upd-cli 0.1.2__tar.gz → 0.1.4__tar.gz

{upd_cli-0.1.2 → upd_cli-0.1.4}/CHANGELOG.md

@@ -12,6 +12,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+
+## [0.1.4](https://github.com/rvben/upd/compare/v0.1.3...v0.1.4) - 2026-04-28
+
+### Added
+
+- **discovery**: respect .gitignore for hidden ecosystem files and add --no-ignore ([bd44269](https://github.com/rvben/upd/commit/bd442692e4e7c5ab96e1163128ac8f274a771f30))
+
+## [0.1.3](https://github.com/rvben/upd/compare/v0.1.2...v0.1.3) - 2026-04-25
+
+### Added
+
+- **lock**: scope lockfile regeneration to the packages upd actually changed ([6b6cfa6](https://github.com/rvben/upd/commit/6b6cfa6fe3e8e8d787e78c7afea24883ebe67833))
+- **npm**: classify and rewrite comparator-range specs ([a60979a](https://github.com/rvben/upd/commit/a60979acd7edb7eb6adfac554a590412a6cf8271))
+
+### Fixed
+
+- **lock**: include config pins in targeted regenerate and update CLI help ([207fdf9](https://github.com/rvben/upd/commit/207fdf94af95c74865f828f258ec9cfa61d22085))
+- **npm**: preserve upper bound when pinning comparator-range specs ([fb7c863](https://github.com/rvben/upd/commit/fb7c863de9f07201af310ab13a59696d17fcb766))
+- **npm**: apply config policy and cooldown to comparator-range updates ([be095dd](https://github.com/rvben/upd/commit/be095dd30443dd547fb6913dae551cbd530cb019))
+- **npm**: update comparator-range specs via constraint-aware resolution ([4481b8b](https://github.com/rvben/upd/commit/4481b8bad6a02c6f761cf489a547b5546099e871))
+- **audit**: order fix versions numerically, not lexicographically ([069eb1d](https://github.com/rvben/upd/commit/069eb1dc8771640376957339e40ada7b60a82b0a))
+
 ## [0.1.2](https://github.com/rvben/upd/compare/v0.1.1...v0.1.2) - 2026-04-24
 
 ### Added

{upd_cli-0.1.2 → upd_cli-0.1.4}/Cargo.lock

@@ -2024,7 +2024,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.2"
+version = "0.1.4"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.1.2 → upd_cli-0.1.4}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.2"
+version = "0.1.4"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"

{upd_cli-0.1.2 → upd_cli-0.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.2
+Version: 0.1.4
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -46,7 +46,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -54,7 +57,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -758,6 +765,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |
@@ -767,6 +775,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.2 → upd_cli-0.1.4}/README.md

@@ -23,7 +23,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -31,7 +34,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -735,6 +742,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |
@@ -744,6 +752,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.2 → upd_cli-0.1.4}/src/audit/mod.rs

@@ -134,7 +134,7 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
             .vulnerabilities
             .iter()
             .filter_map(|v| v.fixed_version.as_deref())
-            .max_by(|a, b| compare_fix_versions(a, b));
+            .max_by(|a, b| crate::version::compare::compare_versions(a, b));
 
         if let Some(version) = max_fixed {
             fixable.insert(name.clone(), version.to_string());
@@ -144,44 +144,6 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
     (fixable, unfixable)
 }
 
