chore: version packages #918
Open
github-actions[bot] wants to merge 1 commit into
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
deslop-cli@0.5.9
Patch Changes
#936
ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.
The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.
Updated dependencies [ba2af1b, 7f9e7f4]:
deslop-js@0.5.9
Patch Changes
#936
ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.
The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.
#916
7f9e7f4 Thanks @rayhanadev! - Rework unused-dependency detection to lean on real package metadata instead of hand-maintained whitelists.
bin is routinely invoked outside what a static scan can see (Makefiles, CI, git hooks, ad-hoc npx), so it's no longer flagged just because no package.json script names the binary. Empty bin fields (""/{}) don't count.
node_modules metadata: the binary→package map (CLI_BINARY_TO_PACKAGE + the babel/jest/remark fallbacks), the env-wrapper binary set, the static peer-dependency map, and the implicit-companion map. With dependencies installed (the normal scan condition) detection is unchanged — a package's real bin and peerDependencies cover what the tables used to hardcode.
Trade-off: when scanning without node_modules, a CLI dependency whose binary name differs from its package name (e.g. vp → vite-plus) can no longer be resolved from scripts, and a few heuristic peer relationships that aren't declared peerDependencies (e.g. @hookform/resolvers → zod) are no longer inferred. The always-used lists for tooling that can't be detected statically (typescript, eslint, @types/*, eslint-plugin-*, …) are unchanged.
eslint-plugin-react-doctor@0.5.9
Patch Changes
#936
ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.
The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.
#958
c72b560 Thanks @aidenybai! - Fix jsx-key's spread-overwrites-key check to key off the spread's position. A {...spread} can only clobber an explicit key when it appears after the key — the later attribute wins under the classic runtime ({ key, ...spread }) and React falls back to createElement under the automatic runtime, so the later spread wins there too. The rule now reports <App key="x" {...spread} /> (and the sandwiched <App {...a} key="x" {...b} />) and stays silent on <App {...spread} key="x" />, which previously produced a false positive. Spreads of object literals that provably carry no key (e.g. {...{}}, {...{ className }}) are never treated as overwriting.
Updated dependencies [ba2af1b, c72b560]:
oxlint-plugin-react-doctor@0.5.9
Patch Changes
#936
ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.
The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.
#958
c72b560 Thanks @aidenybai! - Fix jsx-key's spread-overwrites-key check to key off the spread's position. A {...spread} can only clobber an explicit key when it appears after the key — the later attribute wins under the classic runtime ({ key, ...spread }) and React falls back to createElement under the automatic runtime, so the later spread wins there too. The rule now reports <App key="x" {...spread} /> (and the sandwiched <App {...a} key="x" {...b} />) and stays silent on <App {...spread} key="x" />, which previously produced a false positive. Spreads of object literals that provably carry no key (e.g. {...{}}, {...{ className }}) are never treated as overwriting.
react-doctor@0.5.9
Patch Changes
#936
ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.
The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.
#941
5774deb Thanks @rayhanadev! - Speed up cold scans and bound dead-code memory on multi-project workspaces.
#929
5f2bd72 Thanks @skoshx! - fix: validate string array config fields (projects, textComponents, etc.)
Non-string entries in config.projects caused selectProjects to crash with requestedName.trim is not a function. The validator now filters non-string entries from projects, textComponents, rawTextWrapperComponents, and serverAuthFunctionNames with warnings instead of crashing.
Fixes #921 (Sentry REACT-DOCTOR-1R)
#940
441e6af Thanks @rayhanadev! - Stop a scan from crashing when a git subprocess fails synchronously (fixes REACT-DOCTOR-1E, REACT-DOCTOR-1P, REACT-DOCTOR-20). Unlike a missing binary (ENOENT, which arrives on the catchable 'error' event), child_process.spawn throws synchronously when the working directory isn't a directory (ENOTDIR) or the argument list exceeds the OS command-line limit (ENAMETOOLONG — e.g. --scope lines on a 1,000+-file diff on Windows). That throw escaped Effect's error channel entirely and took down the whole scan (reported to Sentry as a raw spawn error). The git runner now pre-flights both conditions and fails on its normal channel, so the existing fallbacks recover instead: a bad working directory degrades like an unavailable git, and an over-long --scope lines diff degrades to file-level scope.
#934
970babc Thanks @skoshx! - Fix --project resolution when scanning from within a project directory whose basename matches the requested project name.
When running react-doctor from a subdirectory (e.g., apps/website) and passing --project website, the CLI now correctly recognizes that the current directory is the requested project instead of failing with "Project 'website' is not a directory under /path/to/apps/website."
This affects users who scan a single (non-workspace) project directory and pass that directory's own name as the project — e.g. directory: apps/website together with --project website (or projects: ["website"] in config). The * ("all projects") default is unaffected: it short-circuits to the root directory and never goes through name resolution.
#938
229ea2e Thanks @skoshx! - fix(staged): log warning when getStagedSourceFiles encounters git errors
When git commands fail (missing git binary, corrupted repo, permission errors), getStagedSourceFiles now logs a warning message showing the error instead of silently returning an empty array. This makes --staged failures much easier to debug while still gracefully degrading.
#930
ea4d9af Thanks @skoshx! - Degrade gracefully when git is unavailable or diff base ref is missing (fixes REACT-DOCTOR-F, REACT-DOCTOR-1K, REACT-DOCTOR-14, REACT-DOCTOR-22). CI containers without git installed and shallow clones missing the diff base ref now fall back to a full scan with a clear warning instead of crashing and reporting to Sentry.
#926
b8188e0 Thanks @skoshx! - Fix react-doctor install crashes on pre-existing malformed/conflicting agent config. The install command now handles three user-environment failure modes gracefully with clear error messages instead of unhandled exceptions:
~/.claude/settings.json or ~/.cursor/hooks.json (REACT-DOCTOR-25)
~/.claude/skills or parent paths (REACT-DOCTOR-17)
These errors are now treated as expected user-environment conditions (not react-doctor bugs) and surface actionable messages without Sentry reports.
#939
986557d Thanks @rayhanadev! - Align react-doctor install's agent selection with the Vercel skills CLI so it stops scattering skill directories across your project. The prompt previously detected every agent with a config dir anywhere in $HOME (~/.codebuddy, ~/.crush, ~/.goose, ~/.kilocode, …) and pre-selected all of them, so a single Enter copied .codebuddy/, .crush/, .goose/, … into the project root.
Now, following that CLI's heuristic, the default selection is:
skills' lastSelectedAgents lock), else
claude-code, cursor, codex, opencode), else
Every detected agent is still shown so the rest are one keystroke away; they're just no longer pre-checked. A non-interactive run (--yes / CI) still installs to all detected agents, matching skills' --yes.
#944
0c19858 Thanks @rayhanadev! - Organize the per-scan Sentry "wide event" under dotted namespaces. The root-span attributes had accreted into a flat, half-namespaced set (~50 keys, most bare); each now carries a namespace matching its concept — scan.* (config + scan.fileCount), action.* (CI/action knobs), outcome.* (verdict), diag.* (findings), score.*, lint.*, deadCode.*, supplyChain.*, timing.* — alongside the already-namespaced migration.* / baseline.*. Applied via a single withNamespace helper so the prefix lives in one place instead of being hand-spelled per key. Pure rename: value types are preserved (numbers stay numeric so p75/avg keep working) and the keys stay filter-/group-/aggregate-able in Sentry's Spans dataset. Run/project base tags and all metrics are unchanged.
#917
7a673d2 Thanks @rayhanadev! - Remember the post-scan "What would you like to do next?" pick. The interactive handoff prompt now pre-selects whatever the user chose last (an agent, "copy to clipboard", or "skip"), so the common "always hand off to the same agent" path is a single Enter. The choice is remembered per user in the existing CLI state file via a new Preference lifecycle primitive; a remembered agent that's since been uninstalled falls back to highlighting the first option, and pressing Esc leaves the prior preference untouched.
#928
734c564 Thanks @skoshx! - Stop reporting unactionable environment errors to Sentry. A narrow set of filesystem conditions react-doctor cannot fix — a full disk (ENOSPC), a failing or read-only disk (EIO/EROFS), denied permissions (EACCES/EPERM), a path blocked by a file (ENOTDIR), or a missing binary (spawn … ENOENT) — now exit cleanly with an actionable message instead of crashing with a stack trace and appearing as product defects in Sentry. The set is deliberately narrow: codes that usually indicate a react-doctor bug (a missing file we expected, or an over-long argv such as ENAMETOOLONG) keep reaching Sentry. A low-cardinality cli.env_error metric, keyed by code, tracks how often these occur without inflating the crash dashboard. Closes REACT-DOCTOR-13, REACT-DOCTOR-1V, REACT-DOCTOR-24.
Updated dependencies [ba2af1b, c72b560, 7f9e7f4]:
@react-doctor/api@0.5.9
Patch Changes
5f2bd72, 441e6af, c2ce298, ea4d9af]:
@react-doctor/core@0.5.9
Patch Changes
#929
5f2bd72 Thanks @skoshx! - fix: validate string array config fields (projects, textComponents, etc.)
Non-string entries in config.projects caused selectProjects to crash with requestedName.trim is not a function. The validator now filters non-string entries from projects, textComponents, rawTextWrapperComponents, and serverAuthFunctionNames with warnings instead of crashing.
Fixes #921 (Sentry REACT-DOCTOR-1R)
#940
441e6af Thanks @rayhanadev! - Stop a scan from crashing when a git subprocess fails synchronously (fixes REACT-DOCTOR-1E, REACT-DOCTOR-1P, REACT-DOCTOR-20). Unlike a missing binary (ENOENT, which arrives on the catchable 'error' event), child_process.spawn throws synchronously when the working directory isn't a directory (ENOTDIR) or the argument list exceeds the OS command-line limit (ENAMETOOLONG — e.g. --scope lines on a 1,000+-file diff on Windows). That throw escaped Effect's error channel entirely and took down the whole scan (reported to Sentry as a raw spawn error). The git runner now pre-flights both conditions and fails on its normal channel, so the existing fallbacks recover instead: a bad working directory degrades like an unavailable git, and an over-long --scope lines diff degrades to file-level scope.
#927
c2ce298 Thanks @skoshx! - Fix crash when disable comments contain Object.prototype keys (constructor, toString, valueOf, etc.)
Resolves REACT-DOCTOR-1Y and fixes #920.
The suppression near-miss detector would crash with TypeError: bareRuleKey.includes is not a function when an eslint-disable or oxlint-disable comment contained a token matching an Object.prototype member name. Indexing the LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY lookup map with such a token returned an inherited method (which the ?? fallback let through), so canonicalizeRuleKey now guards the lookup with a typeof check and only treats the result as an alias when it is a string.
#930
ea4d9af Thanks @skoshx! - Degrade gracefully when git is unavailable or diff base ref is missing (fixes REACT-DOCTOR-F, REACT-DOCTOR-1K, REACT-DOCTOR-14, REACT-DOCTOR-22). CI containers without git installed and shallow clones missing the diff base ref now fall back to a full scan with a clear warning instead of crashing and reporting to Sentry.
Updated dependencies [ba2af1b, c72b560, 7f9e7f4]:
@react-doctor/language-server@0.5.9
Patch Changes
5f2bd72, 441e6af, c2ce298, ea4d9af]:
Note
Medium Risk
The diff is release metadata, but 0.5.9 bundles many runtime behavior changes (git fallbacks, install defaults, deslop unused-dep heuristics, license notice) that can affect CI scans and dependency findings across consumers.
Overview
Automated Changesets release that bumps the monorepo from 0.5.8 → 0.5.9, removes consumed .changeset/* entries, and records the release notes in each package CHANGELOG.md/package.json.
This PR does not change application source; it publishes the accumulated patch work already merged to main. Highlights in 0.5.9:
License & distribution: MIT with FSL-style additional terms (no AI training / commercial resale without permission; restrictions sunset per version after two years). Each tarball ships an up-to-date LICENSE. The CLI prints a one-time notice when it detects an AI/ML training or agent sandbox.
CLI reliability & UX: Graceful degradation when git is missing or the diff base is unreachable; git spawn preflight for ENOTDIR/ENAMETOOLONG; warnings instead of silent empty results for --staged git failures; narrow handling of unactionable env errors (ENOSPC, EACCES, ENOENT, …) without Sentry noise; react-doctor install handles malformed agent JSON, blocked paths, and permission errors; install agent defaults aligned with Vercel skills (remembered / curated agents, not every detected home dir); remembered post-scan handoff choice; --project works when cwd basename matches the project name.
Scan performance: Security content-regex scan overlaps lint on a yielding background fiber (~30% faster cold scans, same diagnostics); dead-code worker concurrency capped by memory on multi-project workspaces.
Core: Config string-array fields (projects, textComponents, …) filter non-strings with warnings; canonicalizeRuleKey safe against Object.prototype tokens in disable comments.
Rules / deslop: jsx-key spread-overwrites-key respects attribute order; unused-deps detection uses real bin/peerDependencies metadata (fewer false positives with node_modules, weaker heuristics without).
Telemetry: Sentry wide-event span attributes renamed under dotted namespaces (scan.*, lint.*, …) via withNamespace — values unchanged.
Reviewed by Cursor Bugbot for commit b241376. Bugbot is set up for automated code reviews on this repo.
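The Object.prototype lookup crash described in the #927 entry, reproduced as an added example that is not react-doctor source or part of the PR description. The alias entry, the sample comment and every function name here are constructed for illustration; only the `typeof` guard follows what the changelog says the fix does.

```javascript
// Added illustration, not react-doctor source. The alias entry and the
// sample comment are constructed; function names are hypothetical.
const LEGACY_TO_NATIVE = { "no-danger": "react-doctor/no-danger" };

// Before: a plain object inherits from Object.prototype, so a token such as
// "constructor" resolves to an inherited function and `??` lets it through.
function canonicalizeUnsafe(token) {
  return LEGACY_TO_NATIVE[token] ?? token;
}

// After, as the changelog describes: accept the lookup only when it is a string.
function canonicalizeGuarded(token) {
  const alias = LEGACY_TO_NATIVE[token];
  return typeof alias === "string" ? alias : token;
}

// Alternative hardening: a null-prototype table has no inherited members at all.
const NULL_PROTO_TABLE = Object.assign(Object.create(null), LEGACY_TO_NATIVE);
function canonicalizeNullProto(token) {
  return NULL_PROTO_TABLE[token] ?? token;
}

// Pull rule tokens out of an eslint-disable / oxlint-disable comment and
// canonicalize each one. `.includes` is where a non-string result blows up.
function ruleKeysFromComment(comment, canonicalize) {
  const match = /(?:eslint|oxlint)-disable(?:-next-line|-line)?\s+(.+)/.exec(comment);
  if (!match) return [];
  return match[1]
    .split(",")
    .map((token) => token.trim())
    .filter(Boolean)
    .map((token) => {
      const key = canonicalize(token);
      return { token, key, namespaced: key.includes("/") };
    });
}

// Returns the error message if canonicalization crashes, otherwise null.
function crashMessage(comment, canonicalize) {
  try {
    ruleKeysFromComment(comment, canonicalize);
    return null;
  } catch (error) {
    return error instanceof TypeError ? error.message : String(error);
  }
}

// Constructed input: one real alias plus two Object.prototype member names.
const SAMPLE = "// eslint-disable-next-line no-danger, constructor, __proto__";
console.log(crashMessage(SAMPLE, canonicalizeUnsafe));
console.log(ruleKeysFromComment(SAMPLE, canonicalizeGuarded));
```

The same failure applies to any lookup table keyed by text taken from source files or config, so a `Map` or a null-prototype object is the safer default for such tables.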