react-native-doctor-ci 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # react-native-doctor-ci
2
2
 
3
- Fail pull requests that add abandoned, non-New-Architecture, or npm-deprecated React Native dependencies — with inline annotations and a policy-as-code allowlist.
3
+ Fail pull requests that add abandoned, non-New-Architecture, or npm-deprecated React Native dependencies with inline annotations and a policy-as-code allowlist.
4
4
 
5
5
  ![PR annotation: rn-doctor fails a pull request on the exact package.json line that adds a dying dependency](https://raw.githubusercontent.com/AmrithVengalath/react-native-doctor-ci/main/docs/assets/pr-annotation.png)
6
6
 
@@ -11,9 +11,9 @@ Fail pull requests that add abandoned, non-New-Architecture, or npm-deprecated R
11
11
 
12
12
  ## Why
13
13
 
14
- Unmaintained dependencies are a perennial top-5 pain in React Native surveys, and the cost keeps climbing now that the New Architecture is the default: a package that looked fine when it was added quietly stops getting releases, never gains New Architecture support, or gets deprecated on npm — and you find out during an upgrade, months after the PR that introduced it merged.
14
+ Unmaintained dependencies are a perennial top-5 pain in React Native surveys, and the cost keeps climbing now that the New Architecture is the default: a package that looked fine when it was added quietly stops getting releases, never gains New Architecture support, or gets deprecated on npm and you find out during an upgrade, months after the PR that introduced it merged.
15
15
 
16
- Lookup tools exist (the React Native Directory tells you a package's status if you go ask). What's been missing is **enforcement**: the check that runs on every PR, fails when someone adds a dying dependency, and points at the exact line — so the conversation happens at review time, when swapping the package costs five minutes instead of a quarter.
16
+ Lookup tools exist (the React Native Directory tells you a package's status if you go ask). What's been missing is **enforcement**: the check that runs on every PR, fails when someone adds a dying dependency, and points at the exact line so the conversation happens at review time, when swapping the package costs five minutes instead of a quarter.
17
17
 
18
18
  `rn-doctor` is that check. Pure TypeScript, zero native code, one command.
19
19
 
@@ -40,7 +40,7 @@ jobs:
40
40
  with:
41
41
  fetch-depth: 0 # required for changed-only (merge-base diff)
42
42
 
43
- - uses: AmrithVengalath/react-native-doctor-ci/action@v0.1.1
43
+ - uses: AmrithVengalath/react-native-doctor-ci/action@v0.1.2
44
44
  with:
45
45
  changed-only: "true"
46
46
  base: origin/${{ github.base_ref }}
@@ -61,9 +61,9 @@ npx --yes --package react-native-doctor-ci rn-doctor
61
61
  ## GitHub Action reference
62
62
 
63
63
  ```yaml
64
- - uses: AmrithVengalath/react-native-doctor-ci/action@v0.1.1
64
+ - uses: AmrithVengalath/react-native-doctor-ci/action@v0.1.2
65
65
  with:
66
- version: "0.1.0" # npm version/dist-tag to run (default: latest)
66
+ version: "0.1.2" # npm version/dist-tag to run (default: latest)
67
67
  policy: ".rn-doctor.yml" # policy file path (default: auto-detect)
68
68
  changed-only: "true" # only deps added/changed vs base (default: "false")
69
69
  base: origin/main # base ref for changed-only (default: origin/main)
@@ -76,8 +76,8 @@ npx --yes --package react-native-doctor-ci rn-doctor
76
76
 
77
77
  Notes:
78
78
 
79
- - `changed-only` requires `actions/checkout` with `fetch-depth: 0` — the diff is computed against the merge-base of the PR branch and `base`, same as GitHub's three-dot compare. Without history the run fails with an actionable message telling you exactly that.
80
- - The default `token` (the workflow's own `GITHUB_TOKEN`) is enough; it's only used to read public repo metadata (archived state, last push). Without any token those fields degrade to `unknown` with a warning — the run never fails because of rate limits.
79
+ - `changed-only` requires `actions/checkout` with `fetch-depth: 0` the diff is computed against the merge-base of the PR branch and `base`, same as GitHub's three-dot compare. Without history the run fails with an actionable message telling you exactly that.
80
+ - The default `token` (the workflow's own `GITHUB_TOKEN`) is enough; it's only used to read public repo metadata (archived state, last push). Without any token those fields degrade to `unknown` with a warning the run never fails because of rate limits.
81
81
  - Pin `version` for reproducible CI; `latest` is convenient but floats.
82
82
 
83
83
  ## CLI reference
@@ -98,7 +98,7 @@ rn-doctor [options]
98
98
  -h, --help Show help
99
99
  ```
100
100
 
