ic-mops 2.12.2 → 2.13.0

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## Next
 
+## 2.13.0
+- Fix `mops update` and `mops outdated` jumping across major versions (or pre-1.0 minor versions) — they are now caret-bound by default, matching `cargo update`. For example, `core = "2.0.0"` now updates within `2.x.y` instead of jumping to a future `3.0.0`. Use `--major` to opt into cross-major updates.
+
+## 2.12.3
+- Fix `mops install --lock update` silently no-op'ing on a corrupt lockfile (#515)
+- `mops publish` no longer rejects unknown `mops.toml` sections, `package.*` keys, or `requirements.*` entries — these typo guards were the only place in the CLI that complained about unknown keys, drifted from the docs/types, and blocked publish on harmless local-only config like `[moc]`, `[canisters]`, `[build]`, and `[lint]` (#512)
+
 ## 2.12.2
 - Fix `mops install` (and any `--lock check` flow) failing with "Mismatched number of resolved packages" when a project's resolved dependencies include multiple aliases (e.g. `base`, `base@0`, `base@0.16`) that pin to the same `name@version`
 

package/cli.ts

@@ -627,14 +627,26 @@ program
 program
   .command("outdated")
   .description("Print outdated dependencies specified in mops.toml")
-  .action(async () => {
-    await outdated();
+  .addOption(
+    new Option(
+      "--major",
+      "Allow updates that cross the caret bound (major versions, or for 0.x.y packages, minor versions)",
+    ),
+  )
+  .action(async (options) => {
+    await outdated(options);
   });
 
 // update
 program
   .command("update [pkg]")
   .description("Update dependencies specified in mops.toml")
+  .addOption(
+    new Option(
+      "--major",
+      "Allow updates that cross the caret bound (major versions, or for 0.x.y packages, minor versions)",
+    ),
+  )
   .addOption(
     new Option("--lock <action>", "Lockfile action").choices([
       "update",

package/commands/available-updates.ts

@@ -1,14 +1,18 @@
 import process from "node:process";
 import chalk from "chalk";
+import semver from "semver";
 import { mainActor } from "../api/actors.js";
 import { Config } from "../types.js";
 import { getDepName, getDepPinnedVersion } from "../helpers/get-dep-name.js";
 import { SemverPart } from "../declarations/main/main.did.js";
 
+export type UpdateBound = "caret" | "major";
+
 // [pkg, oldVersion, newVersion]
 export async function getAvailableUpdates(
   config: Config,
   pkg?: string,
+  bound: UpdateBound = "caret",
 ): Promise<Array<[string, string, string]>> {
   let deps = Object.values(config.dependencies || {});
   let devDeps = Object.values(config["dev-dependencies"] || {});
@@ -46,8 +50,12 @@ export async function getAvailableUpdates(
           pinnedVersion.split(".").length === 1
             ? { minor: null }
             : { patch: null };
+      } else if (bound === "caret") {
+        // Caret (cargo-style): ^0.x.y -> 0.x.* (patch only); ^1+ -> same major (minor+patch)
+        let major = semver.major(dep.version!);
+        semverPart = major === 0 ? { patch: null } : { minor: null };
       }
-      return [name, dep.version || "", semverPart];
+      return [name, dep.version!, semverPart];
     }),
   );
 

package/commands/outdated.ts

@@ -3,13 +3,17 @@ import { checkConfigFile, readConfig } from "../mops.js";
 import { getAvailableUpdates } from "./available-updates.js";
 import { getDepName, getDepPinnedVersion } from "../helpers/get-dep-name.js";
 
-export async function outdated() {
+export async function outdated({ major }: { major?: boolean } = {}) {
   if (!checkConfigFile()) {
     return;
   }
   let config = readConfig();
 
-  let available = await getAvailableUpdates(config);
+  let available = await getAvailableUpdates(
+    config,
+    undefined,
+    major ? "major" : "caret",
+  );
 
   if (available.length === 0) {
     console.log(chalk.green("All dependencies are up to date!"));

package/commands/publish.ts

@@ -47,22 +47,6 @@ export async function publish(
 
   console.log(`Publishing ${config.package?.name}@${config.package?.version}`);
 
