellRunner:e}=await import("./shell-runner.js"),i=await e().run("git",["tag","--list","v*"],{cwd:c,silent:!0});if(i.exitCode===0){const t=i.stdout.split(`
3
- `).map(s=>s.trim()).filter(s=>/^v\d+$/.test(s));if(t.length===0)a.push({message:"No legacy `v<major>` tags found; floating-tag migration is clean.",name:"floating-major-tag.legacy-tags",severity:"info",status:"pass"});else{const s=t.slice(0,5),r=t.length>5?` (+${t.length-5} more)`:"",o=t[0],g=o.slice(1);a.push({message:`Legacy floating-major tags detected (${s.join(", ")}${r}). After upgrading the floating-tag format to \`<safe-name>-v<major>\`, these legacy tags are no longer updated. Consumers pinning \`<repo>@${o}\` will silently freeze at the pre-upgrade commit. Migration:
4
- 1. Re-tag the legacy tag to point at the new floating tag:
5
- git tag -f ${o} <safe-name>-v${g}
6
- git push --force origin ${o}
7
- 2. Or sunset the legacy tag and announce the new pin to consumers.`,name:"floating-major-tag.legacy-tags",severity:"warn",status:"fail"})}}else a.push({message:`Skipped: \`git tag --list "v*"\` exited ${i.exitCode}.`,name:"floating-major-tag.legacy-tags",severity:"info",status:"skip"})}catch(e){a.push({message:`Skipped: could not list git tags: ${e.message}.`,name:"floating-major-tag.legacy-tags",severity:"info",status:"skip"})}if(m.firstRelease===!0){const e=[];try{const{createShellRunner:i}=await import("./shell-runner.js"),t=i(),s=new Set,r=n.config.releaseTagPattern??"{name}@{version}";s.add(r);for(const o of n.packages){const g=n.perPackageConfig.get(o.name)?.releaseTagPattern??r;s.add(g)}for(const o of s){const g=o.replaceAll(/\{(?:name|unscopedName|version|major|minor|patch|date|channel)\}/g,()=>"*"),l=await t.run("git",["tag","--list",g],{cwd:c,silent:!0});if(l.exitCode!==0)continue;const p=l.stdout.split(`
8
- `).map(v=>v.trim()).filter(Boolean);p.length>0&&e.push(`Found ${p.length} git tag(s) matching "${o}": ${p.slice(0,5).join(", ")}${p.length>5?` (+${p.length-5} more)`:""}.`)}}catch(i){e.push(`Could not scan git tags: ${i.message}.`)}try{const{resolveVersionActionsId:i}=await import("./orchestrator.js").then(s=>s.w),{createVersionActions:t}=await import("../packem_shared/createVersionActions-BK43SNDH.js");for(const s of n.packages){const r=n.perPackageConfig.get(s.name),o=i(s,r??{});let g;try{g=t(o)}catch{continue}let l;try{l=await g.readPublishedVersion.call(g,{perPackageConfig:r,pkg:s,pm:n.pm})}catch{continue}l&&l.length>0&&e.push(`${s.name} is already published at version ${l}.`)}}catch(i){e.push(`Could not probe published versions: ${i.message}.`)}e.length>0?a.push({message:`--first-release is set but the workspace is NOT greenfield: ${e.join(" ")} Remove --first-release and run a normal release, or roll back the existing tags / unpublish before bootstrapping.`,name:"first-release.repo-not-greenfield",severity:"error",status:"fail"}):a.push({message:"Workspace looks greenfield (no matching release tags, no published versions detected). Safe to use --first-release.",name:"first-release.repo-not-greenfield",severity:"info",status:"pass"})}if(n.config.gitlabHost){const{detectRemoteProvider:e}=await import("./detect2.js"),{createShellRunner:i}=await import("./shell-runner.js"),t=await e(c,i(),n.config.provider);t==="gitlab"?a.push({message:`Self-hosted GitLab host configured: ${n.config.gitlabHost}.`,name:"gitlab-host",severity:"info",status:"pass"}):a.push({message:`release.gitlabHost is set ("${n.config.gitlabHost}") but the resolved provider is "${t}". The host will be ignored. Either set release.provider: "gitlab" or remove gitlabHost.`,name:"gitlab-host",severity:"warn",status:"fail"})}if(n.config.githubHost){const{detectRemoteProvider:e}=await import("./detect2.js"),{createShellRunner:i}=await import("./shell-runner.js"),t=await e(c,i(),n.config.provider);t==="github"?await import("node:child_process").then(({execSync:s})=>{try{return s("gh --version",{stdio:"ignore"}),!0}catch{return!1}})?a.push({message:`Self-hosted GitHub Enterprise host configured: ${n.config.githubHost}.