fix: honest no-bump CI comment + bundled-dependency awareness (#117) #120
Merged
Closes #117. ci check: when the check fails because changed packages lack a bump file, the PR comment no longer says "you're good to go" (which contradicted the exit-1 status). It now matches the failing status, lists the uncovered packages, and points at an empty bump file (`bumpy add --empty`) to acknowledge an intentional no-release. In --no-fail mode the check passes, so the friendly wording is kept. bundledDependencies: a new per-package option listing workspace deps baked into a package's published output (commonly under devDependencies when inlined by a bundler). Any bump to a listed dep republishes the bundling package with a patch bump — shorthand for a cascadeFrom rule of { trigger: 'patch', bumpAs: 'patch' }. An explicit cascadeFrom for the same source takes precedence (e.g. bumpAs: 'match' for proportional bumps).
When package.json is the only changed file in a package, diff it against the base branch and only require a bump file if a publish-affecting field changed. The new `ignoredPackageJsonFields` config (default ["devDependencies"]) lists fields whose change alone doesn't count — so a dev-only dependency bump (e.g. Dependabot) no longer requires a bump file. Composes with bundledDependencies: a changed devDependencies entry that matches the package's bundledDependencies still flags the package, since it ships in the published output. Errs toward requiring a bump file when it can't compare cleanly (new/unparseable package.json). This resolves the root of #117 — the original dependency-only PR now passes without a bump file, instead of failing with a contradictory "you're good to go" comment.
Explain that bundledDependencies is one declaration driving two behaviors — cascade on the dep's own release (internal workspace deps only) and change-detection flagging when its range is edited (any dep). Add an explicit "internal workspace deps: bundled vs not" note, since that's the knob for which devDependencies affect published output. Rename the heading and fix the inbound anchor links.
The changes in this PR will be included in the next version bump.
bumpy has no runtime `dependencies` — its libs (@clack/prompts, js-yaml, picocolors, picomatch, semver) live in devDependencies and tsdown inlines them into the published output. With field-aware change detection, a dependency-only bump to one of these would otherwise pass without a bump file even though it ships to consumers. Mark them as bundledDependencies so such updates correctly require a release.
Explain the bundler mechanism explicitly (a build step inlines imports into dist/), why bundled deps live in devDependencies, and the no-runtime-dependencies extreme (as bumpy itself is built with tsdown). Name the common bundlers in both the configuration and propagation docs.
The option marks devDependencies that affect published output and so should trigger a release — bundling is the common reason but not the only one (committed codegen output, re-exported types). The new name describes the behavior rather than one cause, and avoids colliding with npm's own `bundledDependencies` package.json field (different mechanism). Unreleased, so renamed in place — no deprecation needed. Renames the config option, schema, internal helpers, docs (incl. heading + anchors), tests, and bumpy's own self-marking config.
"Triggering" names the behavior unambiguously — a change to one of these devDependencies triggers a release (and the dep's own release cascades) — avoiding the "deps used to perform a release" misreading of the bare "release" adjective. Updates the option, schema, internal helpers, docs (heading "Release-triggering devDependencies" + anchors), tests, and bumpy's own self-marking config.
Closes #117.

Background

`bumpy ci check` could post a PR comment saying "…you're good to go" while the same run exited 1 — a Dependabot PR that only touched `devDependencies` flagged the package as changed (any `package.json` edit counted), so with no bump file the check failed yet the comment said the opposite.

Fixing that surfaced a deeper point (discussed on the issue): the "`devDependencies` don't affect output" assumption breaks for bundled runtime deps (inlined by esbuild/tsup/rollup), which are commonly declared under `devDependencies`. This PR addresses both.

Changes

1. Honest no-bump-files comment (cc5ff59)

When the check fails because changed packages lack a bump file, the comment now matches the failing status: it drops "you're good to go", lists the uncovered packages, and points at `bumpy add --empty` to acknowledge an intentional no-release. In `--no-fail` mode (which passes) the friendly wording is kept.

2. `bundledDependencies` per-package option (cc5ff59)

Names/globs of deps baked into a package's published output. One declaration of intent ("this dep ships in my output") that drives two behaviors:

`cascadeFrom` with `{ trigger: 'patch', bumpAs: 'patch' }`; an explicit `cascadeFrom` for the same source wins, e.g. `bumpAs: 'match'` for proportional bumps).

3. Field-aware `package.json` change detection (2f8360d)

When `package.json` is the only changed file in a package, bumpy now diffs it against the base branch and only requires a bump file if a publish-affecting field changed. New `ignoredPackageJsonFields` config (default `["devDependencies"]`) controls which fields are ignored. Composes with `bundledDependencies`: a changed `devDependencies` entry matching the package's `bundledDependencies` still flags the package (internal or external dep). Errs toward requiring a bump file when it can't compare cleanly (new/unparseable `package.json`). This resolves the root of #117 — the original dependency-only PR now simply passes.

4. Docs (7d8a2bc + earlier)

`configuration.md` (new "Change detection" + "Bundled dependencies" sections, `ignoredPackageJsonFields` / `bundledDependencies` table rows), `version-propagation.md` footnote, and `config-schema.json`.

Tests

21 new tests across 3 files; full suite 318 pass / 0 fail, tsc clean.

- `ci-no-bump-comment.test.ts` — comment wording/frog for passing vs failing
- `release-plan-bundled-deps.test.ts` — cascade behavior, in-range cascade, globs, `cascadeFrom` precedence
- `check-pkgjson-fields.test.ts` — real-git integration: devDeps-only passes, runtime/metadata/exports flag, bundled (external) devDep flags, config override

Dogfooded: `bumpy check` passes on this branch; bump file → `@varlock/bumpy` 1.15.0 (minor).
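
The field-aware check from item 3, including its composition with `bundledDependencies` and the fail-closed case, sketched as an added example (not bumpy's code and not part of this PR). The function names, the reason strings, the simplified `*` glob matcher and the sample manifests are assumptions; the option names are the ones used in the PR description, which later commits on this page rename.

```typescript
// Added example; not bumpy's source. Option names follow the PR description.
type Json = { [key: string]: unknown };
interface DetectOptions {
  ignoredPackageJsonFields?: string[]; // PR default: ["devDependencies"]
  bundledDependencies?: string[]; // names or "*" globs (simplified matcher)
}

// Constructed sample: a dependency-update PR that only edits devDependencies.
const SAMPLE_BASE = '{"name":"pkg","version":"1.0.0","devDependencies":{"semver":"^7.6.0","typescript":"^5.4.0"}}';
const SAMPLE_HEAD = '{"name":"pkg","version":"1.0.0","devDependencies":{"semver":"^7.6.3","typescript":"^5.4.0"}}';

function asMap(value: unknown): Json | null {
  return typeof value === "object" && value !== null && !Array.isArray(value) ? (value as Json) : null;
}

// null means "missing or unparseable", which the caller treats as uncomparable.
function parseManifest(text: string | null): Json | null {
  if (text === null) return null;
  try { return asMap(JSON.parse(text)); } catch { return null; }
}

// Hypothetical minimal glob: only "*" is special.
function matchesGlob(pattern: string, name: string): boolean {
  const source = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + source + "$").test(name);
}

function unionKeys(a: Json, b: Json): string[] {
  return Object.keys(a).concat(Object.keys(b).filter((k) => !(k in a)));
}

// Returns why a bump file is required; an empty array means none is needed.
function bumpReasons(baseText: string | null, headText: string, opts: DetectOptions = {}): string[] {
  const ignored = opts.ignoredPackageJsonFields ?? ["devDependencies"];
  const bundled = opts.bundledDependencies ?? [];
  const base = parseManifest(baseText);
  const head = parseManifest(headText);
  // Fail closed: a new or unparseable package.json cannot be compared.
  if (base === null || head === null) return ["cannot compare package.json"];
  const reasons: string[] = [];
  for (const field of unionKeys(base, head)) {
    if (JSON.stringify(base[field]) === JSON.stringify(head[field])) continue;
    if (ignored.indexOf(field) === -1) { reasons.push("field changed: " + field); continue; }
    // Ignored field: entries that ship in the published output still count.
    const before = asMap(base[field]) ?? {};
    const after = asMap(head[field]) ?? {};
    for (const dep of unionKeys(before, after)) {
      if (before[dep] !== after[dep] && bundled.some((p) => matchesGlob(p, dep))) reasons.push("bundled dep changed: " + dep);
    }
  }
  return reasons;
}
```

With the default options the sample PR needs no bump file; declaring `semver` as bundled makes the same diff require one.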