-  // validate
-  for (let key of Object.keys(config)) {
-    if (
-      ![
-        "package",
-        "dependencies",
-        "dev-dependencies",
-        "toolchain",
-        "requirements",
-      ].includes(key)
-    ) {
-      console.log(chalk.red("Error: ") + `Unknown config section [${key}]`);
-      process.exit(1);
-    }
-  }
-
   // required fields
   if (!config.package) {
     console.log(
@@ -97,29 +81,6 @@ export async function publish(
     }
   }
 
-  let packageKeys = [
-    "name",
-    "version",
-    "keywords",
-    "description",
-    "repository",
-    "documentation",
-    "homepage",
-    "baseDir",
-    "readme",
-    "license",
-    "files",
-    "dfx",
-    "moc",
-    "donation",
-  ];
-  for (let key of Object.keys(config.package)) {
-    if (!packageKeys.includes(key)) {
-      console.log(chalk.red("Error: ") + `Unknown config key 'package.${key}'`);
-      process.exit(1);
-    }
-  }
-
   // disabled fields
   for (let key of ["dfx", "moc", "homepage", "documentation", "donation"]) {
     if ((config.package as any)[key]) {
@@ -222,15 +183,6 @@ export async function publish(
     }
   }
 
-  if (config.requirements) {
-    Object.keys(config.requirements).forEach((name) => {
-      if (name !== "moc") {
-        console.log(chalk.red("Error: ") + `Unknown requirement "${name}"`);
-        return;
-      }
-    });
-  }
-
   let toBackendDep = (dep: Dependency): DependencyV2 => {
     return {
       ...dep,

package/commands/update.ts

@@ -14,9 +14,13 @@ type UpdateOptions = {
   verbose?: boolean;
   dev?: boolean;
   lock?: "update" | "ignore";
+  major?: boolean;
 };
 
-export async function update(pkg?: string, { lock }: UpdateOptions = {}) {
+export async function update(
+  pkg?: string,
+  { lock, major }: UpdateOptions = {},
+) {
   if (!checkConfigFile()) {
     return;
   }
@@ -59,7 +63,11 @@ export async function update(pkg?: string, { lock }: UpdateOptions = {}) {
   }
 
   // update mops packages
-  let available = await getAvailableUpdates(config, pkg);
+  let available = await getAvailableUpdates(
+    config,
+    pkg,
+    major ? "major" : "caret",
+  );
 
   if (available.length === 0) {
     if (pkg) {

package/dist/cli.js

@@ -492,13 +492,15 @@ program
 program
     .command("outdated")
     .description("Print outdated dependencies specified in mops.toml")
-    .action(async () => {
-    await outdated();
+    .addOption(new Option("--major", "Allow updates that cross the caret bound (major versions, or for 0.x.y packages, minor versions)"))
+    .action(async (options) => {
+    await outdated(options);
 });
 // update
 program
     .command("update [pkg]")
     .description("Update dependencies specified in mops.toml")
+    .addOption(new Option("--major", "Allow updates that cross the caret bound (major versions, or for 0.x.y packages, minor versions)"))
     .addOption(new Option("--lock <action>", "Lockfile action").choices([
     "update",
     "ignore",

package/dist/commands/available-updates.d.ts

@@ -1,2 +1,3 @@
 import { Config } from "../types.js";
-export declare function getAvailableUpdates(config: Config, pkg?: string): Promise<Array<[string, string, string]>>;
+export type UpdateBound = "caret" | "major";
+export declare function getAvailableUpdates(config: Config, pkg?: string, bound?: UpdateBound): Promise<Array<[string, string, string]>>;