-/// Compare two version strings for ordering, preferring semver but falling back
-/// to lexicographic comparison for non-semver ecosystems.
-fn compare_fix_versions(a: &str, b: &str) -> std::cmp::Ordering {
-    match (semver_parse(a), semver_parse(b)) {
-        (Some(va), Some(vb)) => va.cmp(&vb),
-        _ => a.cmp(b),
-    }
-}
-
-/// Parse a version string as semver, accepting an optional leading `v`.
-///
-/// Returns `(major, minor, patch, is_stable)` where `is_stable` is 1 for stable
-/// releases and 0 for pre-releases (e.g. `2.0.0-rc1`). This ensures stable
-/// versions beat pre-releases when all numeric components are equal.
-fn semver_parse(v: &str) -> Option<(u64, u64, u64, u8)> {
-    let v = v.trim_start_matches('v');
-    let parts: Vec<&str> = v.split('.').collect();
-    if parts.len() < 2 {
-        return None;
-    }
-    let major: u64 = parts[0].parse().ok()?;
-    let minor: u64 = parts[1].parse().ok()?;
-    // Patch may carry a pre-release or build suffix (e.g. "0-rc1", "3+build1").
-    // Take only the leading digit run so "0-rc1" → patch=0, rest="-rc1".
-    let patch_part = parts.get(2).copied().unwrap_or("0");
-    let (patch_digits, rest) = patch_part
-        .split_once(|c: char| !c.is_ascii_digit())
-        .unwrap_or((patch_part, ""));
-    let patch: u64 = if patch_digits.is_empty() {
-        0
-    } else {
-        patch_digits.parse().ok()?
-    };
-    // Stability flag: 1 = stable, 0 = pre-release. Stable wins ties.
-    let is_stable: u8 = if rest.is_empty() { 1 } else { 0 };
-    Some((major, minor, patch, is_stable))
-}
-
 /// Return a sort key for a severity string such that Critical sorts first.
 ///
 /// Lower numeric values sort earlier, so Critical = 0, Unknown = 5.
@@ -858,6 +820,43 @@ mod tests {
         assert_eq!(fixable.get("pkg").map(|s| s.as_str()), Some("2.10.0"));
     }
 
+    #[test]
+    fn test_compute_fix_plan_picks_numerically_highest_non_semver_fix() {
+        // Regression test for 4-segment versions (e.g. Ruby or multi-segment tags)
+        // where the legacy `semver_parse` dropped the 4th segment, making
+        // `1.0.0.10` and `1.0.0.9` compare equal. `max_by` then returned the
+        // *last* element, so the answer depended on fix_version ordering.
+        //
+        // The correct "minimum safe fix" must order by full numeric value.
+        let mut audit = AuditResult::default();
+        audit.vulnerable.push(PackageAuditResult {
+            package: Package {
+                name: "pkg".to_string(),
+                version: "1.0.0.1".to_string(),
+                ecosystem: Ecosystem::RubyGems,
+            },
+            vulnerabilities: vec![
+                Vulnerability {
+                    id: "CVE-A".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.10".to_string()),
+                },
+                Vulnerability {
+                    id: "CVE-B".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.9".to_string()),
+                },
+            ],
+        });
+
+        let (fixable, _) = compute_fix_plan(&audit);
+        assert_eq!(fixable.get("pkg").map(String::as_str), Some("1.0.0.10"));
+    }
+
     // ─── check_packages_cached unit tests ────────────────────────────────────
 
     fn sample_package(name: &str) -> Package {

{upd_cli-0.1.2 → upd_cli-0.1.4}/src/cli.rs

@@ -130,8 +130,9 @@ pub struct Cli {
 
     /// Regenerate lockfiles after updating.
     ///
-    /// Runs the appropriate lock command for each ecosystem (e.g. `poetry lock`,
-    /// `npm install`, `cargo update`).
+    /// Runs the narrowest per-ecosystem refresh command that updates only the
+    /// packages `upd` just rewrote (e.g. `cargo update -p <pkg>`,
+    /// `bundle lock --update <pkg>`, `npm install --package-lock-only`).
     #[arg(long, global = true)]
     pub lock: bool,
 
@@ -182,6 +183,15 @@ pub struct Cli {
         value_delimiter = ','
     )]
     pub packages: Vec<String>,
+
+    /// Disable .gitignore filtering and walk every dependency file in the tree.
+    ///
+    /// By default, `upd` honors `.gitignore`, `.git/info/exclude`, and the
+    /// global gitignore when discovering dependency files. Pass `--no-ignore`
+    /// to scan files git would ignore. Equivalent to `rg --no-ignore`.
+    /// Explicit file paths are always processed regardless of this flag.
+    #[arg(long = "no-ignore", global = true)]
+    pub no_ignore: bool,
 }
 
