Skip to content

chore: bump fallow from 2.103.0 to 3.2.0 in the js-tooling group across 1 directory#72

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-tooling-4482d7cb10
Closed

chore: bump fallow from 2.103.0 to 3.2.0 in the js-tooling group across 1 directory#72
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-tooling-4482d7cb10

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bumps the js-tooling group with 1 update in the / directory: fallow.

Updates fallow from 2.103.0 to 3.2.0

Release notes

Sourced from fallow's releases.

v3.2.0: configurable large-function threshold, surfaced in the health summary

Health: a configurable "function too big" threshold, surfaced in the summary

This release makes the unit-size (large-function) check configurable and reports the effective ceiling in the health output.

health.maxUnitSize: raise the large-function bar instead of switching it off

The line count at which a function is reported as an oversized "large function" was hardcoded to 60 LOC. That made test suites noisy: a describe() callback spans hundreds of lines, and each large it() body trips the threshold too. The only escape was health.ignore, which drops every health signal (complexity, CRAP, hotspots) for those files, so you lost complexity checking on your test code as well.

You can now raise the bar rather than turning it off:

  • Set a global health.maxUnitSize (default 60).
  • Or scope it to a glob with a per-file thresholdOverrides entry, for example { "files": ["**/*.test.*"], "maxUnitSize": 500 }. Leave functions empty so the override covers both the describe() wrapper and the individual it() blocks.

Complexity, cognitive, and CRAP findings on those files are unchanged. Like the existing maxCyclomatic / maxCognitive / maxCrap overrides, this filters the reported "large functions" list; the descriptive unit-size profile and the health score still reflect raw sizes (use health.ignore to remove a file from the score entirely). Resolved thresholds are inspectable via fallow config. Thanks @​digulla for the request. (Closes #1731)

The health JSON summary reports the effective unit-size threshold

The summary block on fallow health --format json already carried max_cyclomatic_threshold, max_cognitive_threshold, and max_crap_threshold, but not a unit-size sibling, so a consumer reading the summary to learn which thresholds a run uses saw only three of the four. It now also carries max_unit_size_threshold (the effective global health.maxUnitSize, default 60). The human report's "Large functions" section reflects the configured global instead of a static "60" when health.maxUnitSize is raised project-wide. This is an additive-required field matching the existing max*Threshold siblings; no change to the unit-size check itself. (Closes #1750)

Other changes

  • Reuse the audit analysis context in the programmatic API path for less redundant work per run.
  • Benchmark-harness coverage and CI sharding improvements (internal).

Full Changelog: fallow-rs/fallow@v3.1.0...v3.2.0

v3.1.0: dev-dependency-in-production rule, member tracing, conditional dynamic imports

Features

New rule: dev-dependency-in-production

The promote-side mirror of test-only-dependency and type-only-dependency. A package in devDependencies that a production (non-test, non-config) file imports at runtime is flagged so you can promote it to dependencies, because pnpm install --prod omits devDependencies and the import breaks in production.

Only imports from files reachable from a runtime entry point count as evidence, so repo tooling (scripts/, benchmarks, rollup-config chains) does not trigger it, and workspace-owned files are governed by their own manifest. Type-only production imports are not flagged, and a package also present in dependencies / peerDependencies / optionalDependencies is left alone. Defaults to warn; suppress a package via ignoreDependencies. Surfaces in human, JSON, SARIF, Code Climate, compact, and markdown output, in fallow explain, and as an LSP diagnostic.

Thanks @​CallumHoward for the implementation.

Trace tooling now covers class, enum, and store members

fallow dead-code --trace FILE:MEMBER previously errored export 'X' not found when pointed at a class member, so a member finding could not be debugged from the trace tool. On an export miss the trace now falls back to a member trace that names the owning class, reports its reachability and usage, lists who imports it, and points at the right --unused-class-members inspection command. The MCP trace_export tool and Code Mode return the same member trace in-process, so AI agents get parity with the CLI. Trace not-found errors across trace_export / trace_file / trace_clone now carry an actionable help pointer to the right discovery tool.

Bug fixes

Conditional and logical dynamic imports are now traced

import(cond ? './a' : './b') and import(x || './b') previously produced no module-graph edge, so every file reachable only through such an import (and its whole transitive subtree) was falsely reported as unused-files / unused-exports. Extraction now emits one edge per statically-resolvable branch, including parenthesized and no-substitution template forms, across all dynamic-import shapes: bare expressions, const x = await import(...) declarations, .then() callbacks, React.lazy / next/dynamic arrow wrappers, and Angular/Vue route loadComponent / component callbacks. Genuinely runtime arguments (import(someVar)) still yield no edge, and repeated literals across branches deduplicate to a single edge.