`,name:"github-host",severity:"info",status:"pass"}):a.push({message:`release.githubHost is set ("${n.config.githubHost}") but the gh CLI is not on PATH. Install gh and run \`gh auth login --hostname ${n.config.githubHost}\` before releasing.`,name:"github-host",severity:"error",status:"fail"}):a.push({message:`release.githubHost is set ("${n.config.githubHost}") but the resolved provider is "${t}". The host will be ignored. Either set release.provider: "github" or remove githubHost.`,name:"github-host",severity:"warn",status:"fail"})}{const e=await import("node:fs/promises"),i=await import("node:path");let t;for(const s of n.packages){const r=n.perPackageConfig.get(s.name);if(r){if(r.uvLockPath){const o=i.isAbsolute(r.uvLockPath)?r.uvLockPath:i.join(s.dir,r.uvLockPath);try{await e.access(o),a.push({message:`uv.lock present at ${o}.`,name:`uv-lockfile/${s.name}`,severity:"info",status:"pass"})}catch{a.push({message:`${s.name}: configured uvLockPath "${r.uvLockPath}" doesn't exist (expected ${o}). Run \`uv lock\` to generate it, or remove uvLockPath if the lockfile lives elsewhere.`,name:`uv-lockfile/${s.name}`,severity:"warn",status:"fail"})}}if(r.uvWorkspace?.root){const o=i.resolve(s.dir,r.uvWorkspace.root),g=i.relative(o,s.dir).replaceAll("\\","/");switch(t||({checkUvWorkspaceMembership:t}=await import("./registry.js").then(l=>l.g)),await t(o,g)){case"member":{a.push({message:`${s.name} is a member of the uv workspace rooted at ${o}.`,name:`uv-workspace/${s.name}`,severity:"info",status:"pass"});break}case"no-root-pyproject":{a.push({message:`${s.name}: uvWorkspace.root points at ${o} but no pyproject.toml was found there. Verify the path is correct.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"});break}case"no-workspace":{a.push({message:`${s.name}: uvWorkspace.root points at ${o} but that pyproject.toml has no [tool.uv.workspace] block. Add one with a "members" list, or drop the uvWorkspace setting.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"});break}default:a.push({message:`${s.name}: uv workspace root at ${o} has [tool.uv.workspace] but its "members" list doesn't include "${g}". Add the package to members or correct uvWorkspace.root.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"})}}}}}const{execFileSync:w}=await import("node:child_process"),k=(e,i)=>{const t=e.split(".").map(r=>Number.parseInt(r,10)),s=i.split(".").map(r=>Number.parseInt(r,10));for(const[r,o]of s.entries()){const g=t[r]??0;if(g!==(o??0))return g>(o??0)}return!0};{const e=process.versions.node,[i=0,t=0]=e.split(".").map(r=>Number.parseInt(r,10)),s=i===22&&t>=14||i>=24||i===23;a.push({message:`node@${e} (min: 22.14.0 || >=24.10.0)`,name:"node-version",severity:s?"info":"error",status:s?"pass":"fail"})}for(const[e,i,t]of[["git","2.31","git-version"],["gh","2.40","gh-version"]])try{const s=w(e,["--version"],{stdio:["ignore","pipe","ignore"]}).toString(),r=/(\d+\.\d+\.\d+)/.exec(s);if(!r)continue;const o=k(r[1],i);a.push({message:`${e}@${r[1]} (min: ${i})`,name:t,severity:o?"info":e==="git"?"error":"warn",status:o?"pass":"fail"})}catch{}{const e=new Set([n.config.publish?.registry??"https://registry.npmjs.org"]);for(const i of n.packages){const t=n.perPackageConfig.get(i.name)?.registry;t&&e.add(t)}for(const i of e)try{const t=i.replace(/\/+$/,""),s=await fetch(`${t}/-/ping`,{method:"HEAD",signal:AbortSignal.timeout(3e3)});a.push({message:`${i} reachable (HTTP ${s.status}).`,name:"registry-reachable",severity:s.ok||s.status===404?"info":"warn",status:"pass"})}catch(t){a.push({message:`${i} not reachable: ${t.message}. Publishing may fail (or you're offline — this is a warning).`,name:"registry-reachable",severity:"warn",status:"fail"})}}try{const e=w("git",["tag","--list"],{cwd:c,stdio:["ignore","pipe","ignore"]}).toString().split(/\r?\n/).map(s=>s.trim()).filter(Boolean),i=/(?:^|@)\d+\.\d+\.\d+(?:[-+].+)?$/,t=e.filter(s=>!i.test(s)&&!/^v?\d+\.\d+\.\d+/.test(s));a.push({message:e.length===0?"No git tags yet (fresh repo).":`${e.length-t.length}/${e.length} tags parse as a release tag${t.length>0?` (unrecognised: ${t.slice(0,3).join(", ")}${t.length>3?"…":""})`:""}.