relizy 1.4.6 → 1.4.8-beta.0

package/dist/cli.mjs

@@ -5,7 +5,7 @@ import process from 'node:process';
 import { fileURLToPath } from 'node:url';
 import { printBanner, logger } from '@maz-ui/node';
 import { Command } from 'commander';
-import { aq as isInCI, ar as getCIName, b as bump, c as changelog, g as publish, e as providerRelease, h as social, p as prComment, r as release } from './shared/relizy.CzL6Efad.mjs';
+import { aA as isInCI, aB as getCIName, b as bump, c as changelog, g as publish, e as providerRelease, h as social, p as prComment, r as release } from './shared/relizy.00ntGDTg.mjs';
 import 'node:child_process';
 import '@maz-ui/utils';
 import 'c12';

package/dist/index.d.mts

@@ -27,8 +27,8 @@ declare function getDefaultConfig(): {
         private: false;
         args: never[];
         token: string | undefined;
-        registry: string;
         safetyCheck: true;
+        safetyCheckTimeout: number;
         packageManager: PackageManager;
     };
     tokens: {
@@ -69,6 +69,7 @@ declare function getDefaultConfig(): {
     ai: AIConfig;
     logLevel: LogLevel;
     safetyCheck: boolean;
+    detectRewrittenTags: boolean;
 };
 /**
  * Merge user types with defaults: each user-defined entry replaces the default entirely.
@@ -210,6 +211,44 @@ declare function getCurrentGitBranch(cwd: string): string;
 declare function getCurrentGitRef(cwd: string): string;
 declare function getShortCommitSha(cwd: string, length?: number): string;
 
+/**
+ * Returns true when `ancestor` is an ancestor of `descendant` (i.e. reachable
+ * from it). Uses `git merge-base --is-ancestor`, which exits 0 when true and
+ * non-zero otherwise. Any error (e.g. unknown ref) is treated as "not an
+ * ancestor".
+ */
+declare function isAncestor(ancestor: string, descendant: string, cwd?: string): Promise<boolean>;
+/**
+ * Returns the subject (first line) of the commit a ref points to, or null.
+ */
+declare function getCommitSubject(ref: string, cwd?: string): Promise<string | null>;
+/**
+ * Find the most recent commit reachable from `to` whose subject matches
+ * `subject` literally. Used to locate the "twin" of a release commit that was
+ * rewritten by a rebase (the orphaned tag still points to the old commit).
+ */
+declare function findReachableCommitBySubject(subject: string, to: string, cwd?: string): Promise<string | null>;
+/**
+ * Returns true when a tag with the given name exists locally.
+ */
+declare function tagExists(tag: string, cwd?: string): Promise<boolean>;
+/**
+ * Move an annotated tag to a different commit locally (force). Never rewrites
+ * any commit; only the tag pointer moves.
+ */
+declare function retagAnnotatedLocal({ tag, commit, message, signed, cwd, logLevel, }: {
+    tag: string;
+    commit: string;
+    message: string;
+    signed?: boolean;
+    cwd?: string;
+    logLevel?: LogLevel;
+}): Promise<void>;
+/**
+ * Force-push a single tag to origin. Used only after explicit confirmation.
+ */
+declare function pushTagForce(tag: string, cwd?: string, logLevel?: LogLevel): Promise<void>;
+
 declare function github(options: ProviderReleaseOptions): Promise<PostedRelease[]>;
 
 interface GitlabRelease {
@@ -287,6 +326,16 @@ declare function parseChangelogMarkdown(contents: string): {
     }[];
 };
 
+/**
+ * Resolve the effective npm registry from the environment (`.npmrc` files, env
+ * variables, npm/pnpm defaults) via `npm config get registry`. Falls back to the
+ * public registry when npm is unavailable or returns nothing.
+ *
+ * Used when the user did not set `publish.registry`, so Relizy honors a custom
+ * registry (e.g. a corporate proxy) configured in the user's `.npmrc` instead of
+ * forcing the public registry.
+ */
+declare function getNpmRegistry(cwd?: string): string;
 declare function detectPackageManager(cwd?: string): PackageManager;
 declare function determinePublishTag(version: string, configTag?: string): string;
 declare function getPackagesToPublishInSelectiveMode(sortedPackages: PackageBase[], rootVersion: string | undefined): PackageBase[];
@@ -371,19 +420,27 @@ declare function postPrComment({ config, pr, body, }: {
     body: string;
 }): Promise<boolean>;
 
+/**
+ * Return a deep clone of `value` with every secret masked, without mutating the
+ * original. Secrets are detected by sensitive key name and by living under a
+ * secret container (e.g. `tokens.*`).
+ */
+declare function redactSecrets<T>(value: T): T;
+
 declare function readPackageJson(packagePath: string): ReadPackage | undefined;
 interface RootPackage extends ReadPackage {
     fromTag: string;
     commits: GitCommit[];
     newVersion?: string;
 }
-declare function getRootPackage({ config, force, from, to, suffix, changelog, }: {
+declare function getRootPackage({ config, force, from, to, suffix, changelog, dryRun, }: {
     config: ResolvedRelizyConfig;
     force: boolean;
     from: string;
     to: string;
     suffix: string | undefined;
     changelog: boolean;
+    dryRun?: boolean;
 }): Promise<RootPackage>;
 declare function readPackages({ cwd, patterns, ignorePackageNames, includePrivates, }: {
     cwd: string;
@@ -391,21 +448,42 @@ declare function readPackages({ cwd, patterns, ignorePackageNames, includePrivat
     ignorePackageNames: NonNullable<ResolvedRelizyConfig['monorepo']>['ignorePackageNames'];
     includePrivates?: boolean;
 }): ReadPackage[];
-declare function getPackages({ config, suffix, force, includeAll, }: {
+declare function getPackages({ config, suffix, force, includeAll, dryRun, }: {
     config: ResolvedRelizyConfig;
     suffix: string | undefined;
     force: boolean;
     includeAll?: boolean;
+    dryRun?: boolean;
 }): Promise<PackageBase[]>;
-declare function getPackageCommits({ pkg, from, to, config, changelog, }: {
+declare function getPackageCommits({ pkg, from, to, config, changelog, dryRun, }: {
     pkg: ReadPackage;
     from: string;
     to: string;
     config: ResolvedRelizyConfig;
     changelog: boolean;
+    dryRun?: boolean;
 }): Promise<GitCommit[]>;
 declare function hasLernaJson(rootDir: string): boolean;
 
+/** Test helper: clear the per-process decision cache. */
+declare function resetRewrittenTagCache(): void;
+/**
+ * Ensure the resolved `from` tag is reachable from `to`. When it is not (a
+ * rewritten / orphaned tag), explain the situation and either prompt the user
+ * or auto-correct, depending on the configured strategy. Returns the effective
+ * `from` to use (the original tag, the rebound tag, or the equivalent commit
+ * SHA for an ephemeral correction).
+ *
+ * No commit is ever rewritten; the only mutation possible is moving a tag.
+ */
+declare function reconcileFromTag({ from, to, config, dryRun, }: {
+    from: string;
+    to: string;
+    config: ResolvedRelizyConfig;
+    pkg?: ReadPackage;
+    dryRun?: boolean;
+}): Promise<string>;
+
 /**
  * Get Slack token from config
  * Priority: social.slack.credentials > config.tokens.slack > environment variables (handled in config.ts)
@@ -563,11 +641,12 @@ declare function isBumpedPackage(pkg: PackageBase): pkg is PackageBase & {
 declare function filterOutPrivatePackages<T extends {
     private: boolean;
 }>(packages: T[]): T[];
-declare function getPackagesOrBumpedPackages({ config, bumpResult, suffix, force, }: {
+declare function getPackagesOrBumpedPackages({ config, bumpResult, suffix, force, dryRun, }: {
     config: ResolvedRelizyConfig;
     bumpResult: BumpResultTruthy | undefined;
     suffix: string | undefined;
     force: boolean;
+    dryRun?: boolean;
 }): Promise<PackageBase[]>;
 
 declare function isGraduatingToStableBetweenVersion(version: string, newVersion: string): boolean;
@@ -1158,6 +1237,13 @@ type PublishConfig = ChangelogConfig$1['publish'] & {
      * @default true
      */
     safetyCheck?: boolean;
+    /**
+     * Maximum time in milliseconds for the registry authentication safety check
+     * before it is aborted. Prevents the release from hanging indefinitely when
+     * the registry (or a proxy) never answers.
+     * @default 15000
+     */
+    safetyCheckTimeout?: number;
 };
 interface PublishOptions extends PublishConfig {
     /**
@@ -1764,6 +1850,7 @@ type HookConfig = {
  * Relizy configuration
  * @see https://relizy.dev/config/overview
  */
+type OnRewrittenTag = 'prompt' | 'ephemeral' | 'rebind' | 'error';
 interface RelizyConfig extends Partial<Omit<ChangelogConfig$1, 'output' | 'templates' | 'publish' | 'types' | 'tokens'>> {
     /**
      * Project name
@@ -1845,6 +1932,24 @@ interface RelizyConfig extends Partial<Omit<ChangelogConfig$1, 'output' | 'templ
      * @default true
      */
     safetyCheck?: boolean;
+    /**
+     * Detect when the resolved `from` tag points to a commit that is no longer
+     * reachable from `to` (typically because the history was rebased after the
+     * tag was created). When enabled, relizy explains the situation and either
+     * prompts or auto-corrects, avoiding bloated changelogs and over-bumping.
+     * @default true
+     */
+    detectRewrittenTags?: boolean;
+    /**
+     * Strategy applied when a rewritten/orphaned `from` tag is detected.
+     * Defaults to `prompt` interactively, or `ephemeral` when non-interactive
+     * (`--yes` / no TTY / CI).
+     * - `prompt`: interactive selection.
+     * - `ephemeral`: use the reachable equivalent commit for this run only.
+     * - `rebind`: move the local tag onto the equivalent commit (no push).
+     * - `error`: throw and stop.
+     */
+    onRewrittenTag?: OnRewrittenTag;
 }
 
 declare function bump(options?: Partial<BumpOptions>): Promise<BumpResult>;
@@ -1897,5 +2002,5 @@ declare function socialSafetyCheck({ config }: {
 }): Promise<void>;
 declare function social(options?: Partial<SocialOptions>): Promise<SocialResult>;
 