Thanks @​Jerc92 for the contribution.

... (truncated)

Changelog

Sourced from fallow's changelog.

[3.2.0] - 2026-07-05

Added

  • The fallow health JSON summary now reports the effective unit-size threshold. summary on fallow health --format json already carried max_cyclomatic_threshold, max_cognitive_threshold, and max_crap_threshold, but not a unit-size sibling, so a consumer reading the summary to learn which thresholds a run uses saw only three of the four. It now also carries max_unit_size_threshold (the effective global health.maxUnitSize, default 60), and the human report's "Large functions" section reflects the configured global instead of a static "60" when health.maxUnitSize is raised project-wide. Additive-required field matching the existing max*Threshold siblings; no change to the unit-size check itself. (Closes #1750)

  • New health.maxUnitSize threshold for the "function too big" (unit-size) check, configurable globally and per file. Previously the line-count at which a function is reported as an oversized "large function" was hardcoded to 60 LOC with no way to change it, so test suites reported many large functions: a describe() block's callback spans hundreds of lines, and each big it() body trips the threshold too. The only workaround was health.ignore, which drops every health signal (complexity, CRAP, hotspots) for those files, so you also lost complexity checking on your test code. You can now raise the bar instead of switching it off: set a global health.maxUnitSize (default 60), or scope it to a glob with a per-file thresholdOverrides entry, e.g. { "files": ["**/*.test.*"], "maxUnitSize": 500 }. Leave functions empty so the override covers both the describe() wrapper and the individual it() blocks. Complexity, cognitive, and CRAP findings on those files are unchanged. Like the existing maxCyclomatic / maxCognitive / maxCrap overrides, this filters the reported "large functions" list; the descriptive unit-size profile and the health score still reflect raw sizes (use health.ignore to remove a file from the score entirely). Functions within their effective ceiling are simply omitted from the large_functions JSON array; the resolved thresholds are inspectable via fallow config. Thanks @​digulla for the request. (Closes #1731)

[3.1.0] - 2026-07-05

Added

  • New dev-dependency-in-production rule (promote-side dependency drift). Fallow already flagged production dependencies that belong in devDependencies (test-only-dependency, type-only-dependency); the new rule is the mirror that catches the opposite drift. A package in devDependencies that is imported by production (non-test, non-config) source code via a runtime/value import is flagged so it can be promoted to dependencies: a production-only install (pnpm install --prod) omits

... (truncated)

Commits
  • 0d56827 chore: release v3.2.0
  • afa3c17 fix(health): pluralize the large-functions unit-size footer (#1753)
  • 185c6a7 feat(health): expose max unit size threshold in summary
  • 47220ee ci: shard benchmarks by affected component
  • 9dc768e perf: broaden codspeed benchmark coverage
  • 1d14a77 feat(health): add maxUnitSize threshold override for the large-function check...
  • c6bbfa3 docs: align benchmark file count
  • ede3bcd docs: correct benchmark ratio claims
  • d461313 chore: guard benchmark harness drift
  • 9ea521d chore: stabilize codspeed benchmark shards
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 12, 2026
@codspeed-hq

codspeed-hq Bot commented Jul 12, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 188 untouched benchmarks
⏩ 76 skipped benchmarks1


Comparing dependabot/npm_and_yarn/js-tooling-4482d7cb10 (be7cd81) with main (001a973)

Open in CodSpeed

Footnotes

  1. 76 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

Bumps the js-tooling group with 1 update in the / directory: [fallow](https://github.com/fallow-rs/fallow).


Updates `fallow` from 2.103.0 to 3.2.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.103.0...v3.2.0)

---
updated-dependencies:
- dependency-name: fallow
  dependency-version: 3.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: js-tooling
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore: bump fallow from 2.103.0 to 3.1.0 in the js-tooling group chore: bump fallow from 2.103.0 to 3.2.0 in the js-tooling group across 1 directory Jul 13, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-tooling-4482d7cb10 branch from 980c24b to be7cd81 Compare July 13, 2026 13:41
@dependabot @github

dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/js-tooling-4482d7cb10 branch July 14, 2026 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant