zx-bulk-release 3.1.7 → 3.1.9

package/CHANGELOG.md

@@ -1,3 +1,13 @@
+## [3.1.9](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.8...v3.1.9) (2026-04-13)
+
+### Fixes & improvements
+* perf: replace cosmiconfig with own config reader ([f980590](https://github.com/semrel-extra/zx-bulk-release/commit/f980590edbf9aa9311110207e24849c6373c0feb))
+
+## [3.1.8](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.7...v3.1.8) (2026-04-13)
+
+### Fixes & improvements
+* perf: minor internal code imprs ([f3f0aae](https://github.com/semrel-extra/zx-bulk-release/commit/f3f0aae2e7dc4045a6573a8e270acdf6a3d983d8))
+
 ## [3.1.7](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.6...v3.1.7) (2026-04-13)
 
 ### Fixes & improvements

package/README.md

@@ -46,7 +46,7 @@ GH_TOKEN=ghtoken GH_USER=username NPM_TOKEN=npmtoken npx zx-bulk-release [opts]
 |------------------------------|---------------------------------------------------------------------------------------------------|------------------|
 | `--receive`                  | Consume rebuild signal, analyze, preflight. Writes `zbr-context.json`. Run before deps install.  |                  |
 | `--pack [dir]`               | Pack only: build, test, and write delivery tars to `dir`. No credentials needed.                  | `parcels`        |
-| `--verify [dir]`             | Verify untrusted parcels against context, copy valid ones to `parcels/`. Use `--context` for path. | `parcels`       |
+| `--verify [in:out]`          | Verify untrusted parcels against context, copy valid ones to output dir. Use `--context` for path. | `parcels:parcels` |
 | `--context <path>`           | Path to trusted `zbr-context.json` (used with `--verify`).                                       | `zbr-context.json` |
 | `--deliver [dir]`            | Deliver only: read tars from `dir` and run delivery channels. No source code needed.              | `parcels`        |
 | `--ignore`                   | Packages to ignore: `a, b`                                                                        |                  |
@@ -181,7 +181,7 @@ jobs:
           path: parcels-unverified/
 
       # verify — validate untrusted parcels against trusted context
-      - run: npx zx-bulk-release --verify parcels-unverified/
+      - run: npx zx-bulk-release --verify parcels-unverified/:parcels/
 
       # deliver — only verified parcels
       - run: npx zx-bulk-release --deliver
@@ -212,8 +212,8 @@ await run({
 ```
 
 ## Config
-### cosmiconfig
-Any [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) compliant format: `.releaserc`, `.release.json`, `.release.yaml`, etc in the package root or in the repo root dir.
+### Config files
+[cosmiconfig](https://github.com/davidtheclark/cosmiconfig)-compatible lookup: `.releaserc`, `.release.json`, `.release.yaml`, `.releaserc.js`, `release.config.js`, or `release` key in `package.json`. Searched from the package root up to the repo root.
 ```json
 {
   "buildCmd": "yarn && yarn build",
@@ -381,7 +381,7 @@ Each step has a uniform signature `(pkg, ctx)`:
 - **`preflight`** — checks tag availability on remote, re-resolves version on conflict, skips duplicates.
 - **`build`** — runs `buildCmd` (with dep traversal and optional npm artifact fetch).
 - **`test`** — runs `testCmd`.
-- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{tag}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
+- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
 - **`publish`** — hands tars to courier's `deliver()`, runs `cmd` channel separately. Tag push is handled by the `git-tag` channel.
 - **`clean`** — restores `package.json` files and unsets git user config.
 
