bun-workspaces 1.9.0 → 1.11.0

package/src/config/workspaceConfig/loadWorkspaceConfig.mjs

@@ -5,13 +5,14 @@ import {
 } from "./workspaceConfig.mjs";
 import { WORKSPACE_CONFIG_FILE_NAME } from "../../8529.mjs";
 
-const loadWorkspaceConfig = (workspacePath) => {
+const loadWorkspaceConfig = (workspacePath, loadOptions = {}) => {
   const config = loadConfig(
     "workspace",
     workspacePath,
     WORKSPACE_CONFIG_FILE_NAME,
     /* inlined export .WORKSPACE_CONFIG_PACKAGE_JSON_KEY */ "bw",
     (content) => resolveWorkspaceConfig(content),
+    loadOptions,
   );
   return config ?? createDefaultWorkspaceConfig();
 };

package/src/index.d.ts

@@ -600,6 +600,17 @@ export type CreateFileSystemProjectOptions = {
   name?: string;
   /** Whether to include the root workspace as a normal workspace. This overrides any config or env var settings. */
   includeRootWorkspace?: boolean;
+  /**
+   * When true, skip discovery of `.ts`/`.js` config files (`bw.root.{ts,js}`,
+   * `bw.workspace.{ts,js}`) so no executable code is loaded from the project,
+   * for untrusted contexts.
+   *
+   * `.jsonc`/`.json` configs and the `package.json` `bw` key still resolve.
+   *
+   * When omitted, the `BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT` user env var is
+   * consulted (`"true"` or `"false"`). If neither is set, defaults to false.
+   */
+  disableExecutableConfigs?: boolean;
 };
 export type InlineScriptOptions = {
   /** A name to act as a label for the inline script */

package/src/internal/core/language/string/index.mjs

@@ -1,3 +1,4 @@
 export * from "./id.mjs";
+export * from "./sanitizeOutput.mjs";
 
 export {};

package/src/internal/core/language/string/sanitizeOutput.mjs

@@ -0,0 +1,15 @@
+/**
+ * Strip ANSI escape sequences and other terminal-disruptive control
+ * characters from a string before rendering it. Use this for values
+ * sourced from package.json, config files, or other untrusted inputs to
+ * prevent terminal-escape injection in bw's CLI output (e.g., a workspace
+ * name containing `\x1b[2J` clearing the user's screen during `bw info`).
+ *
+ * Preserves `\n` and `\t`. Strips ANSI sequences plus C0/C1 controls
+ * other than newline and tab.
+ */ // eslint-disable-next-line no-control-regex
+const DISRUPTIVE_CONTROLS_REGEX = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x9F]/g;
+const sanitizeOutput = (value) =>
+  Bun.stripANSI(value).replace(DISRUPTIVE_CONTROLS_REGEX, "");
+
+export { sanitizeOutput };

package/src/internal/core/runtime/tempFile.mjs

@@ -7,7 +7,21 @@ import { BUN_WORKSPACES_VERSION } from "../../version.mjs";
 import { createShortId } from "../language/string/id.mjs";
 import { runOnExit } from "./onExit.mjs";
 
-const getTempBasePackageDir = () => path.join(os.tmpdir(), "bun-workspaces");
+/**
+ * Per-user suffix on the temp base dir prevents a different local user from
+ * pre-creating or symlink-squatting `/tmp/bun-workspaces` to steer our writes.
+ * On platforms without a numeric uid (Windows), `os.tmpdir()` is already
+ * per-user so the suffix becomes inert.
+ */ const getUserSuffix = () => {
+  try {
+    const { uid } = os.userInfo();
+    return uid >= 0 ? `-${uid}` : "";
+  } catch {
+    return "";
+  }
+};
+const getTempBasePackageDir = () =>
+  path.join(os.tmpdir(), `bun-workspaces${getUserSuffix()}`);
 const getTempParentDir = () =>
   path.join(getTempBasePackageDir(), BUN_WORKSPACES_VERSION);
 class TempDir {
@@ -18,10 +32,14 @@ class TempDir {
   }
   initialize(clean = false) {
     if (fs.existsSync(this.dir)) return;
+    // Pass mode at creation time so the dir is never briefly readable by
+    // other local users between mkdir and a subsequent chmod (closes the
+    // TOCTOU window where another process could enter the dir before the
+    // mode is tightened).
     fs.mkdirSync(this.dir, {
       recursive: true,
+      mode: 448,
     });
-    fs.chmodSync(this.dir, 448);
     if (clean) {
       for (const dir of fs.readdirSync(path.resolve(getTempBasePackageDir()))) {
         if (dir !== BUN_WORKSPACES_VERSION) {

