Releases: vcode-sh/depfresh
v1.0.0
depfresh 1.0.0
The "it's either 1.0 or therapy" release.
Full taze backlog audit done. Every claim backed by code and tests. 624 tests passing across 82 test files. Docs rewritten by someone who's read them. If you've been waiting for the "stable enough to bet on" signal — this is it.
Install
npx depfresh
pnpm dlx depfresh
bunx depfreshWhat's New
GitHub Dependencies
github:owner/repo#tag dependencies now resolve, check, and write like first-class citizens. Protocol-preserving rewrites keep your refs/tags/ and v prefix style intact. Because someone had to finish what taze started.
Coverage Matrix
Every open taze issue and PR tracked with shipped / partial / missing status and evidence links. Receipts, not promises. See docs/compare/coverage-matrix.md.
Peer Catalog Semantics
peers catalogs in pnpm workspaces are now skipped by default. Pass --peer to include them. Previously they'd sneak in uninvited, like a dependency you didn't ask for at a party you didn't want to attend.
Documentation Overhaul
README trimmed to something a human might actually read. Taze comparisons consolidated. Every doc page reviewed for accuracy and tone. Bun catalog docs corrected.
Fixes
- GitHub API rate-limit detection with reset-time hints and
GITHUB_TOKEN/GH_TOKENguidance - Protocol-preserving writes for GitHub refs
- Consistent alias metadata across npm/jsr/github protocol parsing
The Numbers
| depfresh 1.0.0 | |
|---|---|
| Tests | 624 passing |
| Test files | 82 |
| Build size | 155 KB |
| Lint | Clean |
| TypeScript | Strict, clean |
| Range modes | 7 (default, major, minor, patch, latest, newest, next) |
| Package managers | npm, pnpm, bun, yarn |
| Workspace catalogs | pnpm, bun, yarn |
Breaking Changes
None. Your 0.11.x configs, flags, and workflows carry over unchanged. 1.0.0 marks stability, not a contract reset.
Migration from taze
# it's literally this
npm install -g depfresh
depfreshFull migration guide: docs/compare/from-taze.md
MIT — Vibe Code
Full Changelog: v0.11.1...v1.0.0
v0.11.1
The "your help command wasn't helping" patch. bunx depfresh help blew up with a mode validation error because help leaked through as a positional arg. Belt-and-suspenders fix.
Fixed
bunx depfresh helpcrash —helpas positional arg now caught in the run handler as a fallback when raw-args normalization is bypassed. Shows usage and exits cleanly instead of throwingInvalid value for --mode: "help".
Full Changelog: v0.11.0...v0.11.1
Full Changelog: v0.11.0...v0.11.1
v0.11.0
The "close every gap or shut up" release. Ran a full codebase audit against taze, found 5 gaps, closed all 5 in one pass. Verified with real code inspection, runtime test runs, and CLI smoke checks on actual repos. Not vibes. Not a roadmap. Shipped code with 598 passing tests.
Added
- Addon/plugin system — first-class
addonswith deterministic lifecycle ordering, async hooks, and per-package write veto. Failures surface asAddonError(ERR_ADDON) with addon name + hook metadata. package.yamlsupport — full pipeline: discovery, resolve, write. Bothpackage.jsonandpackage.yamlload, with deterministic same-directory precedence (YAML wins). Overrides,pnpm.overrides,packageManager, protocol-preserving rewrites, CRLF/trailing-newline preservation — all work.--global-all— scans npm + pnpm + bun global packages in one run. Dedupes by package name, maps write targets back to every matching manager.--ignore-paths— exclude directories from package discovery.--refresh-cache/--no-cache— explicit cache bypass without overloading--forcesemantics. Fresh registry metadata, no guessing.
Fixed
.npmrctransport fidelity — registry requests now actually useproxy,https-proxy,strict-ssl, andcafileviaundicitransport. Previously parsed, politely ignored.- Non-transient transport failures fail fast — broken
cafilepaths no longer waste retry attempts.ResolveErrorimmediately. - JSON output cleaned —
--output jsonforces silent logging. No ANSI cursor restore leaking into stdout in non-TTY.
Changed
- Docs parity — all new flags documented in README, CLI reference, and configuration docs.
Stats
- 60 new tests (538 → 598). 77 test files. Build, typecheck, lint clean.
Full Changelog: v0.10.1...v0.11.0
Full Changelog: v0.10.1...v0.11.0
v0.10.1
The "your age column was a decoration" patch.
Fixed
- Empty age column -- switched from abbreviated npm metadata to full metadata. The
timefield actually exists now, so the age column shows~1d,~2moinstead of blank stares. - Provenance detection -- now handles both
hasSignatures(abbreviated) anddist.signatures[](full metadata) formats.
Added
depfresh help-- normalised to--helpinstead of failing enum validation. For people who typehelplike a normal human.
538 tests. See CHANGELOG.md for details.
Full Changelog: v0.10.0...v0.10.1
v0.10.0
The "contracts are contracts, not vibes" release.
Tightened CLI behavior so invalid inputs fail fast, made machine output explicit enough for automation that doesn't enjoy guesswork, and stopped pretending SARIF existed when it didn't. Then went back and made the whole thing properly agent-friendly because half-measures are for people who commit on Fridays.
See CHANGELOG.md for the full breakdown.
Highlights
- Structured JSON errors —
--output jsonfailures now return proper JSON witherror.code,error.retryable, andmeta. No more parsing stderr plaintext. - Non-TTY stderr hint — agents get a breadcrumb pointing to
--output jsonand--help-jsonautomatically. - Resolution errors in JSON envelope — failed deps surface in
errors[]instead of vanishing silently. - Enhanced
--help-json— now includesversion,workflows(4 agent recipes),flagRelationships,configFiles, andjsonOutputSchema. - Strict enum validation — invalid
--mode,--output,--sort,--loglevelvalues hard-fail with exit code 2. - SARIF removed — was never implemented. Claiming otherwise was trust debt.
537 tests. Build, typecheck, lint clean.