chore: version packages#603
Merged
Merged
Conversation
github-actions
Bot
force-pushed
the
changeset-release/main
branch
30 times, most recently
from
a041bf5 to
c9ba5e1
Compare
github-actions
Bot
force-pushed
the
changeset-release/main
branch
from
c9ba5e1 to
097854e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
eslint-plugin-react-doctor@0.2.15
Patch Changes
6e59f10,75c1f99]:oxlint-plugin-react-doctor@0.2.15
Patch Changes
#596
6e59f10Thanks @aidenybai! - Collapse diagnostic categories into five clear, outcome-based buckets: Security, Bugs, Performance, Accessibility, and Maintainability. The previous fine-grained labels (Correctness, State & Effects, React Compiler, Next.js, React Native, Server, TanStack Query/Start, Preact → Bugs; Bundle Size → Performance; Architecture/Design → Maintainability) now roll up so the scan output reads as plain issue types at a glance.This changes the
categoryvalue on every diagnostic (CLI output, the per-error headline prefix likeSecurity: Use of eval(), and JSON/programmatic output). If you keycategoriesseverity overrides off the old names, update them to the new buckets. Dead-code findings (unused files/exports/dependencies, circular imports) now reportMaintainabilityinstead ofDead Code. Bundle-size findings now sort withPerformance(higher stakes) rather than near the bottom of the top-errors block.#630
75c1f99Thanks @rayhanadev! - Fixreact-doctor@latest(and the ESLint/oxlint plugins) crashing before the scan starts withERR_MODULE_NOT_FOUND: Cannot find package 'oxc-parser'under strict package managers like pnpm. The publishedoxlint-plugin-react-doctor/dist/index.jsperforms a runtimeimport { parseSync } from "oxc-parser"(cross-file parsing for rules likeno-mutating-reducer-state) and the build intentionally keepsoxc-parserexternal, but the package only declared it underdevDependencies, so consumers never had it installed.oxc-parseris now a realdependency. See #629.react-doctor@0.2.15
Patch Changes
#612
3ceb748Thanks @rayhanadev! - Stop flagging known public client keys inno-secrets-in-client-code. Keys that vendors design to ship in the browser bundle — RevenueCat public SDK keys (appl_/goog_/amzn_/strp_), Stripe/Clerk publishable keys (pk_live_/pk_test_), Supabase publishable keys (sb_publishable_), PostHog project keys (phc_), Stytch public tokens (public-token-), and Mapbox public access tokens (pk.) — are now allowlisted, so the variable-name heuristic no longer reports them as hardcoded secrets. Ambiguous shapes that can be either public or sensitive (Google/FirebaseAIza…browser keys, and bare Supabaseanon/service_roleJWTs) are intentionally still flagged.#596
6e59f10Thanks @aidenybai! - Diagnostic ranking now depends solely on the score API's per-rule priority. The hand-rolled severity/category-stakes weighting (and the offline priority midpoints) is gone: when the API priority is unavailable (--no-score, offline, or API failure) rules and categories keep their scan order, with categories falling back to alphabetical for determinism.#619
b3c3aa9Thanks @aidenybai! - TreatCI=1andCI=Trueas CI environments, not justCI=true. CI-only behavior (suppressing the share URL, marking the run as CI-originated for scoring) now triggers consistently across providers that setCIto a truthy value other than the literal string"true"; explicitCI=false/CI=0are still treated as non-CI.A present-but-unparseable
react-doctor.config.jsonat the scanned root no longer silently falls through to a parent directory's config. The tool stops there instead of letting an ancestor repo's config govern the project; apackage.jsonreactDoctorconfig in the same directory is still used as a fallback.#605
4861f37Thanks @rayhanadev! - Update the dead-code analysis engine (deslop-js) to0.0.14so the published CLI's unused-file / dead-code detection runs on the latest release. The CLI previously pinned^0.0.13while the internal core engine was already on0.0.14; this aligns both on a single version and drops the duplicate from the lockfile.#596