 #[derive(Subcommand)]
@@ -841,4 +851,27 @@ mod tests {
         assert_eq!(cli.min_age.as_deref(), Some("14d"));
         assert!(matches!(cli.command, Some(Command::Update { .. })));
     }
+
+    #[test]
+    fn test_cli_no_ignore_default_false() {
+        let cli = Cli::try_parse_from(["upd"]).unwrap();
+        assert!(!cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_parses() {
+        let cli = Cli::try_parse_from(["upd", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_is_global_across_subcommands() {
+        let cli = Cli::try_parse_from(["upd", "audit", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Audit { .. })));
+
+        let cli = Cli::try_parse_from(["upd", "align", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Align { .. })));
+    }
 }

{upd_cli-0.1.2 → upd_cli-0.1.4}/src/cooldown.rs

@@ -6,6 +6,7 @@ use anyhow::{Result, anyhow};
 use chrono::{DateTime, Duration, Utc};
 
 use crate::registry::VersionMeta;
+use crate::version::compare::compare_versions;
 
 /// Parse a cooldown duration string.
 ///
@@ -238,46 +239,6 @@ pub fn select(
     }
 }
 
-/// Version comparison: try semver first, fall back to numeric-aware segment
-/// comparison.
-///
-/// The fallback splits on `.` and `-` and compares integer segments as numbers
-/// (so `1.10 > 1.9` and `v0.10.0.0 > v0.9.0.0`). Lexicographic string compare
-/// would get those wrong, which breaks selection across non-strict-semver
-/// ecosystems like PyPI and multi-segment GitHub tags.
-fn compare_versions(a: &str, b: &str) -> std::cmp::Ordering {
-    let stripped_a = a.strip_prefix('v').unwrap_or(a);
-    let stripped_b = b.strip_prefix('v').unwrap_or(b);
-    if let (Ok(va), Ok(vb)) = (
-        semver::Version::parse(stripped_a),
-        semver::Version::parse(stripped_b),
-    ) {
-        return va.cmp(&vb);
-    }
-    compare_loose(stripped_a, stripped_b)
-}
-
-fn compare_loose(a: &str, b: &str) -> std::cmp::Ordering {
-    let mut a_parts = a.split(['.', '-']);
-    let mut b_parts = b.split(['.', '-']);
-    loop {
-        match (a_parts.next(), b_parts.next()) {
-            (None, None) => return std::cmp::Ordering::Equal,
-            (None, Some(_)) => return std::cmp::Ordering::Less,
-            (Some(_), None) => return std::cmp::Ordering::Greater,
-            (Some(x), Some(y)) => {
-                let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
-                    (Ok(nx), Ok(ny)) => nx.cmp(&ny),
-                    _ => x.cmp(y),
-                };
-                if ord != std::cmp::Ordering::Equal {
-                    return ord;
-                }
-            }
-        }
-    }
-}
-
 fn is_newer(candidate: &str, current: &str) -> bool {
     compare_versions(candidate, current) == std::cmp::Ordering::Greater
 }

{upd_cli-0.1.2 → upd_cli-0.1.4}/src/lib.rs

@@ -25,7 +25,9 @@ pub use registry::{
     GitHubReleasesRegistry, NpmRegistry, NuGetRegistry, PyPiRegistry, Registry, RubyGemsRegistry,
     TerraformRegistry, VersionMeta,
 };
-pub use updater::{FileType, Lang, UpdateResult, Updater, discover_files};
+pub use updater::{
+    DiscoverOptions, FileType, Lang, UpdateResult, Updater, discover_files, discover_files_with,
+};
 
 /// Determine the process exit code given the outcome of a run.
 ///