package/dist/commands/available-updates.js

@@ -1,9 +1,10 @@
 import process from "node:process";
 import chalk from "chalk";
+import semver from "semver";
 import { mainActor } from "../api/actors.js";
 import { getDepName, getDepPinnedVersion } from "../helpers/get-dep-name.js";
 // [pkg, oldVersion, newVersion]
-export async function getAvailableUpdates(config, pkg) {
+export async function getAvailableUpdates(config, pkg, bound = "caret") {
     let deps = Object.values(config.dependencies || {});
     let devDeps = Object.values(config["dev-dependencies"] || {});
     let allDeps = [...deps, ...devDeps].filter((dep) => dep.version);
@@ -34,7 +35,12 @@ export async function getAvailableUpdates(config, pkg) {
                     ? { minor: null }
                     : { patch: null };
         }
-        return [name, dep.version || "", semverPart];
+        else if (bound === "caret") {
+            // Caret (cargo-style): ^0.x.y -> 0.x.* (patch only); ^1+ -> same major (minor+patch)
+            let major = semver.major(dep.version);
+            semverPart = major === 0 ? { patch: null } : { minor: null };
+        }
+        return [name, dep.version, semverPart];
     }));
     if ("err" in res) {
         console.log(chalk.red("Error:"), res.err);

package/dist/commands/outdated.d.ts

@@ -1 +1,3 @@
-export declare function outdated(): Promise<void>;
+export declare function outdated({ major }?: {
+    major?: boolean;
+}): Promise<void>;

package/dist/commands/outdated.js

@@ -2,12 +2,12 @@ import chalk from "chalk";
 import { checkConfigFile, readConfig } from "../mops.js";
 import { getAvailableUpdates } from "./available-updates.js";
 import { getDepName, getDepPinnedVersion } from "../helpers/get-dep-name.js";
-export async function outdated() {
+export async function outdated({ major } = {}) {
     if (!checkConfigFile()) {
         return;
     }
     let config = readConfig();
-    let available = await getAvailableUpdates(config);
+    let available = await getAvailableUpdates(config, undefined, major ? "major" : "caret");
     if (available.length === 0) {
         console.log(chalk.green("All dependencies are up to date!"));
     }

package/dist/commands/publish.js

@@ -22,19 +22,6 @@ export async function publish(options = {}) {
     let rootDir = getRootDir();
     let config = readConfig();
     console.log(`Publishing ${config.package?.name}@${config.package?.version}`);
-    // validate
-    for (let key of Object.keys(config)) {
-        if (![
-            "package",
-            "dependencies",
-            "dev-dependencies",
-            "toolchain",
-            "requirements",
-        ].includes(key)) {
-            console.log(chalk.red("Error: ") + `Unknown config section [${key}]`);
-            process.exit(1);
-        }
-    }
     // required fields
     if (!config.package) {
         console.log(chalk.red("Error: ") +
@@ -63,28 +50,6 @@ export async function publish(options = {}) {
             }
         }
     }
-    let packageKeys = [
-        "name",
-        "version",
-        "keywords",
-        "description",
-        "repository",
-        "documentation",
-        "homepage",
-        "baseDir",
-        "readme",
-        "license",
-        "files",
-        "dfx",
-        "moc",
-        "donation",
-    ];
-    for (let key of Object.keys(config.package)) {
-        if (!packageKeys.includes(key)) {
-            console.log(chalk.red("Error: ") + `Unknown config key 'package.${key}'`);
-            process.exit(1);
-        }
-    }
     // disabled fields
     for (let key of ["dfx", "moc", "homepage", "documentation", "donation"]) {
         if (config.package[key]) {
@@ -167,14 +132,6 @@ export async function publish(options = {}) {
             }
         }
     }
-    if (config.requirements) {
-        Object.keys(config.requirements).forEach((name) => {
-            if (name !== "moc") {
-                console.log(chalk.red("Error: ") + `Unknown requirement "${name}"`);
-                return;
-            }
-        });
-    }
     let toBackendDep = (dep) => {
         return {
             ...dep,

package/dist/commands/update.d.ts

@@ -2,6 +2,7 @@ type UpdateOptions = {
     verbose?: boolean;
     dev?: boolean;
     lock?: "update" | "ignore";
+    major?: boolean;
 };
-export declare function update(pkg?: string, { lock }?: UpdateOptions): Promise<void>;
+export declare function update(pkg?: string, { lock, major }?: UpdateOptions): Promise<void>;
 export {};