6e59f10Thanks @aidenybai! - Collapse diagnostic categories into five clear, outcome-based buckets: Security, Bugs, Performance, Accessibility, and Maintainability. The previous fine-grained labels (Correctness, State & Effects, React Compiler, Next.js, React Native, Server, TanStack Query/Start, Preact → Bugs; Bundle Size → Performance; Architecture/Design → Maintainability) now roll up so the scan output reads as plain issue types at a glance.This changes the
categoryvalue on every diagnostic (CLI output, the per-error headline prefix likeSecurity: Use of eval(), and JSON/programmatic output). If you keycategoriesseverity overrides off the old names, update them to the new buckets. Dead-code findings (unused files/exports/dependencies, circular imports) now reportMaintainabilityinstead ofDead Code. Bundle-size findings now sort withPerformance(higher stakes) rather than near the bottom of the top-errors block.#623
b9e9bcbThanks @rayhanadev! - Align the CLI with the clig.dev and 12-factor CLI guidelines:--color/--no-colorflags force or disable colored output, with app-specificREACT_DOCTOR_NO_COLOR/REACT_DOCTOR_FORCE_COLORenv overrides. Flags win over env vars, which win over picocolors' built-inNO_COLOR/FORCE_COLOR/TERM/ TTY detection; the preference is resolved before parsing so it reaches every surface (scan report, branded header, score, prompts, errors).react-doctor --helpandreact-doctor install --helpnow lead with worked examples and link to where to report feedback.react-doctor versionsubcommand prints the version with Node and platform info (e.g.react-doctor/0.2.14 darwin-arm64 node-v24.14.0);-v/-V/--versionstay terse for scripts.react-doctor helpandreact-doctor help <command>now show help instead of failing by trying to scan a directory named "help".#583
4bc8a73Thanks @aidenybai! - Port expo-doctor's project-level checks as Expo-gated diagnostics. When an Expo project is detected (expoVersion !== null), react-doctor now runs the statically-determinable subset of expo-doctor's check suite during the environment-checks phase (skipped in diff/staged mode):expo-no-unimodules-packages— legacy@unimodules/*/react-native-unimodulespackages (IllegalPackageCheck).expo-no-cli-dependencies—expo-cli/eas-clilisted as project dependencies (GlobalPackageInstalledLocallyCheck).expo-no-redundant-dependency— packages Expo installs transitively or that were removed/deprecated (expo-modules-core,@expo/metro-config,@types/react-native,expo-permissions, theexpo-firebase-*family, …), each SDK-version gated (DirectPackageInstallCheck).expo-no-conflicting-dependency-override—overrides/resolutions/pnpm.overridesthat pin SDK-critical packages like@expo/cliormetro*(DependencyVersionOverrideCheck).expo-router-no-react-navigation— direct@react-navigation/*alongsideexpo-routeron the SDK 56 line only (>=56 <57, matching expo-doctor's range) (ExpoRouterReactNavigationCheck).expo-vector-icons-conflict— scoped icon packages mixed with@expo/vector-icons/react-native-vector-icons(VectorIconsCheck).expo-package-json-conflict—expo/react-nativescripts shadowing node_modules bins, and a package name colliding with a dependency (PackageJsonCheck).expo-lockfile— missing or multiple lock files at the workspace root (LockfileCheck).expo-gitignore— a committed.expo/directory, or local module native dirs that are gitignored (ProjectSetupCheck).expo-env-local-not-gitignored— committed.env*.localfiles (EnvLocalFilesCheck).expo-metro-config— a metro config that doesn't extendexpo/metro-config, while tolerating known wrappers that extend it internally such as Sentry'sgetSentryExpoConfig(MetroConfigCheck).The remaining expo-doctor checks require running the Expo CLI, querying the Expo API, or inspecting native iOS/Android projects — none of which fit react-doctor's offline, static model — so they're intentionally out of scope.