-export { NEW_PACKAGE_MARKER, PR_COMMENT_MARKER, buildChangelogBody, buildCommentBody, buildCompareLink, buildContributors, bump, capReleaseTypeForZeroMajor, changelog, checkGitStatusIfDirty, collectContributorNames, collectPackageBumps, confirmBump, createCommitAndTags, createGitlabRelease, defineConfig, detectGitProvider, detectPackageManager, detectPullRequest, determinePublishTag, determineReleaseType, determineSemverChange, executeBuildCmd, executeFormatCmd, executeHook, expandPackagesToBumpWithDependents, extractChangelogSummary, extractVersionFromPackageTag, extractVersionFromTag, fetchGitTags, filterOutPrivatePackages, findGitHubPR, findGitLabMR, formatChangelogForSlack, formatPackagesForSlack, formatSlackMessage, formatTweetMessage, generateChangelog, generateMarkDown, getAuthCommand, getBumpedIndependentPackages, getBumpedPackageIndependently, getCIName, getCanaryVersion, getCurrentGitBranch, getCurrentGitRef, getDefaultConfig, getDependentsOf, getFirstCommit, getGitStatus, getIndependentTag, getLastPackageTag, getLastRepoTag, getLastStableTag, getLastTag, getModifiedReleaseFilePatterns, getPackageCommits, getPackageDependencies, getPackageNewVersion, getPackages, getPackagesOrBumpedPackages, getPackagesToPublishInIndependentMode, getPackagesToPublishInSelectiveMode, getPreid, getReleaseUrl, getRootPackage, getShortCommitSha, getSlackToken, getSlackWebhookUrl, getTwitterCredentials, github, gitlab, hasLernaJson, isBumpedPackage, isChangedPreid, isGraduating, isGraduatingToStableBetweenVersion, isInCI, isPrerelease, isPrereleaseReleaseType, isStableReleaseType, isTagVersionCompatibleWithCurrent, loadRelizyConfig, mergeTypes, parseChangelogMarkdown, parseGitRemoteUrl, postPrComment, postReleaseToSlack, postReleaseToTwitter, prComment, providerRelease, providerReleaseSafetyCheck, publish, publishPackage, publishSafetyCheck, pushCommitAndTags, readPackageJson, readPackages, release, resolveTags, rollbackModifiedFiles, shouldFilterPrereleaseTags, social, socialSafetyCheck, topologicalSort, updateLernaVersion, writeChangelogToFile, writeVersion };
-export type { AIConfig, AIPromptTarget, AIProviderName, AISocialConfig, AISystemPromptOverrides, AITargetConfig, BumpConfig, BumpOptions, BumpResult, BumpResultFalsy, BumpResultTruthy, ChangelogConfig, ChangelogInclude, ChangelogOptions, ClaudeCodeProviderOptions, ConfigType, GitProvider, GitlabRelease, GitlabReleaseResponse, HookConfig, HookStep, HookType, MonorepoConfig, PackageBase, PackageBumpEntry, PackageManager, PostedRelease, PrCommentConfig, PrCommentMode, PrCommentOptions, PrCommentStatus, ProviderReleaseOptions, ProviderReleaseResult, PublishConfig, PublishOptions, PublishResponse, PullRequestInfo, ReadPackage, Reference, ReleaseConfig, ReleaseContext, ReleaseOptions, RelizyConfig, RepoConfig, ResolvedConfig, ResolvedRelizyConfig, ResolvedTags, ResolvedTwitterCredentials, RootPackage, SlackCredentials, SlackOptions, SlackPackageEntry, SlackSocialConfig, SocialConfig, SocialNetworkResult, SocialOptions, SocialResult, Step, TemplatesConfig, TokensConfig, TwitterCredentials, TwitterOptions, TwitterSocialConfig, VersionMode };
+export { NEW_PACKAGE_MARKER, PR_COMMENT_MARKER, buildChangelogBody, buildCommentBody, buildCompareLink, buildContributors, bump, capReleaseTypeForZeroMajor, changelog, checkGitStatusIfDirty, collectContributorNames, collectPackageBumps, confirmBump, createCommitAndTags, createGitlabRelease, defineConfig, detectGitProvider, detectPackageManager, detectPullRequest, determinePublishTag, determineReleaseType, determineSemverChange, executeBuildCmd, executeFormatCmd, executeHook, expandPackagesToBumpWithDependents, extractChangelogSummary, extractVersionFromPackageTag, extractVersionFromTag, fetchGitTags, filterOutPrivatePackages, findGitHubPR, findGitLabMR, findReachableCommitBySubject, formatChangelogForSlack, formatPackagesForSlack, formatSlackMessage, formatTweetMessage, generateChangelog, generateMarkDown, getAuthCommand, getBumpedIndependentPackages, getBumpedPackageIndependently, getCIName, getCanaryVersion, getCommitSubject, getCurrentGitBranch, getCurrentGitRef, getDefaultConfig, getDependentsOf, getFirstCommit, getGitStatus, getIndependentTag, getLastPackageTag, getLastRepoTag, getLastStableTag, getLastTag, getModifiedReleaseFilePatterns, getNpmRegistry, getPackageCommits, getPackageDependencies, getPackageNewVersion, getPackages, getPackagesOrBumpedPackages, getPackagesToPublishInIndependentMode, getPackagesToPublishInSelectiveMode, getPreid, getReleaseUrl, getRootPackage, getShortCommitSha, getSlackToken, getSlackWebhookUrl, getTwitterCredentials, github, gitlab, hasLernaJson, isAncestor, isBumpedPackage, isChangedPreid, isGraduating, isGraduatingToStableBetweenVersion, isInCI, isPrerelease, isPrereleaseReleaseType, isStableReleaseType, isTagVersionCompatibleWithCurrent, loadRelizyConfig, mergeTypes, parseChangelogMarkdown, parseGitRemoteUrl, postPrComment, postReleaseToSlack, postReleaseToTwitter, prComment, providerRelease, providerReleaseSafetyCheck, publish, publishPackage, publishSafetyCheck, pushCommitAndTags, pushTagForce, readPackageJson, readPackages, reconcileFromTag, redactSecrets, release, resetRewrittenTagCache, resolveTags, retagAnnotatedLocal, rollbackModifiedFiles, shouldFilterPrereleaseTags, social, socialSafetyCheck, tagExists, topologicalSort, updateLernaVersion, writeChangelogToFile, writeVersion };
+export type { AIConfig, AIPromptTarget, AIProviderName, AISocialConfig, AISystemPromptOverrides, AITargetConfig, BumpConfig, BumpOptions, BumpResult, BumpResultFalsy, BumpResultTruthy, ChangelogConfig, ChangelogInclude, ChangelogOptions, ClaudeCodeProviderOptions, ConfigType, GitProvider, GitlabRelease, GitlabReleaseResponse, HookConfig, HookStep, HookType, MonorepoConfig, OnRewrittenTag, PackageBase, PackageBumpEntry, PackageManager, PostedRelease, PrCommentConfig, PrCommentMode, PrCommentOptions, PrCommentStatus, ProviderReleaseOptions, ProviderReleaseResult, PublishConfig, PublishOptions, PublishResponse, PullRequestInfo, ReadPackage, Reference, ReleaseConfig, ReleaseContext, ReleaseOptions, RelizyConfig, RepoConfig, ResolvedConfig, ResolvedRelizyConfig, ResolvedTags, ResolvedTwitterCredentials, RootPackage, SlackCredentials, SlackOptions, SlackPackageEntry, SlackSocialConfig, SocialConfig, SocialNetworkResult, SocialOptions, SocialResult, Step, TemplatesConfig, TokensConfig, TwitterCredentials, TwitterOptions, TwitterSocialConfig, VersionMode };

package/dist/index.d.ts

@@ -27,8 +27,8 @@ declare function getDefaultConfig(): {
         private: false;
         args: never[];
         token: string | undefined;
-        registry: string;
         safetyCheck: true;
+        safetyCheckTimeout: number;
         packageManager: PackageManager;
     };
     tokens: {
@@ -69,6 +69,7 @@ declare function getDefaultConfig(): {
     ai: AIConfig;
     logLevel: LogLevel;
     safetyCheck: boolean;
+    detectRewrittenTags: boolean;
 };
 /**
  * Merge user types with defaults: each user-defined entry replaces the default entirely.
@@ -210,6 +211,44 @@ declare function getCurrentGitBranch(cwd: string): string;
 declare function getCurrentGitRef(cwd: string): string;
 declare function getShortCommitSha(cwd: string, length?: number): string;
 