package/src/internal/generated/aiDocs/docs.mjs

@@ -1,4 +1,4 @@
-// This file is generated by scripts/generateMcpDocs.ts. Do not edit manually.
+// This file is generated by scripts/createPublicAgentDocs.ts. Do not edit manually.
 const DOC_OVERVIEW = `## Project Overview
 
 bun-workspaces is a CLI and TypeScript API to help manage Bun monorepos. It reads \`bun.lock\` to find all workspaces in the project. It is referred to as "bw" for short, which is also the recommended CLI alias. The overall goal is a monorepo tool that is more lightweight than others, with still powerful comparable features, requiring no special config to get started, only a standard Bun repo using workspaces.
@@ -9,12 +9,15 @@ Three main domain terms to know:
 - Workspace: a nested package within a project. The root package.json can count as a workspace as well, but by default, only nested packages are considered workspaces.
 - Script: an entry in the \`scripts\` field of a workspace's \`package.json\` file. bw can also run one-off commands known as "inline scripts," which can use the Bun shell or system shell (\`sh -c\` or \`cmd /d /s /c\` for windows).
 
-bw also supports **affected workspace** detection: given a set of changed files (from a git diff or an explicit list), it determines which workspaces are meaningfully changed. This drives \`bw list-affected\`/\`bw run-affected\` for orchestrating builds, tests, etc. across only the workspaces that need them.`;
+bw also supports **affected workspace** detection: given a set of changed files (from a git diff or an explicit list), it determines which workspaces are meaningfully changed. This drives \`bw list-affected\`/\`bw run-affected\` for orchestrating builds, tests, etc. across only the workspaces that need them.
+`;
 const DOC_CONCEPTS = `## Concepts
 
 ### Workspace patterns
 
-Many features accept a list of workspace patterns to match a subset of workspaces.
+Many features accept a list of workspace patterns to match a subset of workspaces:
+
+\`[not:][(name|alias|path|tag):][re:]<value>\`
 
 By default, a pattern matches the workspace name or alias: \`my-workspace-name\` or \`my-alias-name\`. Aliases are defined in config explained below.
 
@@ -24,8 +27,12 @@ Patterns can include a wildcard to match only by workspace name: \`my-workspace-
 - Path pattern specifier (supports glob): \`path:packages/**/*\`.
 - Name pattern specifier: \`name:my-workspace-*\`.
 - Tag pattern specifier: \`tag:my-tag\`.
-- Special root workspace selector: \`@root\`.
 - Any pattern can start with \`not:\` to negate the pattern. (e.g. "not:my-workspace-name", "not:tag:my-tag-\\*") This excludes workspaces that match any other present patterns from a result.
+- Regex pattern modifier can be applied before the pattern value: \`re:\` (e.g. "re:^my-workspace-.+" or "not:alias:re:^my-alias-.+")
+
+#### Special selectors
+
+- Special root workspace selector: \`@root\`. This is a reference to the root workspace, whether it's included in a Project's workspace list or not.
 
 ### Workspace Script Metadata
 
@@ -82,7 +89,8 @@ There are two diff sources:
 - **git** (default): diff \`HEAD\` against the configured base ref (default \`main\`, configurable via \`affectedBaseRef\` in the root config or \`BW_AFFECTED_BASE_REF_DEFAULT\` env var). Uncommitted changes (staged, unstaged, untracked) are included by default. Gitignored files never participate.
 - **fileList**: pass changed files explicitly (paths, dirs, or globs) — bypasses git entirely.
 
-Use \`--explain\` for a per-workspace summary of changed inputs and dep cascade reasons, and \`--explain --detailed\` for full per-file/edge breakdowns including the affected-dep chain.`;
+Use \`--explain\` for a per-workspace summary of changed inputs and dep cascade reasons, and \`--explain --detailed\` for full per-file/edge breakdowns including the affected-dep chain.
+`;
 const DOC_CLI = `### CLI examples:
 
 \`\`\`bash
@@ -208,7 +216,8 @@ bw --no-include-root ls # override config/env var setting
 # Log level (debug|info|warn|error|silent, default info)
 bw --log-level=silent ls
 bw -l silent ls
-\`\`\``;
+\`\`\`
+`;
 const DOC_API = `### API examples:
 
 The API is held in close parity with the CLI. It is developed first so that the CLI is a thin wrapper around the API.
@@ -337,7 +346,8 @@ project.runAffectedWorkspaceScript({
     },
   ],
 }
-\`\`\``;
+\`\`\`
+`;
 const DOC_CONFIG = `## Root config
 