#583
4bc8a73Thanks @aidenybai! - Detect Expo projects independently of the single-valuedframeworkhint. Project discovery now surfaces anexpoVersionsignal (the declaredexpopackage spec, looked up in the project or any of its workspace packages, ornull), parallelingreactVersion. Theexpocapability is keyed offexpoVersion !== nullrather thanframework === "expo", so Expo-specific rules now load on web-rooted monorepos whoseapps/mobileworkspace targets Expo, and on projects that declare bothexpoand a web bundler (wherevite/nextpreviously won framework detection and silently dropped theexpocapability). The file-level package boundary inoxlint-plugin-react-doctorstill keeps Expo-only rules quiet on web workspaces.#615
8b313baThanks @rayhanadev! - Fix two dead-code / fix-recipe papercuts surfaced on alias-heavy Next.js projects.Dead-code no longer mis-flags
@/…(and other) imports as unused. The dead-code pass resolves imports throughoxc-resolver, which returns realpath'd (symlink-free) paths, but built its module graph from the scan root as-is. When the project root sat behind a symlink — e.g. a macOS iCloud-synced~/Documents/~/Desktop, or a symlinked checkout — the two path spaces diverged, every import edge dropped, and files reachable only through those imports (in an alias-heavy codebase, every@/…target) were reported as "unused / unreachable". The scan root is now canonicalized before analysis so the module graph and the resolver agree. This was never specific to@/*aliases; relative imports were affected the same way.Per-rule fix-recipe URLs are only shown when a recipe exists. Findings advertised a "fetch the canonical fix recipe" URL (
/prompts/rules/<plugin>/<rule>.md) for every diagnostic, but recipes are only published for react-doctor's own engine rules. Dead-code (deslop/*), the environment / supply-chain checks (require-reduced-motion,require-pnpm-hardening), and adopted third-party plugins (eslint,unicorn,react-hooks-js, …) have no recipe, so their links 404. The directive is now gated to engine rules, so agents are no longer sent to dead links.#607
5dff3b5Thanks @rayhanadev! - Fixreact-doctor --staged(and other scans) hanging after the diagnostics summary is already printed. When an adopted lint config crashed oxlint on the first attempt, the oxlint runner's per-batch progress timer was left running while the scan silently retried withextendsstripped — so the run finished and printed results, but the orphanedsetIntervalkept the Node event loop alive and the process never returned control to the shell. The batch loop now clears the timer in afinally, so it's always cleaned up even when a batch throws. See #599.#614
daef23cThanks @aidenybai! -jsx-keyno longer reports a missing key when a list element spreads the whole iteration item —items.map((item) => <Item {...item} />). Spreading the row object is the canonical "this row carries its own identity" shape and was the dominant source ofjsx-keynoise on real lists, while rarely catching a genuine reorder bug. Genuine keyless lists still report:items.map((item) => <Item name={item.name} />), index keys, array literals ([<Item {...item} />]), and spreads of anything other than the iteration variable.#614
daef23cThanks @aidenybai! - App-only heuristics now stay quiet in published libraries, and React Compiler memoization-cleanup is demoted to a warning.react-hooks-js/static-componentsandno-render-prop-childrenno longer fire on files in a published library — a non-privatepackage.jsonthat declares the publish contract (name+exports). They still fire in applications (including private monorepo apps that live underpackages/or declare a niche internalexportsmap) and in any package without that contract, and an explicit per-rule severity in config always re-enables them.react-compiler-no-manual-memoizationnow defaults towarninstead oferrorwhen React Compiler is detected — redundantuseMemo/useCallback/memois correctness-neutral cleanup, so it's hidden from the default report. The externalreact-hooks-js/*compiler rules stayerrorbecause each marks code the compiler could not optimize (a real perf regression).bucketsconfig field: set{ "buckets": { "compiler-cleanup": "error" } }to re-enable strict errors for the redundant-memoization rule. A per-rule override still wins over a bucket.#613
6448d5bThanks @NisargIO! - Speed up scans of effect-heavy codebases by memoizinggetDownstreamRefsin the State & Effects rule helpers.ascend()re-descended the same large definition subtrees on every recursion step, so the seven effect rules (led byno-pass-data-to-parent) blew up superlinearly on big components with manyuseEffects — re-walking and re-scoping identical bodies across recursion, across effects, and across rules. Caching the downstream-reference lookup per Program node (aWeakMapkeyed on the per-Programanalysis singleton, GC-bound with the file) collapses that to a single descent.On an 866-file Next.js app this cut ~9s (~24%) off a full scan — the worst rule on the largest file (a 1,159-line component with 10 effects) dropped from ~9.5s to ~0.18s, and the hot lint batch from ~13.5s to ~2.5s. Diagnostics are byte-identical (verified by a SHA-256 fingerprint over every diagnostic before/after); the cache only stores arrays callers already read and never mutate.