+/**
+ * Returns true when `ancestor` is an ancestor of `descendant` (i.e. reachable
+ * from it). Uses `git merge-base --is-ancestor`, which exits 0 when true and
+ * non-zero otherwise. Any error (e.g. unknown ref) is treated as "not an
+ * ancestor".
+ */
+declare function isAncestor(ancestor: string, descendant: string, cwd?: string): Promise<boolean>;
+/**
+ * Returns the subject (first line) of the commit a ref points to, or null.
+ */
+declare function getCommitSubject(ref: string, cwd?: string): Promise<string | null>;
+/**
+ * Find the most recent commit reachable from `to` whose subject matches
+ * `subject` literally. Used to locate the "twin" of a release commit that was
+ * rewritten by a rebase (the orphaned tag still points to the old commit).
+ */
+declare function findReachableCommitBySubject(subject: string, to: string, cwd?: string): Promise<string | null>;
+/**
+ * Returns true when a tag with the given name exists locally.
+ */
+declare function tagExists(tag: string, cwd?: string): Promise<boolean>;
+/**
+ * Move an annotated tag to a different commit locally (force). Never rewrites
+ * any commit; only the tag pointer moves.
+ */
+declare function retagAnnotatedLocal({ tag, commit, message, signed, cwd, logLevel, }: {
+    tag: string;
+    commit: string;
+    message: string;
+    signed?: boolean;
+    cwd?: string;
+    logLevel?: LogLevel;
+}): Promise<void>;
+/**
+ * Force-push a single tag to origin. Used only after explicit confirmation.
+ */
+declare function pushTagForce(tag: string, cwd?: string, logLevel?: LogLevel): Promise<void>;
+
 declare function github(options: ProviderReleaseOptions): Promise<PostedRelease[]>;
 
 interface GitlabRelease {
@@ -287,6 +326,16 @@ declare function parseChangelogMarkdown(contents: string): {
     }[];
 };
 
+/**
+ * Resolve the effective npm registry from the environment (`.npmrc` files, env
+ * variables, npm/pnpm defaults) via `npm config get registry`. Falls back to the
+ * public registry when npm is unavailable or returns nothing.
+ *
+ * Used when the user did not set `publish.registry`, so Relizy honors a custom
+ * registry (e.g. a corporate proxy) configured in the user's `.npmrc` instead of
+ * forcing the public registry.
+ */
+declare function getNpmRegistry(cwd?: string): string;
 declare function detectPackageManager(cwd?: string): PackageManager;
 declare function determinePublishTag(version: string, configTag?: string): string;
 declare function getPackagesToPublishInSelectiveMode(sortedPackages: PackageBase[], rootVersion: string | undefined): PackageBase[];
@@ -371,19 +420,27 @@ declare function postPrComment({ config, pr, body, }: {
     body: string;
 }): Promise<boolean>;
 
+/**
+ * Return a deep clone of `value` with every secret masked, without mutating the
+ * original. Secrets are detected by sensitive key name and by living under a
+ * secret container (e.g. `tokens.*`).
+ */
+declare function redactSecrets<T>(value: T): T;
+
 declare function readPackageJson(packagePath: string): ReadPackage | undefined;
 interface RootPackage extends ReadPackage {
     fromTag: string;
     commits: GitCommit[];
     newVersion?: string;
 }
-declare function getRootPackage({ config, force, from, to, suffix, changelog, }: {
+declare function getRootPackage({ config, force, from, to, suffix, changelog, dryRun, }: {
     config: ResolvedRelizyConfig;
     force: boolean;
     from: string;
     to: string;
     suffix: string | undefined;
     changelog: boolean;
+    dryRun?: boolean;
 }): Promise<RootPackage>;
 declare function readPackages({ cwd, patterns, ignorePackageNames, includePrivates, }: {
     cwd: string;
@@ -391,21 +448,42 @@ declare function readPackages({ cwd, patterns, ignorePackageNames, includePrivat
     ignorePackageNames: NonNullable<ResolvedRelizyConfig['monorepo']>['ignorePackageNames'];
     includePrivates?: boolean;
 }): ReadPackage[];
-declare function getPackages({ config, suffix, force, includeAll, }: {
+declare function getPackages({ config, suffix, force, includeAll, dryRun, }: {
     config: ResolvedRelizyConfig;
     suffix: string | undefined;
     force: boolean;
     includeAll?: boolean;
+    dryRun?: boolean;
 }): Promise<PackageBase[]>;
-declare function getPackageCommits({ pkg, from, to, config, changelog, }: {
+declare function getPackageCommits({ pkg, from, to, config, changelog, dryRun, }: {
     pkg: ReadPackage;
     from: string;
     to: string;
     config: ResolvedRelizyConfig;
     changelog: boolean;
+    dryRun?: boolean;
 }): Promise<GitCommit[]>;
 declare function hasLernaJson(rootDir: string): boolean;
 
+/** Test helper: clear the per-process decision cache. */
+declare function resetRewrittenTagCache(): void;
+/**
+ * Ensure the resolved `from` tag is reachable from `to`. When it is not (a
+ * rewritten / orphaned tag), explain the situation and either prompt the user
+ * or auto-correct, depending on the configured strategy. Returns the effective
+ * `from` to use (the original tag, the rebound tag, or the equivalent commit
+ * SHA for an ephemeral correction).
+ *
+ * No commit is ever rewritten; the only mutation possible is moving a tag.
+ */
+declare function reconcileFromTag({ from, to, config, dryRun, }: {
+    from: string;
+    to: string;
+    config: ResolvedRelizyConfig;
+    pkg?: ReadPackage;
+    dryRun?: boolean;
+}): Promise<string>;
+
 /**
  * Get Slack token from config
  * Priority: social.slack.credentials > config.tokens.slack > environment variables (handled in config.ts)
@@ -563,11 +641,12 @@ declare function isBumpedPackage(pkg: PackageBase): pkg is PackageBase & {
 declare function filterOutPrivatePackages<T extends {
     private: boolean;
 }>(packages: T[]): T[];
-declare function getPackagesOrBumpedPackages({ config, bumpResult, suffix, force, }: {
+declare function getPackagesOrBumpedPackages({ config, bumpResult, suffix, force, dryRun, }: {
     config: ResolvedRelizyConfig;
     bumpResult: BumpResultTruthy | undefined;
     suffix: string | undefined;
     force: boolean;
+    dryRun?: boolean;
 }): Promise<PackageBase[]>;
 
 declare function isGraduatingToStableBetweenVersion(version: string, newVersion: string): boolean;
@@ -1158,6 +1237,13 @@ type PublishConfig = ChangelogConfig$1['publish'] & {
      * @default true
      */
     safetyCheck?: boolean;
+    /**
+     * Maximum time in milliseconds for the registry authentication safety check
+     * before it is aborted. Prevents the release from hanging indefinitely when
+     * the registry (or a proxy) never answers.
+     * @default 15000
+     */
+    safetyCheckTimeout?: number;
 };
 interface PublishOptions extends PublishConfig {
     /**
@@ -1764,6 +1850,7 @@ type HookConfig = {
  * Relizy configuration
  * @see https://relizy.dev/config/overview
  */
+type OnRewrittenTag = 'prompt' | 'ephemeral' | 'rebind' | 'error';
 interface RelizyConfig extends Partial<Omit<ChangelogConfig$1, 'output' | 'templates' | 'publish' | 'types' | 'tokens'>> {
     /**
      * Project name
@@ -1845,6 +1932,24 @@ interface RelizyConfig extends Partial<Omit<ChangelogConfig$1, 'output' | 'templ
      * @default true
      */
     safetyCheck?: boolean;
+    /**
+     * Detect when the resolved `from` tag points to a commit that is no longer
+     * reachable from `to` (typically because the history was rebased after the
+     * tag was created). When enabled, relizy explains the situation and either
+     * prompts or auto-corrects, avoiding bloated changelogs and over-bumping.
+     * @default true
+     */
+    detectRewrittenTags?: boolean;
+    /**
+     * Strategy applied when a rewritten/orphaned `from` tag is detected.
+     * Defaults to `prompt` interactively, or `ephemeral` when non-interactive
+     * (`--yes` / no TTY / CI).
+     * - `prompt`: interactive selection.
+     * - `ephemeral`: use the reachable equivalent commit for this run only.
+     * - `rebind`: move the local tag onto the equivalent commit (no push).
+     * - `error`: throw and stop.
+     */
+    onRewrittenTag?: OnRewrittenTag;
 }
 
 declare function bump(options?: Partial<BumpOptions>): Promise<BumpResult>;
@@ -1897,5 +2002,5 @@ declare function socialSafetyCheck({ config }: {
 }): Promise<void>;
 declare function social(options?: Partial<SocialOptions>): Promise<SocialResult>;
 