 Optional project config can be placed in \`bw.root.ts\`/\`bw.root.js\`/\`bw.root.jsonc\`/\`bw.root.json\` in the root directory, or in the \`"bw"\` key of \`package.json\`.
@@ -522,6 +532,7 @@ export default defineRootConfig({
     parallelMax: 5,
   },
 });
-\`\`\``;
+\`\`\`
+`;
 
 export { DOC_API, DOC_CLI, DOC_CONCEPTS, DOC_CONFIG, DOC_OVERVIEW };

package/src/project/implementations/fileSystemProject/affectedWorkspaces.mjs

@@ -167,6 +167,7 @@ const determineAffectedWorkspaces = async (project, options) => {
         workspacesOptions: {
           workspaceInputs,
           workspaces: project.workspaces,
+          rootWorkspace: project.rootWorkspace,
           ignoreWorkspaceDependencies,
           ignoreExternalDependencies,
         },
@@ -209,6 +210,7 @@ const determineAffectedWorkspaces = async (project, options) => {
     rootDirectory: project.rootDirectory,
     workspaceInputs,
     changedFilePaths: expandedChangedFilePaths,
+    rootWorkspace: project.rootWorkspace,
     externalDepChangesByWorkspace,
     ignoreWorkspaceDependencies,
   });

package/src/project/implementations/fileSystemProject/fileSystemProject.mjs

@@ -1,7 +1,10 @@
 import fs from "fs";
 import path from "path";
 import { loadRootConfig } from "../../../config/index.mjs";
-import { getUserEnvVar } from "../../../config/userEnvVars/index.mjs";
+import {
+  getUserBoolEnvVar,
+  getUserEnvVar,
+} from "../../../config/userEnvVars/index.mjs";
 import { parse, quote } from "../../../internal/bundledDeps/shellQuote.mjs";
 import {
   DEFAULT_TEMP_DIR,
@@ -70,17 +73,22 @@ const serializeArgs = (args, metadata, shell) => {
     return args
       .map((arg) =>
         quoteArg(
-          interpolateWorkspaceScriptMetadata(arg, metadata, shell),
+          interpolateWorkspaceScriptMetadata({
+            text: arg,
+            metadata,
+            shell,
+          }),
           shell,
         ),
       )
       .join(" ");
   }
-  const interpolated = interpolateWorkspaceScriptMetadata(
-    args,
+  const interpolated = interpolateWorkspaceScriptMetadata({
+    text: args,
     metadata,
     shell,
-  );
+    quoteValues: true,
+  });
   // Escape backslashes in interpolated values before POSIX parse on Windows,
   // so that path separators survive parse's escape processing (\\→\)
   const parseInput =
@@ -128,6 +136,11 @@ class _FileSystemProject extends ProjectBase {
           typeofName: "boolean",
           optional: true,
         },
+        "disableExecutableConfigs option": {
+          value: options.disableExecutableConfigs,
+          typeofName: "boolean",
+          optional: true,
+        },
       },
       {
         throw: true,
@@ -141,7 +154,16 @@ class _FileSystemProject extends ProjectBase {
       process.cwd(),
       expandHomePath(options.rootDirectory ?? ""),
     );
-    const rootConfig = loadRootConfig(this.rootDirectory);
+    // Root config can't supply a default for this — the config file itself
+    // is what we're deciding whether to evaluate. Precedence is therefore
+    // option > BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT env var > false.
+    const loadConfigOptions = {
+      disableExecutableConfigs:
+        options.disableExecutableConfigs ??
+        getUserBoolEnvVar("disableExecutableConfigsDefault") ??
+        false,
+    };
+    const rootConfig = loadRootConfig(this.rootDirectory, loadConfigOptions);
     const { workspaces, workspaceMap, rootWorkspace } = findWorkspaces({
       rootDirectory: this.rootDirectory,
       includeRootWorkspace:
@@ -149,6 +171,7 @@ class _FileSystemProject extends ProjectBase {
         rootConfig.defaults.includeRootWorkspace ??
         getUserEnvVar("includeRootWorkspaceDefault") === "true",
       workspacePatternConfigs: rootConfig.workspacePatternConfigs,
+      loadConfigOptions,
     });
     this.rootWorkspace = rootWorkspace;
     this.workspaces = workspaces;
@@ -262,11 +285,12 @@ class _FileSystemProject extends ProjectBase {
     };
     const args = serializeArgs(options.args, workspaceScriptMetadata, shell);
     const script = options.inline
-      ? interpolateWorkspaceScriptMetadata(
-          options.script,
-          workspaceScriptMetadata,
+      ? interpolateWorkspaceScriptMetadata({
+          text: options.script,
+          metadata: workspaceScriptMetadata,
           shell,
-        ) + (args ? " " + args : "")
+          quoteValues: true,
+        }) + (args ? " " + args : "")
       : options.script;
     if (!options.inline && checkIsRecursiveScript(workspace.name, script)) {
       throw new PROJECT_ERRORS.RecursiveWorkspaceScript(
@@ -473,11 +497,12 @@ class _FileSystemProject extends ProjectBase {
           shell,
         );
         const script = options.inline
-          ? interpolateWorkspaceScriptMetadata(
-              options.script,
-              workspaceScriptMetadata,
+          ? interpolateWorkspaceScriptMetadata({
+              text: options.script,
+              metadata: workspaceScriptMetadata,
               shell,
-            ) + (args ? " " + args : "")
+              quoteValues: true,
+            }) + (args ? " " + args : "")
           : options.script;
         const scriptCommand = options.inline
           ? {