#616
bb15252Thanks @rayhanadev! - Add an--experimental-parallel [workers]flag that runs the oxlint lint pass across multiple worker processes instead of one batch at a time. React Doctor's rules are oxlint JS plugins (single-threaded per process), so a serial scan only ever pins one core;--experimental-parallelfans the file batches out across the requested number of concurrent oxlint subprocesses, which scales the scan nearly linearly with CPU cores (measured ~3.5–4.6x on a 1,500-file project and ~4.6x on Sentry's 8,773 files) while producing byte-identical diagnostics.--experimental-parallelwith no value auto-detects available cores;--experimental-parallel <n>caps the worker count;REACT_DOCTOR_PARALLEL=<n>seeds the default for flag-less / CI runs. The worker count is clamped to a safe range to bound peak memory, and the default remains serial so resource usage stays opt-in.#601
5f7cc7cThanks @rayhanadev! - Publish a JSON Schema forreact-doctor.config.jsonathttps://react.doctor/schema/config.json.Pointing
$schemaat the URL enables editor autocomplete, hover docs from the interface JSDoc, and typo warnings in any editor that understands JSON Schema. Closes #497.{ "$schema": "https://react.doctor/schema/config.json", "lint": true }The schema is generated from
packages/core/src/types/config.tsviapnpm build:schemaand checked intopackages/website/public/schema/config.json.#606
fe01e57Thanks @rayhanadev! - Redact secrets and PII from diagnostic output. Every diagnostic'smessage/helpis now scrubbed for API keys, tokens, private keys, JWTs, credentialed URLs, and email addresses before it reaches the terminal, the JSON report, or the score API — so react-doctor never echoes or transmits a secret embedded in your source. Provider tokens keep their non-secret, type-identifying prefix (e.g.sk_live_<redacted>,ghp_<redacted>) so you can tell which credential leaked while the secret itself stays masked.#625
bdb9e36Thanks @rayhanadev! - Add 10 React Native & Expo diagnostics (researched against first-party docs/RFCs and validated against an OSS corpus). Six are oxlint AST rules; four are project-level checks gated on the React Native / Expo capability and run in the environment-checks phase (skipped in diff/staged mode).AST rules:
rn-no-deep-imports— deep imports of public symbols fromreact-native/Libraries/*(RFC 0894; breaks on upgrade). Curated to symbols re-exported from the root, with a tailored message for the relocatedNewAppScreen; skips type-only imports and the Codegen/TurboModule authoring surface.rn-no-set-native-props—ref.current(?.).setNativeProps(...), a silent no-op under the New Architecture (Fabric).rn-no-image-children— children inside react-native's<Image>(which renders none); use<ImageBackground>. Resolves the element to thereact-nativeimport soexpo-image/customImageare ignored.rn-no-panresponder—PanResponderimported fromreact-native(JS-thread gestures); usereact-native-gesture-handler.rn-detox-missing-await— un-awaited Detox actions /waitFor/expect(element(...))in*.e2e.*files.expo-no-non-inlined-env— computedprocess.env[...]andprocess.envdestructuring, whichbabel-preset-expocan't inline (value isundefinedat runtime); scoped to Expo client files.Project-level checks:
rn-no-metro-babel-preset—module:metro-react-native-babel-presetin a babel config (renamed to@react-native/babel-preset; uninstalled on RN 0.73+).rn-library-react-in-dependencies— areact-native-builder-boblibrary listingreact/react-nativeindependenciesinstead ofpeerDependencies(duplicate-React / duplicate-native-module crashes).expo-reanimated-v4-requires-new-arch—react-native-reanimatedv4 withnewArchEnabled: falsein the app config (first-launch crash).expo-updates-no-unsafe-production-config—updates.disableAntiBrickingMeasures: truein the app config (can brick installed apps).#614