-export { NEW_PACKAGE_MARKER, PR_COMMENT_MARKER, buildChangelogBody, buildCommentBody, buildCompareLink, buildContributors, bump, capReleaseTypeForZeroMajor, changelog, checkGitStatusIfDirty, collectContributorNames, collectPackageBumps, confirmBump, createCommitAndTags, createGitlabRelease, defineConfig, detectGitProvider, detectPackageManager, detectPullRequest, determinePublishTag, determineReleaseType, determineSemverChange, executeBuildCmd, executeFormatCmd, executeHook, expandPackagesToBumpWithDependents, extractChangelogSummary, extractVersionFromPackageTag, extractVersionFromTag, fetchGitTags, filterOutPrivatePackages, findGitHubPR, findGitLabMR, formatChangelogForSlack, formatPackagesForSlack, formatSlackMessage, formatTweetMessage, generateChangelog, generateMarkDown, getAuthCommand, getBumpedIndependentPackages, getBumpedPackageIndependently, getCIName, getCanaryVersion, getCurrentGitBranch, getCurrentGitRef, getDefaultConfig, getDependentsOf, getFirstCommit, getGitStatus, getIndependentTag, getLastPackageTag, getLastRepoTag, getLastStableTag, getLastTag, getModifiedReleaseFilePatterns, getPackageCommits, getPackageDependencies, getPackageNewVersion, getPackages, getPackagesOrBumpedPackages, getPackagesToPublishInIndependentMode, getPackagesToPublishInSelectiveMode, getPreid, getReleaseUrl, getRootPackage, getShortCommitSha, getSlackToken, getSlackWebhookUrl, getTwitterCredentials, github, gitlab, hasLernaJson, isBumpedPackage, isChangedPreid, isGraduating, isGraduatingToStableBetweenVersion, isInCI, isPrerelease, isPrereleaseReleaseType, isStableReleaseType, isTagVersionCompatibleWithCurrent, loadRelizyConfig, mergeTypes, parseChangelogMarkdown, parseGitRemoteUrl, postPrComment, postReleaseToSlack, postReleaseToTwitter, prComment, providerRelease, providerReleaseSafetyCheck, publish, publishPackage, publishSafetyCheck, pushCommitAndTags, readPackageJson, readPackages, release, resolveTags, rollbackModifiedFiles, shouldFilterPrereleaseTags, social, socialSafetyCheck, topologicalSort, updateLernaVersion, writeChangelogToFile, writeVersion };
-export type { AIConfig, AIPromptTarget, AIProviderName, AISocialConfig, AISystemPromptOverrides, AITargetConfig, BumpConfig, BumpOptions, BumpResult, BumpResultFalsy, BumpResultTruthy, ChangelogConfig, ChangelogInclude, ChangelogOptions, ClaudeCodeProviderOptions, ConfigType, GitProvider, GitlabRelease, GitlabReleaseResponse, HookConfig, HookStep, HookType, MonorepoConfig, PackageBase, PackageBumpEntry, PackageManager, PostedRelease, PrCommentConfig, PrCommentMode, PrCommentOptions, PrCommentStatus, ProviderReleaseOptions, ProviderReleaseResult, PublishConfig, PublishOptions, PublishResponse, PullRequestInfo, ReadPackage, Reference, ReleaseConfig, ReleaseContext, ReleaseOptions, RelizyConfig, RepoConfig, ResolvedConfig, ResolvedRelizyConfig, ResolvedTags, ResolvedTwitterCredentials, RootPackage, SlackCredentials, SlackOptions, SlackPackageEntry, SlackSocialConfig, SocialConfig, SocialNetworkResult, SocialOptions, SocialResult, Step, TemplatesConfig, TokensConfig, TwitterCredentials, TwitterOptions, TwitterSocialConfig, VersionMode };
+export { NEW_PACKAGE_MARKER, PR_COMMENT_MARKER, buildChangelogBody, buildCommentBody, buildCompareLink, buildContributors, bump, capReleaseTypeForZeroMajor, changelog, checkGitStatusIfDirty, collectContributorNames, collectPackageBumps, confirmBump, createCommitAndTags, createGitlabRelease, defineConfig, detectGitProvider, detectPackageManager, detectPullRequest, determinePublishTag, determineReleaseType, determineSemverChange, executeBuildCmd, executeFormatCmd, executeHook, expandPackagesToBumpWithDependents, extractChangelogSummary, extractVersionFromPackageTag, extractVersionFromTag, fetchGitTags, filterOutPrivatePackages, findGitHubPR, findGitLabMR, findReachableCommitBySubject, formatChangelogForSlack, formatPackagesForSlack, formatSlackMessage, formatTweetMessage, generateChangelog, generateMarkDown, getAuthCommand, getBumpedIndependentPackages, getBumpedPackageIndependently, getCIName, getCanaryVersion, getCommitSubject, getCurrentGitBranch, getCurrentGitRef, getDefaultConfig, getDependentsOf, getFirstCommit, getGitStatus, getIndependentTag, getLastPackageTag, getLastRepoTag, getLastStableTag, getLastTag, getModifiedReleaseFilePatterns, getNpmRegistry, getPackageCommits, getPackageDependencies, getPackageNewVersion, getPackages, getPackagesOrBumpedPackages, getPackagesToPublishInIndependentMode, getPackagesToPublishInSelectiveMode, getPreid, getReleaseUrl, getRootPackage, getShortCommitSha, getSlackToken, getSlackWebhookUrl, getTwitterCredentials, github, gitlab, hasLernaJson, isAncestor, isBumpedPackage, isChangedPreid, isGraduating, isGraduatingToStableBetweenVersion, isInCI, isPrerelease, isPrereleaseReleaseType, isStableReleaseType, isTagVersionCompatibleWithCurrent, loadRelizyConfig, mergeTypes, parseChangelogMarkdown, parseGitRemoteUrl, postPrComment, postReleaseToSlack, postReleaseToTwitter, prComment, providerRelease, providerReleaseSafetyCheck, publish, publishPackage, publishSafetyCheck, pushCommitAndTags, pushTagForce, readPackageJson, readPackages, reconcileFromTag, redactSecrets, release, resetRewrittenTagCache, resolveTags, retagAnnotatedLocal, rollbackModifiedFiles, shouldFilterPrereleaseTags, social, socialSafetyCheck, tagExists, topologicalSort, updateLernaVersion, writeChangelogToFile, writeVersion };