@@ -397,13 +397,13 @@ Set `config.releaseRules` to override the default rules preset:
 ### Tar containers
 Each delivery artifact is a self-describing tar archive:
 ```
-parcel.{sha7}.{channel}.{tag}.{hash6}.tar
+parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar
   manifest.json    — channel name, delivery params, template credentials
   package.tgz     — (npm channel) npm tarball
   assets/          — (gh-release channel) release assets
   docs/            — (gh-pages channel) documentation files
 ```
-The `sha7` prefix groups all parcels of one commit. The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
+The `sha7` prefix groups all parcels of one commit. `name` is the sanitized package name (`@scope/pkg` → `scope-pkg`). The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
 
 A **directive** meta-parcel (`parcel.{sha7}.directive.{ts}.tar`) is generated alongside regular parcels. It contains the complete delivery map: package queue, per-package channel steps, and an authoritative list of parcel filenames. The directive enables coordinated delivery — see [DELIVER_SPEC.md](./DELIVER_SPEC.md).
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "zx-bulk-release",
   "alias": "bulk-release",
-  "version": "3.1.7",
+  "version": "3.1.9",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {
@@ -19,25 +19,24 @@
   ],
   "scripts": {
     "test": "npm run test:unit",
-    "test:unit": "uvu ./src/test -i fixtures -i utils -i integration",
+    "test:unit": "vitest run --dir src/test/js --exclude '**/integration*' --exclude '**/fixtures/**' --exclude '**/utils/**'",
     "test:it": "node ./src/test/js/integration.test.js",
-    "test:cov": "c8 sh -c 'npx uvu ./src/test -i fixtures -i utils -i integration && node ./src/test/js/integration.test.js' && c8 report -r lcov",
+    "test:cov": "vitest run --coverage --dir src/test/js --exclude '**/fixtures/**' --exclude '**/utils/**'",
     "docs": "mkdir -p docs && cp ./README.md ./docs/README.md",
     "publish:beta": "npm publish --tag beta --no-git-tag-version",
     "build": "esbuild src/main/js/index.js --platform=node --outdir=target --bundle --format=esm --external:typescript"
   },
   "dependencies": {
     "@semrel-extra/topo": "^1.14.1",
-    "cosmiconfig": "^9.0.1",
     "queuefy": "^1.2.1",
     "tar-stream": "^3.1.8",
     "zx-extra": "4.0.20"
   },
   "devDependencies": {
-    "c8": "^11.0.0",
+    "@vitest/coverage-v8": "^4.1.4",
     "esbuild": "^0.28.0",
-    "uvu": "^0.5.6",
-    "verdaccio": "6.5.0"
+    "verdaccio": "6.5.0",
+    "vitest": "^4.1.4"
   },
   "publishConfig": {
     "access": "public"
@@ -47,10 +46,5 @@
     "url": "git+https://github.com/semrel-extra/zx-bulk-release.git"
   },
   "author": "Anton Golub <antongolub@antongolub.com>",
-  "license": "MIT",
-  "c8": {
-    "exclude": [
-      "src/test/**"
-    ]
-  }
+  "license": "MIT"
 }

package/src/main/js/config.js

@@ -1,4 +1,4 @@
-import { cosmiconfig } from 'cosmiconfig'
+import { fs, path, YAML } from 'zx'
 import { asArray, camelize, memoizeBy } from './util.js'
 import { GH_URL, resolveGhApiUrl } from './post/api/gh.js'
 import { DEFAULT_GIT_COMMITTER_NAME, DEFAULT_GIT_COMMITTER_EMAIL } from './post/api/git.js'
@@ -29,12 +29,41 @@ export const defaultConfig = {
 export const getPkgConfig = async (cwd, env) =>
   normalizePkgConfig((await Promise.all(asArray(cwd).map(readPkgConfig))).find(Boolean) || defaultConfig, env)
 