101
- **Exit codes** (stable contract — CI depends on it):
101
+ **Exit codes** (stable contract CI depends on it):
102
102
 
103
103
  | Code | Meaning |
104
104
  | ---- | ------- |
@@ -108,7 +108,7 @@ rn-doctor [options]
108
108
 
109
109
  **Environment**: `GITHUB_TOKEN` (optional, enables GitHub repo enrichment), `NO_COLOR` (disables ANSI color), `GITHUB_ACTIONS=true` (auto-enables annotations).
110
110
 
111
- Only `dependencies` are checked — `devDependencies` never ship in your app.
111
+ Only `dependencies` are checked `devDependencies` never ship in your app.
112
112
 
113
113
  ## Policy: `.rn-doctor.yml`
114
114
 
@@ -132,9 +132,9 @@ allow: [] # see "Unblocking a PR" below
132
132
 
133
133
  Each rule takes `error | warn | off` (except `lastPublish`, which takes thresholds or `"off"`).
134
134
 
135
- **How the data is gathered.** Each dependency is enriched in parallel from the npm registry (publish time, deprecation, `codegenConfig`), the [React Native Directory](https://reactnative.directory) (New Architecture support, unmaintained flag, GitHub URL), and the GitHub API (archived, last push — token optional). Results are cached in `.rn-doctor-cache.json` for 24 hours (add it to `.gitignore`; `--no-cache` bypasses).
135
+ **How the data is gathered.** Each dependency is enriched in parallel from the npm registry (publish time, deprecation, `codegenConfig`), the [React Native Directory](https://reactnative.directory) (New Architecture support, unmaintained flag, GitHub URL), and the GitHub API (archived, last push token optional). Results are cached in `.rn-doctor-cache.json` for 24 hours (add it to `.gitignore`; `--no-cache` bypasses).
136
136
 
137
- **New Architecture verdicts** are tiered honestly: directory says supported → pass; directory says unsupported → `newArchitecture` fires; unknown but the package ships `codegenConfig` → pass with an informational note; unknown otherwise → `newArchUnknown` fires (a warning by default — missing data is not the same as a dead package).
137
+ **New Architecture verdicts** are tiered honestly: directory says supported pass; directory says unsupported `newArchitecture` fires; unknown but the package ships `codegenConfig` pass with an informational note; unknown otherwise `newArchUnknown` fires (a warning by default missing data is not the same as a dead package).
138
138
 
139
139
  **Scope.** `rn-native-only` (default) checks packages that actually couple to React Native: listed in the RN Directory, peer-depend on `react-native`, or ship `android`/`ios` directories. `all-deps` checks everything under `dependencies`.
140
140
 