+export type { AIConfig, AIPromptTarget, AIProviderName, AISocialConfig, AISystemPromptOverrides, AITargetConfig, BumpConfig, BumpOptions, BumpResult, BumpResultFalsy, BumpResultTruthy, ChangelogConfig, ChangelogInclude, ChangelogOptions, ClaudeCodeProviderOptions, ConfigType, GitProvider, GitlabRelease, GitlabReleaseResponse, HookConfig, HookStep, HookType, MonorepoConfig, OnRewrittenTag, PackageBase, PackageBumpEntry, PackageManager, PostedRelease, PrCommentConfig, PrCommentMode, PrCommentOptions, PrCommentStatus, ProviderReleaseOptions, ProviderReleaseResult, PublishConfig, PublishOptions, PublishResponse, PullRequestInfo, ReadPackage, Reference, ReleaseConfig, ReleaseContext, ReleaseOptions, RelizyConfig, RepoConfig, ResolvedConfig, ResolvedRelizyConfig, ResolvedTags, ResolvedTwitterCredentials, RootPackage, SlackCredentials, SlackOptions, SlackPackageEntry, SlackSocialConfig, SocialConfig, SocialNetworkResult, SocialOptions, SocialResult, Step, TemplatesConfig, TokensConfig, TwitterCredentials, TwitterOptions, TwitterSocialConfig, VersionMode };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-export { ak as NEW_PACKAGE_MARKER, $ as PR_COMMENT_MARKER, M as buildChangelogBody, a as buildCommentBody, L as buildCompareLink, O as buildContributors, b as bump, ay as capReleaseTypeForZeroMajor, c as changelog, v as checkGitStatusIfDirty, N as collectContributorNames, X as collectPackageBumps, aM as confirmBump, B as createCommitAndTags, J as createGitlabRelease, k as defineConfig, y as detectGitProvider, R as detectPackageManager, _ as detectPullRequest, S as determinePublishTag, aA as determineReleaseType, az as determineSemverChange, at as executeBuildCmd, as as executeFormatCmd, ap as executeHook, q as expandPackagesToBumpWithDependents, ad as extractChangelogSummary, aE as extractVersionFromPackageTag, aP as extractVersionFromTag, x as fetchGitTags, av as filterOutPrivatePackages, Y as findGitHubPR, Z as findGitLabMR, a9 as formatChangelogForSlack, aa as formatPackagesForSlack, ab as formatSlackMessage, an as formatTweetMessage, i as generateChangelog, P as generateMarkDown, V as getAuthCommand, aN as getBumpedIndependentPackages, aL as getBumpedPackageIndependently, ar as getCIName, aQ as getCanaryVersion, F as getCurrentGitBranch, G as getCurrentGitRef, j as getDefaultConfig, o as getDependentsOf, E as getFirstCommit, u as getGitStatus, af as getIndependentTag, aj as getLastPackageTag, ai as getLastRepoTag, ag as getLastStableTag, ah as getLastTag, A as getModifiedReleaseFilePatterns, a5 as getPackageCommits, n as getPackageDependencies, aC as getPackageNewVersion, a4 as getPackages, aw as getPackagesOrBumpedPackages, U as getPackagesToPublishInIndependentMode, T as getPackagesToPublishInSelectiveMode, aJ as getPreid, ae as getReleaseUrl, a2 as getRootPackage, H as getShortCommitSha, a7 as getSlackToken, a8 as getSlackWebhookUrl, am as getTwitterCredentials, I as github, K as gitlab, a6 as hasLernaJson, au as isBumpedPackage, aK as isChangedPreid, aI as isGraduating, ax as isGraduatingToStableBetweenVersion, aq as isInCI, aF as isPrerelease, aH as isPrereleaseReleaseType, aG as isStableReleaseType, aR as isTagVersionCompatibleWithCurrent, l as loadRelizyConfig, m as mergeTypes, Q as parseChangelogMarkdown, z as parseGitRemoteUrl, a0 as postPrComment, ac as postReleaseToSlack, ao as postReleaseToTwitter, p as prComment, e as providerRelease, d as providerReleaseSafetyCheck, g as publish, W as publishPackage, f as publishSafetyCheck, C as pushCommitAndTags, a1 as readPackageJson, a3 as readPackages, r as release, al as resolveTags, D as rollbackModifiedFiles, aO as shouldFilterPrereleaseTags, h as social, s as socialSafetyCheck, t as topologicalSort, aD as updateLernaVersion, w as writeChangelogToFile, aB as writeVersion } from './shared/relizy.CzL6Efad.mjs';
+export { au as NEW_PACKAGE_MARKER, a6 as PR_COMMENT_MARKER, S as buildChangelogBody, a as buildCommentBody, R as buildCompareLink, U as buildContributors, b as bump, aI as capReleaseTypeForZeroMajor, c as changelog, v as checkGitStatusIfDirty, T as collectContributorNames, a2 as collectPackageBumps, aW as confirmBump, B as createCommitAndTags, P as createGitlabRelease, k as defineConfig, y as detectGitProvider, Y as detectPackageManager, a5 as detectPullRequest, Z as determinePublishTag, aK as determineReleaseType, aJ as determineSemverChange, aD as executeBuildCmd, aC as executeFormatCmd, az as executeHook, q as expandPackagesToBumpWithDependents, an as extractChangelogSummary, aO as extractVersionFromPackageTag, aZ as extractVersionFromTag, x as fetchGitTags, aF as filterOutPrivatePackages, a3 as findGitHubPR, a4 as findGitLabMR, K as findReachableCommitBySubject, aj as formatChangelogForSlack, ak as formatPackagesForSlack, al as formatSlackMessage, ax as formatTweetMessage, i as generateChangelog, V as generateMarkDown, a0 as getAuthCommand, aX as getBumpedIndependentPackages, aV as getBumpedPackageIndependently, aB as getCIName, a_ as getCanaryVersion, J as getCommitSubject, F as getCurrentGitBranch, G as getCurrentGitRef, j as getDefaultConfig, o as getDependentsOf, E as getFirstCommit, u as getGitStatus, ap as getIndependentTag, at as getLastPackageTag, as as getLastRepoTag, aq as getLastStableTag, ar as getLastTag, A as getModifiedReleaseFilePatterns, X as getNpmRegistry, ad as getPackageCommits, n as getPackageDependencies, aM as getPackageNewVersion, ac as getPackages, aG as getPackagesOrBumpedPackages, $ as getPackagesToPublishInIndependentMode, _ as getPackagesToPublishInSelectiveMode, aT as getPreid, ao as getReleaseUrl, aa as getRootPackage, H as getShortCommitSha, ah as getSlackToken, ai as getSlackWebhookUrl, aw as getTwitterCredentials, O as github, Q as gitlab, ae as hasLernaJson, I as isAncestor, aE as isBumpedPackage, aU as isChangedPreid, aS as isGraduating, aH as isGraduatingToStableBetweenVersion, aA as isInCI, aP as isPrerelease, aR as isPrereleaseReleaseType, aQ as isStableReleaseType, a$ as isTagVersionCompatibleWithCurrent, l as loadRelizyConfig, m as mergeTypes, W as parseChangelogMarkdown, z as parseGitRemoteUrl, a7 as postPrComment, am as postReleaseToSlack, ay as postReleaseToTwitter, p as prComment, e as providerRelease, d as providerReleaseSafetyCheck, g as publish, a1 as publishPackage, f as publishSafetyCheck, C as pushCommitAndTags, N as pushTagForce, a9 as readPackageJson, ab as readPackages, ag as reconcileFromTag, a8 as redactSecrets, r as release, af as resetRewrittenTagCache, av as resolveTags, M as retagAnnotatedLocal, D as rollbackModifiedFiles, aY as shouldFilterPrereleaseTags, h as social, s as socialSafetyCheck, L as tagExists, t as topologicalSort, aN as updateLernaVersion, w as writeChangelogToFile, aL as writeVersion } from './shared/relizy.00ntGDTg.mjs';
 import '@maz-ui/node';
 import 'node:child_process';
 import 'node:process';