package/dist/commands/update.js

@@ -4,7 +4,7 @@ import { add } from "./add.js";
 import { getAvailableUpdates } from "./available-updates.js";
 import { checkIntegrity } from "../integrity.js";
 import { getDepName, getDepPinnedVersion } from "../helpers/get-dep-name.js";
-export async function update(pkg, { lock } = {}) {
+export async function update(pkg, { lock, major } = {}) {
     if (!checkConfigFile()) {
         return;
     }
@@ -36,7 +36,7 @@ export async function update(pkg, { lock } = {}) {
         }
     }
     // update mops packages
-    let available = await getAvailableUpdates(config, pkg);
+    let available = await getAvailableUpdates(config, pkg, major ? "major" : "caret");
     if (available.length === 0) {
         if (pkg) {
             console.log(chalk.green(`Package "${pkg}" is up to date!`));

package/dist/integrity.d.ts

@@ -20,6 +20,8 @@ export declare function getLocalFileHash(fileId: string): string;
 export declare function checkRemote(): Promise<void>;
 export declare function readLockFile(): LockFile | null;
 export declare function checkLockFileLight(): boolean;
-export declare function updateLockFile(): Promise<void>;
+export declare function updateLockFile({ force, }?: {
+    force?: boolean;
+}): Promise<void>;
 export declare function checkLockFile(force?: boolean): Promise<void>;
 export {};

package/dist/integrity.js

@@ -13,7 +13,7 @@ export async function checkIntegrity(lock) {
         lock = process.env["CI"] ? "check" : "update";
     }
     if (lock === "update") {
-        await updateLockFile();
+        await updateLockFile({ force });
         await checkLockFile(force);
     }
     else if (lock === "check") {
@@ -108,9 +108,11 @@ export function checkLockFileLight() {
     }
     return false;
 }
-export async function updateLockFile() {
+export async function updateLockFile({ force = false, } = {}) {
     // if lock file exists and mops.toml hasn't changed, don't update it
-    if (checkLockFileLight()) {
+    // (unless forced: `--lock update` must unconditionally regenerate so users
+    // can recover from a corrupt lockfile without `rm mops.lock`)
+    if (!force && checkLockFileLight()) {
         return;
     }
     let resolvedDeps = await resolvePackages();
@@ -228,6 +230,9 @@ export async function checkLockFile(force = false) {
                 console.error(`Mismatched hash for ${fileId}`);
                 console.error(`Locked hash: ${lockedHash}`);
                 console.error(`Actual hash: ${localHash}`);
+                console.error("");
+                console.error("If you have not modified files under .mops/, your lockfile may be stale or corrupt.");
+                console.error("Run `mops install --lock update` to regenerate it.");
                 process.exit(1);
             }
         }

package/dist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ic-mops",
-  "version": "2.12.2",
+  "version": "2.13.0",
   "type": "module",
   "bin": {
     "mops": "bin/mops.js",