package/src/project/implementations/projectBase.mjs

@@ -130,24 +130,18 @@ class ProjectBase {
     return this.workspaces.filter((workspace) => workspace.tags.includes(tag));
   }
   findWorkspacesByPattern(...workspacePatterns) {
-    const workspaces = [];
-    if (
-      workspacePatterns.includes(
-        /* inlined export .ROOT_WORKSPACE_SELECTOR */ "@root",
-      )
-    ) {
-      workspaces.push(this.rootWorkspace);
-      workspacePatterns = workspacePatterns.filter(
-        (pattern) =>
-          pattern !== /* inlined export .ROOT_WORKSPACE_SELECTOR */ "@root",
-      );
-    }
-    workspaces.push(
-      ...sortWorkspaces(
-        matchWorkspacesByPatterns(workspacePatterns, this.workspaces),
-      ),
+    const matched = matchWorkspacesByPatterns(
+      workspacePatterns,
+      this.workspaces,
+      this.rootWorkspace,
+    );
+    // Preserve historical ordering: root workspace first, then sorted others.
+    const rootName = this.rootWorkspace.name;
+    const rootMatch = matched.find((workspace) => workspace.name === rootName);
+    const rest = sortWorkspaces(
+      matched.filter((workspace) => workspace.name !== rootName),
     );
-    return workspaces;
+    return rootMatch ? [rootMatch, ...rest] : rest;
   }
   createScriptCommand(options) {
     validateJSTypes(

package/src/runScript/scriptExecution.mjs

@@ -19,7 +19,7 @@ const createShellScript = (command) => {
   return DEFAULT_TEMP_DIR.createFile({
     name: fileName,
     content: command,
-    mode: 493,
+    mode: 448,
   });
 };
 const createScriptExecutor = (command, shell) => {

package/src/runScript/workspaceScriptMetadata.mjs

@@ -1,6 +1,16 @@
+import { quote } from "../internal/bundledDeps/shellQuote.mjs";
 import { BunWorkspacesError, IS_WINDOWS } from "../internal/core/index.mjs";
 import { getWorkspaceScriptMetadataConfig } from "../3725.mjs";
 
+/**
+ * Wrap a value so that, when it is concatenated into a shell command for
+ * `shell`, the receiving shell parses it as a single literal token. Used
+ * when substituted metadata values land in a shell-interpretable context
+ * (inline command bodies, string-form `--args` before POSIX parse).
+ */ const quoteShellValue = (value, shell) =>
+  IS_WINDOWS && shell === "system"
+    ? `"${value.replace(/"/g, '""')}"`
+    : quote([value]);
 const createScriptRuntimeEnvVars = (metadata) => {
   const keys = [
     "projectPath",
@@ -16,7 +26,12 @@ const createScriptRuntimeEnvVars = (metadata) => {
     return acc;
   }, {});
 };
-const interpolateWorkspaceScriptMetadata = (text, metadata, shell) => {
+const interpolateWorkspaceScriptMetadata = ({
+  text,
+  metadata,
+  shell,
+  quoteValues = false,
+}) => {
   const keys = [
     "projectPath",
     "projectName",
@@ -33,6 +48,13 @@ const interpolateWorkspaceScriptMetadata = (text, metadata, shell) => {
       (k) => getWorkspaceScriptMetadataConfig(k).inlineName === match,
     );
     const value = metadata[key];
+    if (quoteValues) {
+      // Preserve "empty substitution is invisible" — quoting an empty value
+      // would inject a literal `''` shell token (an empty positional arg),
+      // which changes argv length for commands like `echo <scriptName>`
+      // when no inline scriptName is set.
+      return value === "" ? "" : quoteShellValue(value, shell);
+    }
     if (IS_WINDOWS && shell === "bun") {
       return value.replace(/\\/g, "\\\\");
     }
@@ -57,4 +79,5 @@ export {
   createScriptRuntimeEnvVars,
   getWorkspaceScriptMetadata,
   interpolateWorkspaceScriptMetadata,
+  quoteShellValue,
 };