package/dist/shared/{relizy.CzL6Efad.mjs → relizy.00ntGDTg.mjs}

@@ -7,7 +7,7 @@ import { getGitDiff, parseCommits, resolveRepoConfig, getRepoConfig, formatCompa
 import { defu } from 'defu';
 import { existsSync, readFileSync, statSync, writeFileSync } from 'node:fs';
 import path, { join, relative, sep } from 'node:path';
-import { confirm, input } from '@inquirer/prompts';
+import { select, confirm, input } from '@inquirer/prompts';
 import fastGlob from 'fast-glob';
 import * as semver from 'semver';
 import { convert } from 'convert-gitmoji';
@@ -131,6 +131,250 @@ function topologicalSort(packages) {
   return sorted;
 }
 
+function shellSingleQuote(value) {
+  return `'${value.replaceAll("'", "'\\''")}'`;
+}
+async function isAncestor(ancestor, descendant, cwd) {
+  try {
+    await execPromise(
+      `git merge-base --is-ancestor ${shellSingleQuote(ancestor)} ${shellSingleQuote(descendant)}`,
+      { cwd, noStderr: true, noStdout: true, noSuccess: true, noError: true }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function getCommitSubject(ref, cwd) {
+  try {
+    const { stdout } = await execPromise(
+      `git log -1 --format=%s ${shellSingleQuote(ref)}`,
+      { cwd, noStderr: true, noStdout: true, noSuccess: true, noError: true }
+    );
+    return stdout.trim() || null;
+  } catch {
+    return null;
+  }
+}
+async function findReachableCommitBySubject(subject, to, cwd) {
+  try {
+    const { stdout } = await execPromise(
+      `git log ${shellSingleQuote(to)} --grep=${shellSingleQuote(subject)} --fixed-strings --format=%H -n 1`,
+      { cwd, noStderr: true, noStdout: true, noSuccess: true, noError: true }
+    );
+    return stdout.trim().split("\n")[0]?.trim() || null;
+  } catch {
+    return null;
+  }
+}
+async function tagExists(tag, cwd) {
+  try {
+    const tagRef = `refs/tags/${tag}`;
+    await execPromise(
+      `git rev-parse --verify --quiet ${shellSingleQuote(tagRef)}`,
+      { cwd, noStderr: true, noStdout: true, noSuccess: true, noError: true }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function retagAnnotatedLocal({
+  tag,
+  commit,
+  message,
+  signed,
+  cwd,
+  logLevel
+}) {
+  const sign = signed ? "-s " : "";
+  await execPromise(
+    `git tag -f ${sign}-a ${shellSingleQuote(tag)} ${shellSingleQuote(commit)} -m ${shellSingleQuote(message)}`,
+    { cwd, logLevel, noStderr: true, noStdout: true }
+  );
+}
+async function pushTagForce(tag, cwd, logLevel) {
+  await execPromise(
+    `git push origin ${shellSingleQuote(tag)} --force`,
+    { cwd, logLevel, noStderr: true, noStdout: true }
+  );
+}
+
+const sessionCache = /* @__PURE__ */ new Map();
+function resetRewrittenTagCache() {
+  sessionCache.clear();
+}
+function short(sha) {
+  return sha.slice(0, 9);
+}
+function extractVersionFromRef(ref) {
+  const atIndex = ref.lastIndexOf("@");
+  const candidate = atIndex >= 0 ? ref.slice(atIndex + 1) : ref;
+  return candidate.startsWith("v") ? candidate.slice(1) : candidate;
+}
+function resolveStrategy(config) {
+  const isTTY = Boolean(process$1.stdout?.isTTY);
+  const strategy = config.onRewrittenTag ?? (!config.bump?.yes && isTTY ? "prompt" : "ephemeral");
+  if (strategy === "prompt" && !isTTY) {
+    return "ephemeral";
+  }
+  return strategy;
+}
+function buildExplanation({
+  from,
+  to,
+  twin,
+  subject
+}) {
+  const lines = [
+    `\u26A0\uFE0F  Tag "${from}" points to a commit that is no longer in the history of "${to}".`,
+    `It was most likely rewritten by a "git rebase" after the tag was created.`,
+    `Generating a changelog from it would span the whole divergent range (often the entire history since the last stable release, with duplicated commits) instead of the real changes.`
+  ];
+  if (twin) {
+    const subjectSuffix = subject ? ` ("${subject}")` : "";
+    lines.push(`Equivalent commit found on "${to}": ${short(twin)}${subjectSuffix}.`);
+  } else {
+    lines.push(`No equivalent commit could be found on "${to}".`);
+  }
+  lines.push(`Tip: never rebase "develop"/"main" (commits that are tagged or pushed are immutable). Integrate branches via merge or fast-forward instead.`);
+  return lines.join("\n");
+}
+async function rebind({
+  from,
+  twin,
+  config,
+  dryRun,
+  push
+}) {
+  const message = config.templates?.tagMessage?.replaceAll("{{newVersion}}", extractVersionFromRef(from)) || from;
+  if (dryRun) {
+    logger.info(`[dry-run] git tag -f -a ${from} ${short(twin)} -m "${message}" (re-bind orphaned tag)`);
+    if (push) {
+      logger.info(`[dry-run] git push origin ${from} --force`);
+    }
+    return from;
+  }
+  await retagAnnotatedLocal({
+    tag: from,
+    commit: twin,
+    message,
+    signed: config.signTags,
+    cwd: config.cwd,
+    logLevel: config.logLevel
+  });
+  logger.success(`Re-bound tag "${from}" -> ${short(twin)} locally.`);
+  if (push) {
+    await pushTagForce(from, config.cwd, config.logLevel);
+    logger.success(`Force-pushed tag "${from}" to origin.`);
+  } else {
+    logger.info(`To publish the corrected tag later: git push origin ${from} --force`);
+  }
+  return from;
+}
+async function promptOrphan({
+  from,
+  twin,
+  config,
+  dryRun,
+  explanation
+}) {
+  logger.warn(explanation);
+  const choices = [];
+  if (twin) {
+    choices.push({ name: `Use equivalent commit ${short(twin)} for this run only (recommended, non-destructive)`, value: "ephemeral" });
+    choices.push({ name: `Re-bind tag "${from}" -> ${short(twin)} locally (push it manually later)`, value: "rebind-local" });
+    choices.push({ name: `Re-bind tag "${from}" -> ${short(twin)} locally AND force-push to origin`, value: "rebind-push" });
+  }
+  choices.push({ name: `Keep the orphaned tag (changelog will span the full divergent range)`, value: "keep" });
+  choices.push({ name: `Abort`, value: "abort" });
+  let answer;
+  try {
+    answer = await select({
+      message: `How should relizy handle the rewritten tag "${from}"?`,
+      choices,
+      default: twin ? "ephemeral" : "keep"
+    });
+  } catch (error) {
+    const userHasExited = error instanceof Error && error.name === "ExitPromptError";
+    logger.log("");
+    logger.fail(userHasExited ? "Cancelled" : "Error while resolving rewritten tag");
+    process$1.exit(userHasExited ? 0 : 1);
+  }
+  switch (answer) {
+    case "ephemeral":
+      logger.info(`Using equivalent commit ${short(twin)} as the changelog base for this run.`);
+      return twin;
+    case "rebind-local":
+      return rebind({ from, twin, config, dryRun, push: false });
+    case "rebind-push": {
+      const confirmed = await confirm({
+        message: `Force-push tag "${from}" to origin? This rewrites the already-published tag.`,
+        default: false
+      }).catch(() => false);
+      if (!confirmed) {
+        logger.info("Skipping force-push; re-binding the tag locally only.");
+        return rebind({ from, twin, config, dryRun, push: false });
+      }
+      return rebind({ from, twin, config, dryRun, push: true });
+    }
+    case "keep":
+      logger.warn(`Keeping orphaned tag "${from}"; the changelog range may be incorrect.`);
+      return from;
+    case "abort":
+    default:
+      logger.log("");
+      logger.fail("Aborted. Re-bind the tag or fix your history, then retry.");
+      process$1.exit(0);
+  }
+}
+async function reconcileFromTag({
+  from,
+  to,
+  config,
+  dryRun = false
+}) {
+  if (config.detectRewrittenTags === false || !from || from === to) {
+    return from;
+  }
+  const cwd = config.cwd;
+  if (!await tagExists(from, cwd)) {
+    return from;
+  }
+  const cached = sessionCache.get(from);
+  if (cached !== void 0) {
+    return cached;
+  }
+  if (await isAncestor(from, to, cwd)) {
+    sessionCache.set(from, from);
+    return from;
+  }
+  const subject = await getCommitSubject(from, cwd);
+  const twin = subject ? await findReachableCommitBySubject(subject, to, cwd) : null;
+  const explanation = buildExplanation({ from, to, twin, subject });
+  const strategy = resolveStrategy(config);
+  let result;
+  if (strategy === "error") {
+    logger.error(explanation);
+    throw new Error(`Tag "${from}" was rewritten (rebased) and is no longer reachable from "${to}". Re-bind the tag or fix your history.`);
+  } else if (strategy === "prompt") {
+    result = await promptOrphan({ from, twin, config, dryRun, explanation });
+  } else if (!twin) {
+    logger.warn(explanation);
+    logger.warn(`Falling back to the original tag "${from}"; the changelog range may be incorrect.`);
+    result = from;
+  } else if (strategy === "rebind") {
+    logger.warn(explanation);
+    result = await rebind({ from, twin, config, dryRun, push: false });
+  } else {
+    logger.warn(explanation);
+    logger.info(`Using equivalent commit ${short(twin)} as the changelog base for this run (tag "${from}" left untouched).`);
+    result = twin;
+  }
+  sessionCache.set(from, result);
+  return result;
+}
+
 function getFirstPackageCommitHash(packagePath, cwd) {
   const relativePath = relative(cwd, packagePath);
   try {
@@ -175,7 +419,8 @@ async function getRootPackage({
   from,
   to,
   suffix,
-  changelog
+  changelog,
+  dryRun = false
 }) {
   try {
     const packageJson = readPackageJson(config.cwd);
@@ -187,7 +432,8 @@ async function getRootPackage({
       from,
       to,
       config,
-      changelog
+      changelog,
+      dryRun
     });
     let newVersion;
     if (config.monorepo?.versionMode !== "independent") {
@@ -296,7 +542,8 @@ async function getPackages({
   config,
   suffix,
   force,
-  includeAll = false
+  includeAll = false,
+  dryRun = false
 }) {
   const patterns = config.monorepo?.packages;
   const readedPackages = readPackages({
@@ -349,7 +596,8 @@ async function getPackages({
         from,
         to,
         config,
-        changelog: false
+        changelog: false,
+        dryRun
       });
       foundPaths.add(matchPath);
       const dependencies = getPackageDependencies({
@@ -427,19 +675,21 @@ async function getPackageCommits({
   from,
   to,
   config,
-  changelog
+  changelog,
+  dryRun = false
 }) {
   logger.debug(`Analyzing commits for ${pkg.name} since ${from} to ${to}`);
-  let actualFrom = from;
+  let actualFrom;
   if (from === NEW_PACKAGE_MARKER) {
     const firstPackageCommit = getFirstPackageCommitHash(pkg.path, config.cwd);
-    if (firstPackageCommit) {
-      logger.debug(`${pkg.name} is a new package, using first package commit: ${firstPackageCommit.slice(0, 8)}`);
-      actualFrom = `${firstPackageCommit}^`;
-    } else {
+    if (!firstPackageCommit) {
       logger.debug(`${pkg.name} has no commits yet, returning empty`);
       return [];
     }
+    logger.debug(`${pkg.name} is a new package, using first package commit: ${firstPackageCommit.slice(0, 8)}`);
+    actualFrom = `${firstPackageCommit}^`;
+  } else {
+    actualFrom = await reconcileFromTag({ from, to, config, dryRun });
   }
   const changelogConfig = {
     ...config,
@@ -1536,7 +1786,8 @@ async function getPackagesOrBumpedPackages({
   config,
   bumpResult,
   suffix,
-  force
+  force,
+  dryRun = false
 }) {
   if (bumpResult?.bumpedPackages && bumpResult.bumpedPackages.length > 0) {
     return bumpResult.bumpedPackages;
@@ -1544,11 +1795,25 @@ async function getPackagesOrBumpedPackages({
   return await getPackages({
     config,
     suffix,
-    force
+    force,
+    dryRun
   });
 }
 
+const DEFAULT_REGISTRY = "https://registry.npmjs.org/";
 let sessionOtp;
+function getNpmRegistry(cwd = process.cwd()) {
+  try {
+    const output = execSync("npm config get registry", {
+      cwd,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim();
+    return output && output !== "undefined" ? output : DEFAULT_REGISTRY;
+  } catch {
+    return DEFAULT_REGISTRY;
+  }
+}
 function detectPackageManager(cwd = process.cwd()) {
   try {
     const packageJsonPath = join(cwd, "package.json");
@@ -1752,7 +2017,7 @@ async function executePublishCommand({
     logger.info(`${dryRun ? "[dry-run] " : ""}Skipping actual publish for ${packageNameAndVersion}`);
     return;
   }
-  const { stdout, stderr } = await execPromise(command, {
+  await execPromise(command, {
     noStderr: true,
     noStdout: true,
     noSuccess: true,
@@ -1760,8 +2025,6 @@ async function executePublishCommand({
     logLevel: config.logLevel,
     cwd: pkg.path
   });
-  logger.debug("Publish stdout:", stdout);
-  logger.debug("Publish stderr:", stderr);
 }
 function getAuthCommand({
   packageManager,
@@ -1859,6 +2122,53 @@ async function publishPackage({
   }
 }
 