`,name:"tags-parseable",severity:"warn",status:t.length>0?"fail":"pass"})}catch{}{const{readFile:e}=await import("node:fs/promises"),i=await import("node:path");let t=0,s=0;for(const r of n.packages)try{const o=await e(i.join(r.dir,"CHANGELOG.md"),"utf8");s+=1,/^#{1,2}\s/m.test(o)&&(t+=1)}catch{}s>0&&a.push({message:`${t}/${s} existing CHANGELOG.md file(s) have a recognised heading structure.`,name:"changelog-format",severity:"info",status:t===s?"pass":"fail"})}try{const e=await n.pm.readCatalogYaml(c);if(e){const{parseCatalogs:i}=await import("./registry.js").then(r=>r.f),t=i(e),s=[];for(const r of n.packages)for(const o of["dependencies","devDependencies","peerDependencies","optionalDependencies"]){const g=r.manifest[o];if(!(!g||typeof g!="object"))for(const[l,p]of Object.entries(g)){if(typeof p!="string"||!p.startsWith("catalog:"))continue;const v=p.slice(8)||"default";(v==="default"?t.default?.[l]:t.named?.[v]?.[l])||s.push(`${r.name} ${l} (${p})`)}}a.push({message:s.length===0?"All catalog: references resolve against pnpm-workspace.yaml.":`${s.length} catalog: reference(s) don't resolve: ${s.slice(0,3).join("; ")}${s.length>3?"…":""}`,name:"catalog-consistency",severity:"warn",status:s.length===0?"pass":"fail"})}}catch{}await $(u,m,a);const C=a.some(e=>e.severity==="error"&&e.status==="fail");process.exitCode=C?1:0},$=async(u,m,h)=>{if(m.json){process.stdout.write(`${JSON.stringify({checks:h},null,2)}
9
- `);return}for(const c of h){const a=`${c.status==="pass"?"✓":c.status==="fail"?"✗":"—"} [${c.severity}] ${c.name}: ${c.message}`;c.severity==="error"&&c.status==="fail"?u.error(a):c.severity==="warn"&&c.status==="fail"?u.warn(a):u.info(a)}};export{A as default};
1
+ import{b as g}from"./orchestrator.js";import{detectRemoteProvider as h,createRemoteClient as $}from"./detect2.js";import{createShellRunner as w}from"./shell-runner.js";import{runSnapshot as R}from"./snapshot.js";const y=(r,o)=>{if(r.length===0)return"_No packages were affected by this PR._";const n=["### 📦 Preview Packages",""];for(const e of r){const t=`${e.name}@${e.version}`;n.push(`- \`${e.name}\`\`${e.version}\``),o?n.push(` \`\`\`sh
2
+ npm i ${t} --registry ${o}
3
+ \`\`\``):n.push(` \`\`\`sh
4
+ npm i ${t}
5
+ \`\`\``)}return n.join(`
6
+ `)},S=async({logger:r,options:o,workspaceRoot:n})=>{const e=n??process.cwd(),t=w(),l=await h(e,t),a=$(l),s=a.detectPullRequestNumber(process.env),p=o.tag??(s?`pr-${s}`:void 0);if(!p){r.error("Could not determine snapshot tag. Pass --tag or run in a PR context (GITHUB_REF=refs/pull/<n>/merge)."),process.exitCode=1;return}if(o.onClose){await C(e,t,a,s,r);return}let c,u;try{c=await g({cwd:e});const{printConfigIfRequested:i}=await import("./print-config.js");if(i(o,c,r))return;u=await R({context:c,runner:t,tag:p})}catch(i){r.error(`Snapshot failed: ${i.message}`),process.exitCode=1;return}if(r.info(`Snapshotted ${u.published.length} package(s) at version ${u.snapshotVersion} → tag "${u.tag}"`),!s)return;const d=await a.detectRepoSlug(e,t);if(!d){r.warn("Could not detect repo slug — skipping sticky PR comment.");return}const m="<!-- vis-release-snapshot-comment -->",f=`${m}
7
+
8
+ ${y(u.published,c.config.snapshot?.registry)}`;try{const i=await a.upsertStickyComment(t,{body:f,cwd:e,issueNumber:s,marker:m,repo:d});i&&r.info(`${i.created?"Posted":"Updated"} snapshot comment on PR #${s}.`)}catch(i){r.warn(`upsertStickyComment failed (publish already succeeded): ${i.message}`)}},C=async(r,o,n,e,t)=>{if(!e){t.error("PR-close cleanup requires a PR context."),process.exitCode=1;return}const l=await n.detectRepoSlug(r,o);if(!l){t.warn("Could not detect repo slug skipping cleanup.");return}const a=await o.run("gh",["api",`repos/${l}/pulls/${e}/commits`,"--paginate"],{cwd:r,silent:!0});if(a.exitCode!==0){t.warn(`gh api failed: ${a.stderr}`);return}let s;try{s=JSON.parse(a.stdout)}catch{t.warn("Could not parse gh api output.");return}const p=[`pr-${e}`];for(const c of s)p.push(c.sha,c.sha.slice(0,7));t.info(`Cleanup intent for PR #${e}: ${p.length} tag pattern(s) across ${s.length} commit(s)`),t.info("Default backend (pkg-pr-new) auto-cleans by TTL no DELETE issued. Implement a custom backend's delete endpoint to enable real cleanup.")};export{S as default};