zx-bulk-release 3.1.6 → 3.1.8

package/CHANGELOG.md

@@ -1,3 +1,14 @@
+## [3.1.8](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.7...v3.1.8) (2026-04-13)
+
+### Fixes & improvements
+* perf: minor internal code imprs ([f3f0aae](https://github.com/semrel-extra/zx-bulk-release/commit/f3f0aae2e7dc4045a6573a8e270acdf6a3d983d8))
+
+## [3.1.7](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.6...v3.1.7) (2026-04-13)
+
+### Fixes & improvements
+* perf: apply traverseQueue to delivery phase ([6f1ba58](https://github.com/semrel-extra/zx-bulk-release/commit/6f1ba58885e7739b23de1d895f80ea4680645347))
+* perf: let `--verify` accept out dir ([80015bb](https://github.com/semrel-extra/zx-bulk-release/commit/80015bb067306892bbcc969c5ee2700a256b22f4))
+
 ## [3.1.6](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.5...v3.1.6) (2026-04-13)
 
 ### Fixes & improvements

package/README.md

@@ -46,7 +46,7 @@ GH_TOKEN=ghtoken GH_USER=username NPM_TOKEN=npmtoken npx zx-bulk-release [opts]
 |------------------------------|---------------------------------------------------------------------------------------------------|------------------|
 | `--receive`                  | Consume rebuild signal, analyze, preflight. Writes `zbr-context.json`. Run before deps install.  |                  |
 | `--pack [dir]`               | Pack only: build, test, and write delivery tars to `dir`. No credentials needed.                  | `parcels`        |
-| `--verify [dir]`             | Verify untrusted parcels against context, copy valid ones to `parcels/`. Use `--context` for path. | `parcels`       |
+| `--verify [in:out]`          | Verify untrusted parcels against context, copy valid ones to output dir. Use `--context` for path. | `parcels:parcels` |
 | `--context <path>`           | Path to trusted `zbr-context.json` (used with `--verify`).                                       | `zbr-context.json` |
 | `--deliver [dir]`            | Deliver only: read tars from `dir` and run delivery channels. No source code needed.              | `parcels`        |
 | `--ignore`                   | Packages to ignore: `a, b`                                                                        |                  |
@@ -181,7 +181,7 @@ jobs:
           path: parcels-unverified/
 
       # verify — validate untrusted parcels against trusted context
-      - run: npx zx-bulk-release --verify parcels-unverified/
+      - run: npx zx-bulk-release --verify parcels-unverified/:parcels/
 
       # deliver — only verified parcels
       - run: npx zx-bulk-release --deliver
@@ -381,7 +381,7 @@ Each step has a uniform signature `(pkg, ctx)`:
 - **`preflight`** — checks tag availability on remote, re-resolves version on conflict, skips duplicates.
 - **`build`** — runs `buildCmd` (with dep traversal and optional npm artifact fetch).
 - **`test`** — runs `testCmd`.
-- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{tag}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
+- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
 - **`publish`** — hands tars to courier's `deliver()`, runs `cmd` channel separately. Tag push is handled by the `git-tag` channel.
 - **`clean`** — restores `package.json` files and unsets git user config.
 
@@ -397,13 +397,13 @@ Set `config.releaseRules` to override the default rules preset:
 ### Tar containers
 Each delivery artifact is a self-describing tar archive:
 ```
-parcel.{sha7}.{channel}.{tag}.{hash6}.tar
+parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar
   manifest.json    — channel name, delivery params, template credentials
   package.tgz     — (npm channel) npm tarball
   assets/          — (gh-release channel) release assets
   docs/            — (gh-pages channel) documentation files
 ```
-The `sha7` prefix groups all parcels of one commit. The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
+The `sha7` prefix groups all parcels of one commit. `name` is the sanitized package name (`@scope/pkg` → `scope-pkg`). The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
 
 A **directive** meta-parcel (`parcel.{sha7}.directive.{ts}.tar`) is generated alongside regular parcels. It contains the complete delivery map: package queue, per-package channel steps, and an authoritative list of parcel filenames. The directive enables coordinated delivery — see [DELIVER_SPEC.md](./DELIVER_SPEC.md).
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "zx-bulk-release",
   "alias": "bulk-release",
-  "version": "3.1.6",
+  "version": "3.1.8",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {

package/src/main/js/cli.js

@@ -15,7 +15,7 @@ Modes:
   (no flags)              All-in-one: analyze, build, test, pack, deliver
   --receive               Analyze & preflight, write zbr-context.json. Run BEFORE deps install
   --pack [dir]            Build, test, pack tars to dir                           [default: parcels]
-  --verify [input-dir]    Validate parcels against context, copy valid to parcels/ [default: parcels]
+  --verify [in:out]       Validate parcels against context, copy to out dir         [default: parcels]
   --deliver [dir]         Deliver parcels through channels                        [default: parcels]
 