@@ -149,14 +149,14 @@ allow:
149
149
  expires: 2027-01-31
150
150
  ```
151
151
 
152
- - Suppressed findings still appear in output (marked as allowed) — nothing disappears silently.
152
+ - Suppressed findings still appear in output (marked as allowed) nothing disappears silently.
153
153
  - `expires` is optional but recommended: past that date the allow stops suppressing and findings **escalate to errors**, so exceptions can't quietly outlive their justification.
154
154
  - Every finding's message suggests the exact allowlist entry to add, so unblocking is copy-paste.
155
155
 
156
156
  ## Output formats
157
157
 
158
- - **Pretty** (default): one block per finding — severity badge, message, allow-reason if suppressed, and an evidence link (npm/directory/GitHub) so you can verify every claim.
159
- - **`--json`**: stable-ordered, timestamp-free (`version: 1`) — safe to snapshot or post-process.
158
+ - **Pretty** (default): one block per finding severity badge, message, allow-reason if suppressed, and an evidence link (npm/directory/GitHub) so you can verify every claim.
159
+ - **`--json`**: stable-ordered, timestamp-free (`version: 1`) safe to snapshot or post-process.
160
160
  - **`--sarif`**: SARIF 2.1.0, validates against the official schema. Upload to GitHub code scanning:
161
161
 
162
162
  ```yaml
@@ -167,30 +167,30 @@ allow:
167
167
  sarif_file: rn-doctor.sarif
168
168
  ```
169
169
 
170
- - **GitHub annotations**: emitted automatically inside GitHub Actions, resolved to the dependency's real line in `package.json` (string-escape-aware — a same-named key under `scripts` can't false-match).
170
+ - **GitHub annotations**: emitted automatically inside GitHub Actions, resolved to the dependency's real line in `package.json` (string-escape-aware a same-named key under `scripts` can't false-match).
171
171
 
172
172
  ## Changed-only and monorepos
173
173
 
174
- `--changed-only` is the flagship PR mode: it diffs `dependencies` against the merge-base with `--base` and checks only additions and spec changes (downgrades and protocol changes count too — they're re-checked). Fast, and zero noise from pre-existing debt: adopting rn-doctor on a 5-year-old app doesn't mean fixing 30 findings before the check goes green.
174
+ `--changed-only` is the flagship PR mode: it diffs `dependencies` against the merge-base with `--base` and checks only additions and spec changes (downgrades and protocol changes count too they're re-checked). Fast, and zero noise from pre-existing debt: adopting rn-doctor on a 5-year-old app doesn't mean fixing 30 findings before the check goes green.
175
175
 
176
176
  `--workspaces` walks npm/yarn `workspaces` globs or `pnpm-workspace.yaml` and checks every workspace manifest, with findings grouped per manifest and annotations pointing at the right file. Composes with `--changed-only`.
177
177
 
178
178
  ## FAQ
179
179
 
180
- **Does it check devDependencies?** No — they don't ship in your app. Scope decisions live in the policy file, not flags.
180
+ **Does it check devDependencies?** No they don't ship in your app. Scope decisions live in the policy file, not flags.
181
181
 
182
182
  **Is it a security scanner?** No. CVE auditing is `npm audit` / OSV territory. rn-doctor answers a different question: *is this dependency alive and does it have a future on the New Architecture?*
183
183
 
184
- **Does it fix anything?** No — it tells you what's wrong and what to do (allowlist entry, `npx expo install --fix`, Renovate), then gets out of the way.
184
+ **Does it fix anything?** No it tells you what's wrong and what to do (allowlist entry, `npx expo install --fix`, Renovate), then gets out of the way.
185
185
 
186
- **What if the RN Directory is wrong about a package?** Every finding carries an evidence link so you can check, and a false positive costs one allowlist line. File a correction with the directory — everyone benefits.
186
+ **What if the RN Directory is wrong about a package?** Every finding carries an evidence link so you can check, and a false positive costs one allowlist line. File a correction with the directory everyone benefits.
187
187
 
188
- **Why is `yaml` the only runtime dependency?** The policy file and `pnpm-workspace.yaml` are YAML, and a spec-compliant YAML parser is not a weekend project — this one is worth its weight. Everything else (HTTP, caching, git diffing, glob matching, SARIF, annotations) is hand-rolled on Node built-ins; less supply chain in a tool whose whole job is judging dependencies.
188
+ **Why is `yaml` the only runtime dependency?** The policy file and `pnpm-workspace.yaml` are YAML, and a spec-compliant YAML parser is not a weekend project this one is worth its weight. Everything else (HTTP, caching, git diffing, glob matching, SARIF, annotations) is hand-rolled on Node built-ins; less supply chain in a tool whose whole job is judging dependencies.
189
189
 
190
190
  ## Contributing
191
191
 
192
- Issues and PRs welcome — see [CONTRIBUTING.md](CONTRIBUTING.md). The project follows a phased roadmap; out-of-scope items (security auditing, auto-fixing, a hosted service) are listed there.
192
+ Issues and PRs welcome see [CONTRIBUTING.md](CONTRIBUTING.md). The project follows a phased roadmap; out-of-scope items (security auditing, auto-fixing, a hosted service) are listed there.
193
193
 
194
194
  ## License
195
195
 
196
- [MIT](LICENSE) © Amrith Vengalath
196
+ [MIT](LICENSE) © Amrith Vengalath
package/dist/cli.cjs CHANGED
@@ -120,7 +120,7 @@ async function mapWithConcurrency(items, fn, concurrency = 8) {
120
120
  // package.json
121
121
  var package_default = {
122
122
  name: "react-native-doctor-ci",
123
- version: "0.1.1",
123
+ version: "0.1.2",
124
124
  description: "Policy-as-code CI gate for React Native dependency health: fail PRs that add abandoned, non-New-Architecture, or npm-deprecated dependencies.",
125
125
  keywords: [
126
126
  "react-native",