package/dist/tests/cli.test.js

@@ -1,7 +1,7 @@
 import { describe, expect, jest, test } from "@jest/globals";
-import { existsSync, rmSync } from "node:fs";
+import { existsSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import path from "path";
-import { cli } from "./helpers";
+import { cli, normalizePaths } from "./helpers";
 describe("cli", () => {
     test("--version", async () => {
         expect((await cli(["--version"])).stdout).toMatch(/CLI \d+\.\d+\.\d+/);
@@ -86,4 +86,109 @@ describe("install", () => {
             rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
         }
     });
+    // Regression: `install --lock update` used to early-return if mops.toml's
+    // deps hash was unchanged, even when the lockfile's per-file hashes were
+    // stale/corrupt. The subsequent checkLockFile would then fail and exit 1,
+    // so `--lock update` could never recover a broken lock — the only escape
+    // was `rm mops.lock`. See issue #514.
+    test("--lock update rewrites a lockfile with a corrupt file hash", async () => {
+        const cwd = path.join(import.meta.dirname, "install/success");
+        const lockFile = path.join(cwd, "mops.lock");
+        rmSync(lockFile, { force: true });
+        try {
+            const first = await cli(["install"], { cwd, env: { CI: undefined } });
+            expect(first.exitCode).toBe(0);
+            expect(existsSync(lockFile)).toBe(true);
+            const bad = "BAD0000000000000000000000000000000000000000000000000000000000BAD";
+            const original = readFileSync(lockFile, "utf8");
+            const corrupted = original.replace(/"core@1\.0\.0\/mops\.toml":\s*"[0-9a-f]{64}"/, `"core@1.0.0/mops.toml": "${bad}"`);
+            expect(corrupted).not.toBe(original);
+            writeFileSync(lockFile, corrupted);
+            const result = await cli(["install", "--lock", "update"], {
+                cwd,
+                env: { CI: undefined },
+            });
+            expect(result.exitCode).toBe(0);
+            expect(readFileSync(lockFile, "utf8")).not.toContain(bad);
+        }
+        finally {
+            rmSync(lockFile, { force: true });
+            rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
+        }
+    });
+});
+// `mops update` and `mops outdated` default to caret-bound resolution: stay
+// within `0.x.y` (or `1.x.y`) and never cross majors. Fixture pins:
+//   base = "0.14.5"  -> caret bumps within 0.14.x; --major jumps past it
+//   core = "1.0.0"   -> caret stays put (no 1.x.y > 1.0.0); --major jumps to 2.x
+describe("update / outdated bounds", () => {
+    jest.setTimeout(120_000);
+    const cwd = path.join(import.meta.dirname, "install/update-bound");
+    const tomlFile = path.join(cwd, "mops.toml");
+    const original = readFileSync(tomlFile, "utf8");
+    const cleanup = () => {
+        rmSync(path.join(cwd, "mops.lock"), { force: true });
+        rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
+        writeFileSync(tomlFile, original);
+    };
+    const baseVersion = (toml) => toml.match(/base = "(0\.\d+\.\d+)"/)?.[1];
+    const coreMajor = (toml) => parseInt(toml.match(/core = "(\d+)\./)?.[1] ?? "0");
+    test("mops update stays within the caret bound by default", async () => {
+        cleanup();
+        try {
+            await cli(["install"], { cwd, env: { CI: undefined } });
+            const result = await cli(["update"], { cwd, env: { CI: undefined } });
+            expect(result.exitCode).toBe(0);
+            const after = readFileSync(tomlFile, "utf8");
+            // base (pre-1.0): bumped within 0.14.x (patch bumps allowed)
+            expect(baseVersion(after)).toMatch(/^0\.14\./);
+            expect(baseVersion(after)).not.toBe("0.14.5");
+            // core (1.x): no 1.x.y > 1.0.0 published, so no bump across majors
+            expect(coreMajor(after)).toBe(1);
+        }
+        finally {
+            cleanup();
+        }
+    });
+    test("mops update --major crosses the caret bound", async () => {
+        cleanup();
+        try {
+            await cli(["install"], { cwd, env: { CI: undefined } });
+            const result = await cli(["update", "--major"], {
+                cwd,
+                env: { CI: undefined },
+            });
+            expect(result.exitCode).toBe(0);
+            const after = readFileSync(tomlFile, "utf8");
+            // base: jumps past 0.14.x (next minor or major)
+            const baseMinor = parseInt(after.match(/base = "0\.(\d+)\./)?.[1] ?? "0");
+            expect(baseMinor).toBeGreaterThanOrEqual(15);
+            // core: jumps to 2.x or later
+            expect(coreMajor(after)).toBeGreaterThanOrEqual(2);
+        }
+        finally {
+            cleanup();
+        }
+    });
+    test("mops outdated honors --major flag", async () => {
+        cleanup();
+        try {
+            await cli(["install"], { cwd, env: { CI: undefined } });
+            const caret = normalizePaths((await cli(["outdated"], { cwd, env: { CI: undefined } })).stdout);
+            const major = normalizePaths((await cli(["outdated", "--major"], { cwd, env: { CI: undefined } }))
+                .stdout);
+            // caret-bound: base bumps within 0.14.x; core (if reported) stays in 1.x
+            expect(caret).toMatch(/base 0\.14\.5 -> 0\.14\./);
+            const caretCore = caret.match(/core 1\.0\.0 -> (\d+)\./)?.[1];
+            if (caretCore) {
+                expect(parseInt(caretCore)).toBe(1);
+            }
+            // --major: both bump across their major bounds
+            expect(major).toMatch(/base 0\.14\.5 -> 0\.(1[5-9]|[2-9]\d)/);
+            expect(major).toMatch(/core 1\.0\.0 -> [2-9]/);
+        }
+        finally {
+            cleanup();
+        }
+    });
 });