 Options:

package/src/main/js/post/api/git.js

@@ -1,10 +1,10 @@
-export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
-export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
-
 import {$, fs, path, tempy, copy} from 'zx-extra'
 import {log} from '../log.js'
 import {attempt2, attempt3, memoizeBy} from '../../util.js'
 
+export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
+export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
+
 export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, basicAuth}) => {
   if (!_origin && !_cwd) throw new Error('fetchRepo requires either origin or cwd')
   const origin = _origin || (await getRepo(_cwd, {basicAuth})).repoAuthedUrl

package/src/main/js/post/api/npm.js

@@ -3,8 +3,9 @@ import _fs from 'node:fs/promises'
 import _path from 'node:path'
 import tar from 'tar-stream'
 import {Readable} from 'node:stream'
-import {log} from '../log.js'
 import {$, semver, fs, INI, fetch, tempy} from 'zx-extra'
+
+import {log} from '../log.js'
 import {attempt2, memoizeBy} from '../../util.js'
 
 const FETCH_TIMEOUT_MS = 15_000

package/src/main/js/post/courier/index.js

@@ -2,6 +2,7 @@ import {$, tempy, within, path, semver, fs} from 'zx-extra'
 import {unpackTar} from '../tar.js'
 import {log} from '../log.js'
 import {pool} from '../../util.js'
+import {traverseQueue} from '../depot/deps.js'
 import {scanDirectives, invalidateOrphans} from '../parcel/directive.js'
 import {tryLock, unlock, signalRebuild} from './semaphore.js'
 import gitTag from './channels/git-tag.js'
@@ -160,43 +161,38 @@ const deliverParcel = async (tarPath, channelName, pkgName, version, env, {dryRu
   return res === 'duplicate' ? 'duplicate' : 'ok'
 }
 
-const deliverDirective = async (directive, tarMap, env, {dryRun, cwd}) => {
+const deliverPkg = async (pkgName, pkg, tarMap, env, {dryRun, cwd}) => {
   const entries = []
   const conflicts = []
   const skipped = []
 
-  for (const pkgName of directive.queue) {
-    const pkg = directive.packages[pkgName]
-    if (!pkg) continue
-
-    let pkgConflict = false
+  let pkgConflict = false
 
-    for (const step of pkg.deliver) {
-      if (pkgConflict) break
+  for (const step of pkg.deliver) {
+    if (pkgConflict) break
 
-      const results = await Promise.all(step.map(async (channelName) => {
-        const parcelName = (pkg.parcels || []).find(p => p.includes(`.${channelName}.`))
-        const tarPath = parcelName && tarMap.get(parcelName)
-        if (!tarPath) return 'missing'
+    const results = await Promise.all(step.map(async (channelName) => {
+      const parcelName = (pkg.parcels || []).find(p => p.includes(`.${channelName}.`))
+      const tarPath = parcelName && tarMap.get(parcelName)
+      if (!tarPath) return 'missing'
 
-        return deliverParcel(tarPath, channelName, pkgName, pkg.version, env, {dryRun, cwd})
-      }))
+      return deliverParcel(tarPath, channelName, pkgName, pkg.version, env, {dryRun, cwd})
+    }))
 
-      for (let i = 0; i < step.length; i++) {
-        const r = results[i]
-        if (r === 'skip') skipped.push({channelName: step[i], pkg: pkgName})
-        else if (r !== 'missing' && r !== 'already') entries.push({channel: step[i], name: pkgName, version: pkg.version})
-      }
+    for (let i = 0; i < step.length; i++) {
+      const r = results[i]
+      if (r === 'skip') skipped.push({channelName: step[i], pkg: pkgName})
+      else if (r !== 'missing' && r !== 'already') entries.push({channel: step[i], name: pkgName, version: pkg.version})
+    }
 
-      if (results.includes('conflict')) {
-        pkgConflict = true
-        conflicts.push(pkgName)
-        for (const p of pkg.parcels || []) {
-          const tp = tarMap.get(p)
-          if (!tp) continue
-          const c = await fs.readFile(tp, 'utf8').catch(() => null)
-          if (c !== 'released') await fs.writeFile(tp, 'conflict')
-        }
+    if (results.includes('conflict')) {
+      pkgConflict = true
+      conflicts.push(pkgName)
+      for (const p of pkg.parcels || []) {
+        const tp = tarMap.get(p)
+        if (!tp) continue
+        const c = await fs.readFile(tp, 'utf8').catch(() => null)
+        if (c !== 'released') await fs.writeFile(tp, 'conflict')
       }
     }
   }
@@ -204,6 +200,25 @@ const deliverDirective = async (directive, tarMap, env, {dryRun, cwd}) => {
   return {entries, conflicts, skipped}
 }
 
