diff --git a/.bumpy/ci-check-comment-frog-images.md b/.bumpy/ci-check-comment-frog-images.md
deleted file mode 100644
index bfb5364..0000000
--- a/.bumpy/ci-check-comment-frog-images.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Rework CI check PR comment
-
-- Restyle with frog images matching the version PR description
-- Filter to only changesets added/modified in the PR, not all pending changesets
-- Add links to view diff and edit each changeset file on GitHub
-- Add "click to add changeset" link for GitHub's file creation UI
-- Detect package manager for correct CLI instructions
-- Fix comment update using correct REST API numeric IDs and stdin flag
diff --git a/.bumpy/clack-prompts.md b/.bumpy/clack-prompts.md
deleted file mode 100644
index 264597b..0000000
--- a/.bumpy/clack-prompts.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Revamp interactive prompts using `@clack/prompts` for a much nicer CLI UX.
-
-- `bumpy add` now uses arrow-key navigation, validation, grouped intro/outro framing, and a summary note
-- `bumpy migrate` cleanup prompt uses a spinner and intro/outro
-- Clean Ctrl-C / Esc cancellation on every prompt (no more stack traces)
-- Swapped `ansis` → `picocolors` to avoid bundling two color libraries
diff --git a/.bumpy/fix-tag-push-and-release.md b/.bumpy/fix-tag-push-and-release.md
deleted file mode 100644
index 8b520b1..0000000
--- a/.bumpy/fix-tag-push-and-release.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Fix git tag pushing and GitHub release creation
-
-- Use `git push --tags` instead of `--follow-tags` so lightweight tags are actually pushed to the remote
-- Pass `--target` commit SHA to `gh release create` as a fallback in case tags haven't propagated
diff --git a/.bumpy/fix-version-pr-ci-triggers.md b/.bumpy/fix-version-pr-ci-triggers.md
deleted file mode 100644
index 40ac948..0000000
--- a/.bumpy/fix-version-pr-ci-triggers.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Support custom token for triggering CI on version PRs
-
-- Add `BUMPY_GH_TOKEN` env var support — when set, bumpy pushes the version branch using the custom token, bypassing GitHub's anti-recursion guard so PR workflows fire automatically
-- Add `bumpy ci setup` interactive command to help create a fine-grained PAT or GitHub App and store it as a repo secret
-- When no custom token is set, log a warning with setup instructions
diff --git a/.bumpy/github-changelog-enhancements.md b/.bumpy/github-changelog-enhancements.md
deleted file mode 100644
index 787e61f..0000000
--- a/.bumpy/github-changelog-enhancements.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Enhance GitHub changelog formatter with PR/commit links and contributor attribution.
-
-- Add commit hash links alongside PR links in changelog entries
-- Add "Thanks @username!" attribution (matching `@changesets/changelog-github` format)
-- Add `internalAuthors` option to suppress thanks for team members
-- Support metadata overrides in changeset summaries (`pr:`, `commit:`, `author:` lines)
-- Linkify bare `#123` issue references in summary text
-- Auto-detect repo slug from `gh` CLI when not configured
diff --git a/.bumpy/security-audit.md b/.bumpy/security-audit.md
deleted file mode 100644
index 6e250f9..0000000
--- a/.bumpy/security-audit.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Security hardening: eliminate shell injection vulnerabilities across all CLI commands
-
-- Replace shell string interpolation with `execFile`-based argument arrays (`runArgs`/`runArgsAsync`) throughout the codebase, preventing command injection via branch names, PR numbers, config values, package names, and registry URLs
-- Add input validation for git branch names and PR numbers from environment variables
-- Remove broken `escapeShell` function in favor of shell-free execution
-- Use `sq()` single-quote escaping for template substitutions in user-defined publish commands
-- Restrict dynamic changelog formatter imports to paths within the project root
-- Reduce changeset filename collisions by using three-word random names
diff --git a/packages/bumpy/CHANGELOG.md b/packages/bumpy/CHANGELOG.md
index fed25bc..009e9fa 100644
--- a/packages/bumpy/CHANGELOG.md
+++ b/packages/bumpy/CHANGELOG.md
@@ -1,5 +1,43 @@
 # Changelog
 
+## 0.0.2
+
+_2026-04-15_
+
+- Security hardening: eliminate shell injection vulnerabilities across all CLI commands
+ - Replace shell string interpolation with `execFile`-based argument arrays (`runArgs`/`runArgsAsync`) throughout the codebase, preventing command injection via branch names, PR numbers, config values, package names, and registry URLs
+ - Add input validation for git branch names and PR numbers from environment variables
+ - Remove broken `escapeShell` function in favor of shell-free execution
+ - Use `sq()` single-quote escaping for template substitutions in user-defined publish commands
+ - Restrict dynamic changelog formatter imports to paths within the project root
+ - Reduce changeset filename collisions by using three-word random names
+- Fix git tag pushing and GitHub release creation
+ - Use `git push --tags` instead of `--follow-tags` so lightweight tags are actually pushed to the remote
+ - Pass `--target` commit SHA to `gh release create` as a fallback in case tags haven't propagated
+- Revamp interactive prompts using `@clack/prompts` for a much nicer CLI UX.
+ - `bumpy add` now uses arrow-key navigation, validation, grouped intro/outro framing, and a summary note
+ - `bumpy migrate` cleanup prompt uses a spinner and intro/outro
+ - Clean Ctrl-C / Esc cancellation on every prompt (no more stack traces)
+ - Swapped `ansis` → `picocolors` to avoid bundling two color libraries
+- Rework CI check PR comment
+ - Restyle with frog images matching the version PR description
+ - Filter to only changesets added/modified in the PR, not all pending changesets
+ - Add links to view diff and edit each changeset file on GitHub
+ - Add "click to add changeset" link for GitHub's file creation UI
+ - Detect package manager for correct CLI instructions
+ - Fix comment update using correct REST API numeric IDs and stdin flag
+- Enhance GitHub changelog formatter with PR/commit links and contributor attribution.
+ - Add commit hash links alongside PR links in changelog entries
+ - Add "Thanks @username!" attribution (matching `@changesets/changelog-github` format)
+ - Add `internalAuthors` option to suppress thanks for team members
+ - Support metadata overrides in changeset summaries (`pr:`, `commit:`, `author:` lines)
+ - Linkify bare `#123` issue references in summary text
+ - Auto-detect repo slug from `gh` CLI when not configured
+- Support custom token for triggering CI on version PRs
+ - Add `BUMPY_GH_TOKEN` env var support — when set, bumpy pushes the version branch using the custom token, bypassing GitHub's anti-recursion guard so PR workflows fire automatically
+ - Add `bumpy ci setup` interactive command to help create a fine-grained PAT or GitHub App and store it as a repo secret
+ - When no custom token is set, log a warning with setup instructions
+
 ## 0.0.1
 
 _2026-04-15_
diff --git a/packages/bumpy/package.json b/packages/bumpy/package.json
index cac1714..b663751 100644
--- a/packages/bumpy/package.json
+++ b/packages/bumpy/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@varlock/bumpy",
- "version": "0.0.1",
+ "version": "0.0.2",
 "description": "Modern monorepo versioning and changelog tool",
 "repository": {
 "type": "git",