+const REDACTED = "[redacted]";
+const SENSITIVE_KEYS = /* @__PURE__ */ new Set([
+  "token",
+  "publishtoken",
+  "oauthtoken",
+  "apikey",
+  "apikeysecret",
+  "accesstoken",
+  "accesstokensecret",
+  "password",
+  "secret",
+  "webhookurl",
+  "_authtoken"
+]);
+const SECRET_CONTAINER_KEYS = /* @__PURE__ */ new Set(["tokens"]);
+function redactValue(value, inSecretContainer, keyIsSensitive) {
+  if (typeof value === "string") {
+    if (value === "") {
+      return value;
+    }
+    if (inSecretContainer || keyIsSensitive) {
+      return REDACTED;
+    }
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactValue(item, inSecretContainer, false));
+  }
+  if (value && typeof value === "object") {
+    return redactObject(value, inSecretContainer);
+  }
+  return value;
+}
+function redactObject(obj, inSecretContainer) {
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    const lowerKey = key.toLowerCase();
+    const childInContainer = inSecretContainer || SECRET_CONTAINER_KEYS.has(lowerKey);
+    const keyIsSensitive = SENSITIVE_KEYS.has(lowerKey);
+    result[key] = redactValue(value, childInContainer, keyIsSensitive);
+  }
+  return result;
+}
+function redactSecrets(value) {
+  return redactValue(value, false, false);
+}
+
 function getDefaultConfig() {
   return {
     cwd: process$1.cwd(),
@@ -1907,8 +2217,11 @@ function getDefaultConfig() {
       private: false,
       args: [],
       token: process$1.env.RELIZY_NPM_TOKEN || process$1.env.NPM_TOKEN || process$1.env.NODE_AUTH_TOKEN,
-      registry: "https://registry.npmjs.org/",
+      // registry is intentionally left undefined: it is resolved later from the
+      // user's npm config / .npmrc (see resolveConfig) so a custom registry
+      // (e.g. a corporate proxy) is honored instead of forcing the public one.
       safetyCheck: true,
+      safetyCheckTimeout: 15e3,
       packageManager: detectPackageManager(process$1.cwd())
     },
     tokens: {
@@ -1975,7 +2288,8 @@ function getDefaultConfig() {
       }
     },
     logLevel: "default",
-    safetyCheck: true
+    safetyCheck: true,
+    detectRewrittenTags: true
   };
 }
 function resolveTemplateDefaults(config) {
@@ -2009,6 +2323,9 @@ async function resolveConfig(config, cwd) {
       provider: resolvedRepoConfig.provider
     };
   }
+  if (config.publish && !config.publish.registry) {
+    config.publish.registry = getNpmRegistry(cwd);
+  }
   return config;
 }
 function mergeTypes(userTypes, defaultTypes) {
@@ -2050,7 +2367,7 @@ async function loadRelizyConfig(options) {
   logger.verbose("User config:", formatJson(results.config.changelog));
   resolveTemplateDefaults(results.config);
   const resolvedConfig = await resolveConfig(results.config, cwd);
-  logger.debug("Resolved config:", formatJson(resolvedConfig));
+  logger.debug("Resolved config:", formatJson(redactSecrets(resolvedConfig)));
   return resolvedConfig;
 }
 function defineConfig(config) {
@@ -2680,7 +2997,8 @@ async function generateChangelog({
       from: gitFromRef,
       to: gitToRef,
       config: { ...config, from: gitFromRef, to: gitToRef },
-      changelog: true
+      changelog: true,
+      dryRun
     });
     const displayConfig = { ...config, from: displayFromTag, to: displayToTag };
     const parts = await renderChangelogParts({
@@ -3035,7 +3353,8 @@ async function githubIndependentMode({
     config,
     bumpResult,
     suffix,
-    force
+    force,
+    dryRun
   }));
   logger.info(`Creating ${packages.length} GitHub release(s)`);
   const postedReleases = [];
@@ -3156,7 +3475,8 @@ async function github(options) {
       suffix: options.suffix,
       changelog: true,
       from,
-      to
+      to,
+      dryRun
     });
     return await githubUnified({
       config,
@@ -3243,7 +3563,8 @@ async function gitlabIndependentMode({
     config,
     bumpResult,
     suffix,
-    force
+    force,
+    dryRun
   }));
   logger.info(`Creating ${packages.length} GitLab release(s) for independent packages`);
   logger.debug("Getting current branch...");
@@ -3417,7 +3738,8 @@ async function gitlab(options = {}) {
       suffix: options.suffix,
       changelog: true,
       from,
-      to
+      to,
+      dryRun
     });
     logger.debug(`Root package: ${getIndependentTag({ name: rootPackage.name, version: newVersion })}`);
     return await gitlabUnified({
@@ -4265,7 +4587,8 @@ async function bumpUnifiedMode({
     from,
     to,
     suffix,
-    changelog: false
+    changelog: false,
+    dryRun
   });
   const currentVersion = rootPackage.version;
   const newVersion = rootPackage.newVersion;
@@ -4279,7 +4602,8 @@ async function bumpUnifiedMode({
     config,
     suffix,
     force,
-    includeAll: true
+    includeAll: true,
+    dryRun
   });
   if (packages.length === 0) {
     logger.debug("No packages to bump");
@@ -4349,7 +4673,8 @@ async function bumpSelectiveMode({
     from,
     to,
     suffix,
-    changelog: false
+    changelog: false,
+    dryRun
   });
   const currentVersion = rootPackage.version;
   const newVersion = rootPackage.newVersion;
@@ -4362,7 +4687,8 @@ async function bumpSelectiveMode({
   const packages = await getPackages({
     config,
     suffix,
-    force
+    force,
+    dryRun
   });
   if (packages.length === 0) {
     logger.debug("No packages to bump");
@@ -4430,7 +4756,8 @@ async function bumpIndependentMode({
   const packagesToBump = await getPackages({
     config,
     suffix,
-    force
+    force,
+    dryRun
   });
   if (packagesToBump.length === 0) {
     logger.debug("No packages to bump");
@@ -4483,7 +4810,7 @@ async function bumpCanaryMode({
   logger.debug("Starting bump in canary mode");
   if (config.monorepo?.versionMode === "independent") {
     const sha2 = getShortCommitSha(config.cwd);
-    const packages2 = await getPackages({ config, suffix: void 0, force: false });
+    const packages2 = await getPackages({ config, suffix: void 0, force: false, dryRun });
     if (packages2.length === 0) {
       logger.debug("No packages to bump");
       return { bumped: false };
@@ -4506,7 +4833,8 @@ async function bumpCanaryMode({
     from,
     to,
     config,
-    changelog: false
+    changelog: false,
+    dryRun
   });
   const releaseType = determineSemverChange(commits, config.types);
   const sha = getShortCommitSha(config.cwd);
@@ -4523,7 +4851,8 @@ async function bumpCanaryMode({
     config,
     suffix: void 0,
     force: false,
-    includeAll: isUnified
+    includeAll: isUnified,
+    dryRun
   });
   if (packages.length === 0) {
     logger.debug("No packages to bump");
@@ -4772,7 +5101,8 @@ async function generateSimpleRootChangelog({
     suffix,
     changelog: true,
     from: fromTag,
-    to
+    to,
+    dryRun
   });
   logger.debug(`Generating ${rootPackage.name} changelog (${fromTag}...${to})`);
   const rootChangelog = await generateChangelog({
@@ -4821,7 +5151,8 @@ async function changelog(options = {}) {
       config,
       bumpResult: options.bumpResult,
       suffix: options.suffix,
-      force: options.force ?? false
+      force: options.force ?? false,
+      dryRun
     });
     if (config.changelog?.rootChangelog && config.monorepo?.versionMode) {
       if (config.monorepo.versionMode === "independent") {
@@ -5252,27 +5583,42 @@ async function publishSafetyCheck({ config }) {
   }
   logger.debug("Start checking auth config to package registry");
   const isPnpmOrNpm = config.publish.packageManager === "pnpm" || config.publish.packageManager === "npm";
-  if (isPnpmOrNpm) {
-    const authCommand = getAuthCommand({
-      packageManager: config.publish.packageManager,
-      config,
-      otp: config.publish.otp
+  if (!isPnpmOrNpm) {
+    logger.debug(`Skipping authentication to package registry because "${config.publish.packageManager}" is not supported`);
+    return;
+  }
+  const authCommand = getAuthCommand({
+    packageManager: config.publish.packageManager,
+    config,
+    otp: config.publish.otp
+  });
+  const timeoutMs = config.publish.safetyCheckTimeout ?? 15e3;
+  const patienceDelay = Math.min(5e3, Math.floor(timeoutMs / 2));
+  const patienceTimer = setTimeout(() => {
+    logger.info(`The package registry is taking longer than expected to respond (will time out at ${Math.round(timeoutMs / 1e3)}s)...`);
+  }, patienceDelay);
+  try {
+    logger.info("Authenticating to package registry...");
+    await execPromise(authCommand, {
+      cwd: config.cwd,
+      timeout: timeoutMs,
+      noStdout: true,
+      noStderr: true,
+      noSuccess: true,
+      noError: true,
+      logLevel: config.logLevel
     });
-    try {
-      logger.debug("Authenticating to package registry...");
-      await execPromise(authCommand, {
-        cwd: config.cwd,
-        noStderr: true,
-        noStdout: true,
-        logLevel: config.logLevel,
-        noSuccess: true
-      });
-      logger.info("Successfully authenticated to package registry");
-    } catch (error) {
-      throw new Error("Failed to authenticate to package registry", { cause: error });
+    logger.info("Successfully authenticated to package registry");
+  } catch (error) {
+    if (error?.killed) {
+      throw new Error(
+        `Authentication to package registry timed out after ${timeoutMs}ms. The registry did not respond - check your network or registry access, increase publish.safetyCheckTimeout, or skip this check with --no-safety-check.`,
+        { cause: error }
+      );
     }
-  } else {
-    logger.debug(`Skipping authentication to package registry because "${config.publish.packageManager}" is not supported`);
+    throw new Error("Failed to authenticate to package registry", { cause: error });
+  } finally {
+    clearTimeout(patienceTimer);
   }
 }
 async function publish(options = {}) {
@@ -5314,7 +5660,8 @@ async function publish(options = {}) {
       config,
       bumpResult: options.bumpResult,
       suffix: options.suffix,
-      force: options.force ?? false
+      force: options.force ?? false,
+      dryRun
     });
     const packages = filterOutPrivatePackages(discoveredPackages);
     if (discoveredPackages.length !== packages.length) {
@@ -5644,7 +5991,8 @@ async function social(options = {}) {
       suffix: void 0,
       changelog: true,
       from: fromTag,
-      to
+      to,
+      dryRun
     });
     const minifiedBody = await generateChangelog({
       pkg: { ...rootPackage, fromTag },
@@ -5716,7 +6064,8 @@ ${twitterChangelog}`);
       from: fromTag,
       to: "HEAD",
       config,
-      changelog: true
+      changelog: true,
+      dryRun
     });
     const slackResponse = await handleSlackPost({
       config,
@@ -6095,4 +6444,4 @@ Git provider: ${provider}`);
   }
 }
 