package/src/workspaces/applyWorkspacePatternConfigs.mjs

@@ -33,9 +33,14 @@ const applyWorkspacePatternConfigs = (
   workspaceMap,
   workspaceAliases,
   patternConfigs,
+  rootWorkspace,
 ) => {
   for (const entry of patternConfigs) {
-    const matched = matchWorkspacesByPatterns(entry.patterns, workspaces);
+    const matched = matchWorkspacesByPatterns(
+      entry.patterns,
+      workspaces,
+      rootWorkspace,
+    );
     for (const workspace of matched) {
       const mapEntry = workspaceMap[workspace.name];
       const prevConfig = mapEntry.config;

package/src/workspaces/dependencyGraph/validateDependencyRules.mjs

@@ -17,7 +17,7 @@ const getTransitiveDeps = (workspaceName, workspaceMap, chain, visited) => {
   }
   return result;
 };
-const validateWorkspaceDependencyRules = ({ workspaceMap }) => {
+const validateWorkspaceDependencyRules = ({ workspaceMap, rootWorkspace }) => {
   const violations = [];
   for (const [workspaceName, { config }] of Object.entries(workspaceMap)) {
     const rule = config.rules?.workspaceDependencies;
@@ -32,10 +32,15 @@ const validateWorkspaceDependencyRules = ({ workspaceMap }) => {
       const depWorkspace = workspaceMap[depName]?.workspace;
       if (!depWorkspace) continue;
       const chainStr = chain.join(" -> ");
+      // matchWorkspacesByPatterns can inject the root workspace when an
+      // "@root" pattern is present, even if it isn't in the input universe.
+      // We're only asking "does the single dep match?" so confirm by name.
       if (rule.allowPatterns) {
-        const isAllowed =
-          matchWorkspacesByPatterns(rule.allowPatterns, [depWorkspace]).length >
-          0;
+        const isAllowed = matchWorkspacesByPatterns(
+          rule.allowPatterns,
+          [depWorkspace],
+          rootWorkspace,
+        ).some((matched) => matched.name === depWorkspace.name);
         if (!isAllowed) {
           violations.push(
             `"${workspaceName}" violates workspaceDependencies rule: workspace "${depName}" is not permitted by allowPatterns (dependency chain: ${chainStr})`,
@@ -44,9 +49,11 @@ const validateWorkspaceDependencyRules = ({ workspaceMap }) => {
         }
       }
       if (rule.denyPatterns) {
-        const isDenied =
-          matchWorkspacesByPatterns(rule.denyPatterns, [depWorkspace]).length >
-          0;
+        const isDenied = matchWorkspacesByPatterns(
+          rule.denyPatterns,
+          [depWorkspace],
+          rootWorkspace,
+        ).some((matched) => matched.name === depWorkspace.name);
         if (isDenied) {
           violations.push(
             `"${workspaceName}" violates workspaceDependencies rule: workspace "${depName}" is denied by denyPatterns (dependency chain: ${chainStr})`,

package/src/workspaces/findWorkspaces.mjs

@@ -67,6 +67,7 @@ const findWorkspaces = ({
   workspaceGlobs: _workspaceGlobs,
   includeRootWorkspace = false,
   workspacePatternConfigs,
+  loadConfigOptions,
 }) => {
   rootDirectory = path.resolve(rootDirectory);
   logger.debug(`Finding workspaces in ${rootDirectory}`);
@@ -109,6 +110,7 @@ const findWorkspaces = ({
       );
       const workspaceConfig = loadWorkspaceConfig(
         path.dirname(packageJsonPath),
+        loadConfigOptions,
       );
       if (workspaceConfig) {
         for (const alias of workspaceConfig.aliases) {
@@ -178,10 +180,12 @@ const findWorkspaces = ({
       workspaceMap,
       workspaceAliases,
       workspacePatternConfigs,
+      rootWorkspace,
     );
   }
   validateWorkspaceDependencyRules({
     workspaceMap,
+    rootWorkspace,
   });
   validateWorkspaceAliases(workspaces, workspaceAliases, rootWorkspace.name);
   logger.debug(