+const deliverDirective = async (directive, tarMap, env, {dryRun, cwd}) => {
+  const entries = []
+  const conflicts = []
+  const skipped = []
+
+  const prev = new Map(Object.entries(directive.prev || {}))
+
+  await traverseQueue({queue: directive.queue, prev, cb: async (pkgName) => {
+    const pkg = directive.packages[pkgName]
+    if (!pkg) return
+    const r = await deliverPkg(pkgName, pkg, tarMap, env, {dryRun, cwd})
+    entries.push(...r.entries)
+    conflicts.push(...r.conflicts)
+    skipped.push(...r.skipped)
+  }})
+
+  return {entries, conflicts, skipped}
+}
+
 // --- Main entry point ---
 
 export const deliver = async (tars, env = process.env, {concurrency = 4, dryRun = false, cwd} = {}) => {

package/src/main/js/post/modes/pack.js

@@ -10,8 +10,8 @@ import {publish} from '../depot/steps/publish.js'
 import {clean} from '../depot/steps/clean.js'
 import {test} from '../depot/steps/test.js'
 import {preflight} from '../depot/reconcile.js'
-import {buildDirective, PARCELS_DIR} from '../parcel/index.js'
 import {CONTEXT_FILE, readContext} from '../depot/context.js'
+import {buildDirective, PARCELS_DIR} from '../parcel/index.js'
 
 export const runPack = async ({cwd, env, flags}, ctx) => {
   const {report, packages, queue, prev} = ctx

package/src/main/js/post/modes/verify.js

@@ -4,9 +4,9 @@ import {PARCELS_DIR, verifyParcels} from '../parcel/index.js'
 import {CONTEXT_FILE, readContext} from '../depot/context.js'
 
 export const runVerify = async ({cwd, flags}) => {
-  const inputDir = typeof flags.verify === 'string' ? flags.verify : PARCELS_DIR
+  const [inputDir = PARCELS_DIR, outputDir_ = PARCELS_DIR] = typeof flags.verify === 'string' ? flags.verify.split(':') : []
+  const outputDir = path.resolve(cwd, outputDir_)
   const contextPath = typeof flags.context === 'string' ? flags.context : path.resolve(cwd, CONTEXT_FILE)
-  const outputDir = path.resolve(cwd, PARCELS_DIR)
 
   log.info(`verifying parcels in ${inputDir} against ${contextPath}`)
 

package/src/main/js/post/parcel/directive.js

@@ -17,6 +17,7 @@ export const buildDirective = async (ctx, packedPkgs, outputDir) => {
   const {sha, timestamp} = packedPkgs[0].ctx.git
   const packages = {}
   const parcels = []
+  const packedNames = new Set(packedPkgs.map(p => p.name))
 
   for (const pkg of packedPkgs) {
     const pkgParcels = (pkg.tars || []).map(t => path.basename(t))
@@ -29,12 +30,21 @@ export const buildDirective = async (ctx, packedPkgs, outputDir) => {
     parcels.push(...pkgParcels)
   }
 
+  // Store dependency graph for parallel delivery in topo order
+  const prev = {}
+  if (ctx.prev) {
+    for (const name of packedNames) {
+      const deps = (ctx.prev.get(name) || []).filter(d => packedNames.has(d))
+      if (deps.length) prev[name] = deps
+    }
+  }
+
   const sha7 = sha.slice(0, 7)
   const manifest = {
     channel: 'directive',
     sha, timestamp: Number(timestamp),
     queue: packedPkgs.map(p => p.name),
-    packages, parcels,
+    packages, parcels, prev,
   }
 
   const tarPath = path.join(outputDir, `parcel.${sha7}.directive.${timestamp}.tar`)

package/src/main/js/post/tar.js

@@ -1,8 +1,7 @@
 import tar from 'tar-stream'
 import crypto from 'node:crypto'
-import {fs, path} from 'zx-extra'
 import {pipeline} from 'node:stream/promises'
-import {createWriteStream, createReadStream} from 'node:fs'
+import {fs, path} from 'zx-extra'
 
 export const packTar = async (tarPath, manifest, files = []) => {
   await fs.ensureDir(path.dirname(tarPath))
@@ -20,13 +19,13 @@ export const packTar = async (tarPath, manifest, files = []) => {
   }
 
   pack.finalize()
-  await pipeline(pack, createWriteStream(tarPath))
+  await pipeline(pack, fs.createWriteStream(tarPath))
   return tarPath
 }
 
 export const hashFile = async (filePath) => {
   const hash = crypto.createHash('sha1')
-  await pipeline(createReadStream(filePath), hash)
+  await pipeline(fs.createReadStream(filePath), hash)
   return hash.digest('hex').slice(0, 6)
 }
 
@@ -68,7 +67,7 @@ export const unpackTar = async (tarPath, destDir) => {
     extract.on('error', reject)
   })
 
-  await pipeline(createReadStream(tarPath), extract)
+  await pipeline(fs.createReadStream(tarPath), extract)
   await done
   return {manifest, dir: destDir}
 }

package/src/test/js/utils/mock.js

@@ -19,7 +19,7 @@ function proc(stdout = '', code = 0) {
   return p
 }
 
-export function createMock(responses = []) {
+export function createSpawnMock(responses = []) {
   const calls = []
   const spawn = (cmd, args) => {
     const command = args?.[args.length - 1] || cmd