package/integrity.ts

@@ -41,7 +41,7 @@ export async function checkIntegrity(lock?: "check" | "update" | "ignore") {
   }
 
   if (lock === "update") {
-    await updateLockFile();
+    await updateLockFile({ force });
     await checkLockFile(force);
   } else if (lock === "check") {
     await checkLockFile(force);
@@ -159,9 +159,13 @@ export function checkLockFileLight(): boolean {
   return false;
 }
 
-export async function updateLockFile() {
+export async function updateLockFile({
+  force = false,
+}: { force?: boolean } = {}) {
   // if lock file exists and mops.toml hasn't changed, don't update it
-  if (checkLockFileLight()) {
+  // (unless forced: `--lock update` must unconditionally regenerate so users
+  // can recover from a corrupt lockfile without `rm mops.lock`)
+  if (!force && checkLockFileLight()) {
     return;
   }
 
@@ -313,6 +317,11 @@ export async function checkLockFile(force = false) {
         console.error(`Mismatched hash for ${fileId}`);
         console.error(`Locked hash: ${lockedHash}`);
         console.error(`Actual hash: ${localHash}`);
+        console.error("");
+        console.error(
+          "If you have not modified files under .mops/, your lockfile may be stale or corrupt.",
+        );
+        console.error("Run `mops install --lock update` to regenerate it.");
         process.exit(1);
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ic-mops",
-  "version": "2.12.2",
+  "version": "2.13.0",
   "type": "module",
   "bin": {
     "mops": "dist/bin/mops.js",

package/tests/cli.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, jest, test } from "@jest/globals";
-import { existsSync, rmSync } from "node:fs";
+import { existsSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import path from "path";
-import { cli } from "./helpers";
+import { cli, normalizePaths } from "./helpers";
 