-export const readPkgConfig = memoizeBy(async (cwd) => cosmiconfig(CONFIG_NAME, {
-  searchPlaces: CONFIG_FILES,
-  searchStrategy: 'global', // https://github.com/cosmiconfig/cosmiconfig/releases/tag/v9.0.0
-})
-  .search(cwd)
-  .then(r => r?.config))
+export const cosmiconfig = (name, {searchPlaces}) => {
+  const load = async (filePath) => {
+    if (filePath.endsWith('.js') || filePath.endsWith('.cjs'))
+      return (await import(filePath)).default
+    const raw = await fs.readFile(filePath, 'utf8')
+    if (filePath.endsWith('.yaml') || filePath.endsWith('.yml'))
+      return YAML.parse(raw)
+    try { return JSON.parse(raw) } catch { return YAML.parse(raw) }
+  }
+
+  const search = async (cwd) => {
+    let dir = path.resolve(cwd)
+    while (true) {
+      for (const file of searchPlaces) {
+        const filePath = path.resolve(dir, file)
+        if (!await fs.pathExists(filePath)) continue
+        if (file === 'package.json') {
+          const pkg = await fs.readJson(filePath)
+          if (pkg[name]) return pkg[name]
+          continue
+        }
+        return load(filePath)
+      }
+      const parent = path.dirname(dir)
+      if (parent === dir) return
+      dir = parent
+    }
+  }
+
+  return {search}
+}
+
+export const readPkgConfig = memoizeBy(async (cwd) =>
+  cosmiconfig(CONFIG_NAME, {searchPlaces: CONFIG_FILES}).search(cwd)
+)
 
 export const normalizePkgConfig = (config, env) => {
   const envConfig = parseEnv(env)

package/src/main/js/post/api/git.js

@@ -1,10 +1,10 @@
-export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
-export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
-
 import {$, fs, path, tempy, copy} from 'zx-extra'
 import {log} from '../log.js'
 import {attempt2, attempt3, memoizeBy} from '../../util.js'
 
+export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
+export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
+
 export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, basicAuth}) => {
   if (!_origin && !_cwd) throw new Error('fetchRepo requires either origin or cwd')
   const origin = _origin || (await getRepo(_cwd, {basicAuth})).repoAuthedUrl

package/src/main/js/post/api/npm.js

@@ -3,8 +3,9 @@ import _fs from 'node:fs/promises'
 import _path from 'node:path'
 import tar from 'tar-stream'
 import {Readable} from 'node:stream'
-import {log} from '../log.js'
 import {$, semver, fs, INI, fetch, tempy} from 'zx-extra'
+
+import {log} from '../log.js'
 import {attempt2, memoizeBy} from '../../util.js'
 
 const FETCH_TIMEOUT_MS = 15_000

package/src/main/js/post/tar.js

@@ -1,8 +1,7 @@
 import tar from 'tar-stream'
 import crypto from 'node:crypto'
-import {fs, path} from 'zx-extra'
 import {pipeline} from 'node:stream/promises'
-import {createWriteStream, createReadStream} from 'node:fs'
+import {fs, path} from 'zx-extra'
 
 export const packTar = async (tarPath, manifest, files = []) => {
   await fs.ensureDir(path.dirname(tarPath))
@@ -20,13 +19,13 @@ export const packTar = async (tarPath, manifest, files = []) => {
   }
 
   pack.finalize()
-  await pipeline(pack, createWriteStream(tarPath))
+  await pipeline(pack, fs.createWriteStream(tarPath))
   return tarPath
 }
 
 export const hashFile = async (filePath) => {
   const hash = crypto.createHash('sha1')
-  await pipeline(createReadStream(filePath), hash)
+  await pipeline(fs.createReadStream(filePath), hash)
   return hash.digest('hex').slice(0, 6)
 }
 
@@ -68,7 +67,7 @@ export const unpackTar = async (tarPath, destDir) => {
     extract.on('error', reject)
   })
 
-  await pipeline(createReadStream(tarPath), extract)
+  await pipeline(fs.createReadStream(tarPath), extract)
   await done
   return {manifest, dir: destDir}
 }

package/src/test/js/utils/mock.js

@@ -19,7 +19,7 @@ function proc(stdout = '', code = 0) {
   return p
 }
 
-export function createMock(responses = []) {
+export function createSpawnMock(responses = []) {
   const calls = []
   const spawn = (cmd, args) => {
     const command = args?.[args.length - 1] || cmd