-export { PR_COMMENT_MARKER as $, getModifiedReleaseFilePatterns as A, createCommitAndTags as B, pushCommitAndTags as C, rollbackModifiedFiles as D, getFirstCommit as E, getCurrentGitBranch as F, getCurrentGitRef as G, getShortCommitSha as H, github as I, createGitlabRelease as J, gitlab as K, buildCompareLink as L, buildChangelogBody as M, collectContributorNames as N, buildContributors as O, generateMarkDown as P, parseChangelogMarkdown as Q, detectPackageManager as R, determinePublishTag as S, getPackagesToPublishInSelectiveMode as T, getPackagesToPublishInIndependentMode as U, getAuthCommand as V, publishPackage as W, collectPackageBumps as X, findGitHubPR as Y, findGitLabMR as Z, detectPullRequest as _, buildCommentBody as a, postPrComment as a0, readPackageJson as a1, getRootPackage as a2, readPackages as a3, getPackages as a4, getPackageCommits as a5, hasLernaJson as a6, getSlackToken as a7, getSlackWebhookUrl as a8, formatChangelogForSlack as a9, determineReleaseType as aA, writeVersion as aB, getPackageNewVersion as aC, updateLernaVersion as aD, extractVersionFromPackageTag as aE, isPrerelease as aF, isStableReleaseType as aG, isPrereleaseReleaseType as aH, isGraduating as aI, getPreid as aJ, isChangedPreid as aK, getBumpedPackageIndependently as aL, confirmBump as aM, getBumpedIndependentPackages as aN, shouldFilterPrereleaseTags as aO, extractVersionFromTag as aP, getCanaryVersion as aQ, isTagVersionCompatibleWithCurrent as aR, formatPackagesForSlack as aa, formatSlackMessage as ab, postReleaseToSlack as ac, extractChangelogSummary as ad, getReleaseUrl as ae, getIndependentTag as af, getLastStableTag as ag, getLastTag as ah, getLastRepoTag as ai, getLastPackageTag as aj, NEW_PACKAGE_MARKER as ak, resolveTags as al, getTwitterCredentials as am, formatTweetMessage as an, postReleaseToTwitter as ao, executeHook as ap, isInCI as aq, getCIName as ar, executeFormatCmd as as, executeBuildCmd as at, isBumpedPackage as au, filterOutPrivatePackages as av, getPackagesOrBumpedPackages as aw, isGraduatingToStableBetweenVersion as ax, capReleaseTypeForZeroMajor as ay, determineSemverChange as az, bump as b, changelog as c, providerReleaseSafetyCheck as d, providerRelease as e, publishSafetyCheck as f, publish as g, social as h, generateChangelog as i, getDefaultConfig as j, defineConfig as k, loadRelizyConfig as l, mergeTypes as m, getPackageDependencies as n, getDependentsOf as o, prComment as p, expandPackagesToBumpWithDependents as q, release as r, socialSafetyCheck as s, topologicalSort as t, getGitStatus as u, checkGitStatusIfDirty as v, writeChangelogToFile as w, fetchGitTags as x, detectGitProvider as y, parseGitRemoteUrl as z };
+export { getPackagesToPublishInIndependentMode as $, getModifiedReleaseFilePatterns as A, createCommitAndTags as B, pushCommitAndTags as C, rollbackModifiedFiles as D, getFirstCommit as E, getCurrentGitBranch as F, getCurrentGitRef as G, getShortCommitSha as H, isAncestor as I, getCommitSubject as J, findReachableCommitBySubject as K, tagExists as L, retagAnnotatedLocal as M, pushTagForce as N, github as O, createGitlabRelease as P, gitlab as Q, buildCompareLink as R, buildChangelogBody as S, collectContributorNames as T, buildContributors as U, generateMarkDown as V, parseChangelogMarkdown as W, getNpmRegistry as X, detectPackageManager as Y, determinePublishTag as Z, getPackagesToPublishInSelectiveMode as _, buildCommentBody as a, isTagVersionCompatibleWithCurrent as a$, getAuthCommand as a0, publishPackage as a1, collectPackageBumps as a2, findGitHubPR as a3, findGitLabMR as a4, detectPullRequest as a5, PR_COMMENT_MARKER as a6, postPrComment as a7, redactSecrets as a8, readPackageJson as a9, isInCI as aA, getCIName as aB, executeFormatCmd as aC, executeBuildCmd as aD, isBumpedPackage as aE, filterOutPrivatePackages as aF, getPackagesOrBumpedPackages as aG, isGraduatingToStableBetweenVersion as aH, capReleaseTypeForZeroMajor as aI, determineSemverChange as aJ, determineReleaseType as aK, writeVersion as aL, getPackageNewVersion as aM, updateLernaVersion as aN, extractVersionFromPackageTag as aO, isPrerelease as aP, isStableReleaseType as aQ, isPrereleaseReleaseType as aR, isGraduating as aS, getPreid as aT, isChangedPreid as aU, getBumpedPackageIndependently as aV, confirmBump as aW, getBumpedIndependentPackages as aX, shouldFilterPrereleaseTags as aY, extractVersionFromTag as aZ, getCanaryVersion as a_, getRootPackage as aa, readPackages as ab, getPackages as ac, getPackageCommits as ad, hasLernaJson as ae, resetRewrittenTagCache as af, reconcileFromTag as ag, getSlackToken as ah, getSlackWebhookUrl as ai, formatChangelogForSlack as aj, formatPackagesForSlack as ak, formatSlackMessage as al, postReleaseToSlack as am, extractChangelogSummary as an, getReleaseUrl as ao, getIndependentTag as ap, getLastStableTag as aq, getLastTag as ar, getLastRepoTag as as, getLastPackageTag as at, NEW_PACKAGE_MARKER as au, resolveTags as av, getTwitterCredentials as aw, formatTweetMessage as ax, postReleaseToTwitter as ay, executeHook as az, bump as b, changelog as c, providerReleaseSafetyCheck as d, providerRelease as e, publishSafetyCheck as f, publish as g, social as h, generateChangelog as i, getDefaultConfig as j, defineConfig as k, loadRelizyConfig as l, mergeTypes as m, getPackageDependencies as n, getDependentsOf as o, prComment as p, expandPackagesToBumpWithDependents as q, release as r, socialSafetyCheck as s, topologicalSort as t, getGitStatus as u, checkGitStatusIfDirty as v, writeChangelogToFile as w, fetchGitTags as x, detectGitProvider as y, parseGitRemoteUrl as z };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "relizy",
   "type": "module",
-  "version": "1.4.6",
+  "version": "1.4.8-beta.0",
   "description": "Changelogen adapter for monorepo management with unified and independent versioning",
   "author": "Louis Mazel <me@loicmazuel.com>",
   "license": "MIT",
@@ -56,7 +56,7 @@
   },
   "peerDependencies": {
     "@slack/web-api": "^7.0.0",
-    "@yoloship/claude-sdk": "^0.1.0",
+    "@yoloship/claude-sdk": "^0.2.0-beta.6",
     "twitter-api-v2": "^1.20.0"
   },
   "peerDependenciesMeta": {
@@ -71,40 +71,40 @@
     }
   },
   "dependencies": {
-    "@inquirer/prompts": "^8.4.2",
-    "@maz-ui/node": "4.6.1",
-    "@maz-ui/utils": "^4.7.6",
+    "@inquirer/prompts": "^8.5.2",
+    "@maz-ui/node": "5.0.0-beta.26",
+    "@maz-ui/utils": "5.0.0-beta.25",
     "c12": "^3.3.3",
     "changelogen": "^0.6.2",
-    "commander": "^14.0.3",
+    "commander": "^15.0.0",
     "convert-gitmoji": "^0.1.5",
     "defu": "6.1.7",
     "fast-glob": "^3.3.2",
     "node-fetch-native": "^1.6.7",
-    "semver": "^7.7.4"
+    "semver": "^7.8.3"
   },
   "devDependencies": {
-    "@commitlint/cli": "^20.5.0",
-    "@commitlint/config-conventional": "20.5.0",
-    "@commitlint/cz-commitlint": "^20.5.1",
-    "@commitlint/types": "^20.5.0",
-    "@maz-ui/eslint-config": "^4.9.1",
-    "@slack/web-api": "7.15.1",
-    "@types/node": "^25.6.0",
+    "@commitlint/cli": "^21.0.2",
+    "@commitlint/config-conventional": "21.0.2",
+    "@commitlint/cz-commitlint": "^21.0.2",
+    "@commitlint/types": "^21.0.1",
+    "@maz-ui/eslint-config": "5.0.0-beta.25",
+    "@slack/web-api": "7.16.0",
+    "@types/node": "^25.9.2",
     "@types/semver": "^7.7.1",
-    "@vitest/coverage-v8": "^4.1.5",
-    "@yoloship/claude-sdk": "0.1.0-beta.3",
+    "@vitest/coverage-v8": "^4.1.8",
+    "@yoloship/claude-sdk": "0.2.0-beta.6",
     "cross-env": "10.1.0",
-    "eslint": "^10.2.1",
+    "eslint": "^10.4.1",
     "husky": "9.1.7",
-    "jiti": "2.6.1",
-    "lint-staged": "^16.4.0",
-    "memfs": "^4.57.2",
-    "tsx": "^4.21.0",
+    "jiti": "2.7.0",
+    "lint-staged": "^17.0.7",
+    "memfs": "^4.57.6",
+    "tsx": "^4.22.4",
     "twitter-api-v2": "^1.29.0",
-    "typescript": "^5.9.3",
+    "typescript": "^6.0.3",
     "unbuild": "^3.6.1",
-    "vitest": "^4.1.5"
+    "vitest": "^4.1.8"
   },
   "lint-staged": {
     "*.{js,jsx,ts,tsx,mjs,mts,cjs,md,yml,json}": [