 describe("cli", () => {
   test("--version", async () => {
@@ -92,4 +92,125 @@ describe("install", () => {
       rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
     }
   });
+
+  // Regression: `install --lock update` used to early-return if mops.toml's
+  // deps hash was unchanged, even when the lockfile's per-file hashes were
+  // stale/corrupt. The subsequent checkLockFile would then fail and exit 1,
+  // so `--lock update` could never recover a broken lock — the only escape
+  // was `rm mops.lock`. See issue #514.
+  test("--lock update rewrites a lockfile with a corrupt file hash", async () => {
+    const cwd = path.join(import.meta.dirname, "install/success");
+    const lockFile = path.join(cwd, "mops.lock");
+    rmSync(lockFile, { force: true });
+    try {
+      const first = await cli(["install"], { cwd, env: { CI: undefined } });
+      expect(first.exitCode).toBe(0);
+      expect(existsSync(lockFile)).toBe(true);
+
+      const bad =
+        "BAD0000000000000000000000000000000000000000000000000000000000BAD";
+      const original = readFileSync(lockFile, "utf8");
+      const corrupted = original.replace(
+        /"core@1\.0\.0\/mops\.toml":\s*"[0-9a-f]{64}"/,
+        `"core@1.0.0/mops.toml": "${bad}"`,
+      );
+      expect(corrupted).not.toBe(original);
+      writeFileSync(lockFile, corrupted);
+
+      const result = await cli(["install", "--lock", "update"], {
+        cwd,
+        env: { CI: undefined },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(readFileSync(lockFile, "utf8")).not.toContain(bad);
+    } finally {
+      rmSync(lockFile, { force: true });
+      rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
+    }
+  });
+});
+
+// `mops update` and `mops outdated` default to caret-bound resolution: stay
+// within `0.x.y` (or `1.x.y`) and never cross majors. Fixture pins:
+//   base = "0.14.5"  -> caret bumps within 0.14.x; --major jumps past it
+//   core = "1.0.0"   -> caret stays put (no 1.x.y > 1.0.0); --major jumps to 2.x
+describe("update / outdated bounds", () => {
+  jest.setTimeout(120_000);
+
+  const cwd = path.join(import.meta.dirname, "install/update-bound");
+  const tomlFile = path.join(cwd, "mops.toml");
+  const original = readFileSync(tomlFile, "utf8");
+
+  const cleanup = () => {
+    rmSync(path.join(cwd, "mops.lock"), { force: true });
+    rmSync(path.join(cwd, ".mops"), { recursive: true, force: true });
+    writeFileSync(tomlFile, original);
+  };
+
+  const baseVersion = (toml: string) =>
+    toml.match(/base = "(0\.\d+\.\d+)"/)?.[1];
+  const coreMajor = (toml: string) =>
+    parseInt(toml.match(/core = "(\d+)\./)?.[1] ?? "0");
+
+  test("mops update stays within the caret bound by default", async () => {
+    cleanup();
+    try {
+      await cli(["install"], { cwd, env: { CI: undefined } });
+      const result = await cli(["update"], { cwd, env: { CI: undefined } });
+      expect(result.exitCode).toBe(0);
+      const after = readFileSync(tomlFile, "utf8");
+      // base (pre-1.0): bumped within 0.14.x (patch bumps allowed)
+      expect(baseVersion(after)).toMatch(/^0\.14\./);
+      expect(baseVersion(after)).not.toBe("0.14.5");
+      // core (1.x): no 1.x.y > 1.0.0 published, so no bump across majors
+      expect(coreMajor(after)).toBe(1);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("mops update --major crosses the caret bound", async () => {
+    cleanup();
+    try {
+      await cli(["install"], { cwd, env: { CI: undefined } });
+      const result = await cli(["update", "--major"], {
+        cwd,
+        env: { CI: undefined },
+      });
+      expect(result.exitCode).toBe(0);
+      const after = readFileSync(tomlFile, "utf8");
+      // base: jumps past 0.14.x (next minor or major)
+      const baseMinor = parseInt(after.match(/base = "0\.(\d+)\./)?.[1] ?? "0");
+      expect(baseMinor).toBeGreaterThanOrEqual(15);
+      // core: jumps to 2.x or later
+      expect(coreMajor(after)).toBeGreaterThanOrEqual(2);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("mops outdated honors --major flag", async () => {
+    cleanup();
+    try {
+      await cli(["install"], { cwd, env: { CI: undefined } });
+      const caret = normalizePaths(
+        (await cli(["outdated"], { cwd, env: { CI: undefined } })).stdout,
+      );
+      const major = normalizePaths(
+        (await cli(["outdated", "--major"], { cwd, env: { CI: undefined } }))
+          .stdout,
+      );
+      // caret-bound: base bumps within 0.14.x; core (if reported) stays in 1.x
+      expect(caret).toMatch(/base 0\.14\.5 -> 0\.14\./);
+      const caretCore = caret.match(/core 1\.0\.0 -> (\d+)\./)?.[1];
+      if (caretCore) {
+        expect(parseInt(caretCore)).toBe(1);
+      }
+      // --major: both bump across their major bounds
+      expect(major).toMatch(/base 0\.14\.5 -> 0\.(1[5-9]|[2-9]\d)/);
+      expect(major).toMatch(/core 1\.0\.0 -> [2-9]/);
+    } finally {
+      cleanup();
+    }
+  });
 });

package/tests/install/update-bound/mops.toml

@@ -0,0 +1,3 @@
+[dependencies]
+base = "0.14.5"
+core = "1.0.0"