daef23cThanks @aidenybai! -rn-no-raw-textnow auto-detects in-file custom text wrappers, cutting false positives on design-system<Text>forwarders. A component whose returned root is a<Text>— e.g.const Banner = ({ children }) => <Text>{children}</Text>orexport const Caption = (props) => <Text {...props} />— is treated as a string-only text forwarder, so raw text passed to it (<Banner>Hello</Banner>) no longer reports. Mixed children still report (<Banner><Icon /> hi</Banner>) because a single-<Text>forwarder can't be trusted to route a JSX child into text. Components only referenced (not defined) in the file keep the existing name-heuristic behavior, and the config-driventextComponents/rawTextWrapperComponentsoverrides are unchanged.#617
9777f1aThanks @rayhanadev! - Configure React Doctor withdoctor.config.{ts,js,mjs,cjs,mts,cts,json}(or apackage.json#reactDoctorkey), and addreact-doctor rulescommands to list, explain, and configure rules without hand-editing config.doctor.config.ts(or any JS/JSON variant) — TypeScript and ESM configs load viajiti, and JSON configs allow comments and trailing commas (JSONC).rulescommands.rules listshows every rule and the severity it runs at;rules explain <rule>describes why a rule matters and how to tune it; andrules set/enable/disable/category/ignore-tag/unignore-tagedit your config for you. TS/JS configs are edited in place viamagicast(formatting and comments preserved); JSON andpackage.jsonare edited as data; adoctor.config.jsonis created when no config exists. Rule references accept the full key (react-doctor/no-danger), the bare id (no-danger), or a legacy key (react/no-danger).doctor-explainskill (aliasdoctor-config), shipped viareact-doctor install, teaches coding agents to explain a rule before disabling it and to pick the narrowest control (rule severity vs category vs tag vssurfaces).Breaking: the config file is now
doctor.config.*instead ofreact-doctor.config.json. The next time you runreact-doctorinteractively, an existingreact-doctor.config.jsonis automatically migrated to a typeddoctor.config.ts(settings preserved,$schemadropped) and you're told once — CI, coding-agent,--staged, JSON/score, and non-TTY runs are left untouched (a warning still nudges them). Thepackage.json#reactDoctorkey is unchanged.#596
6e59f10Thanks @aidenybai! - Cleaner scan output and smarter file scoping:Security: Use of eval()) instead of its id, so it's clear at a glance what kind of problem it is.dangerouslySetInnerHTML(XSS) is categorized under Security, and security messages use explicit vulnerability language (code injection, XSS, reverse tabnabbing, CSRF, secret exposure).title.*.iife.js,*.umd.js,*.global.js,*.min.js) is now excluded from scans by default. As a resultproject.sourceFileCount(and the scanned-file totals) no longer count these generated bundles.public/inject.jsbundle) are now detected by content and skipped, so they no longer flood the report with noise. Any diagnostic that still lands on an overlong single line falls back to afile:linereference instead of rendering an unreadable code frame.#621
24425b1Thanks @NisargIO! - Add Sentry crash reporting to the CLI. Uncaught errors that reach the CLI's error funnels are now captured via@sentry/nodeand flushed before the process exits, each enriched with aruncontext snapshot (version, node/platform/arch, the invocationcommand/argv,cwd, CI provider, coding agent, interactivity, and JSON mode) to make crashes triage-able. Sentry initializes as the first statement of the CLI entry so its global handlers are armed before any command runs, and it's scoped to the CLI only — the programmatic@react-doctor/apilibrary never initializes Sentry.Reporting is opt-out: pass
--no-scoreto disable crash reporting along with the hosted score API and share URL. The SDK is also skipped under test runs (VITEST/NODE_ENV=test).#628
e9e71bbThanks @rayhanadev! - Deepen the CLI's Sentry integration: uploaded source maps, unified tracing, and richer run context.dist/cli.jsand uploads the maps (scripts/sentry-sourcemaps.mjs, run frompnpm releaseand the@devpublish job) so crash stack traces are fully de-minified. Maps are uploaded to Sentry, not shipped in the npm tarball. Wired for both tagged releases and@devsnapshots; a no-op unless theSENTRY_AUTH_TOKEN/SENTRY_ORG/SENTRY_PROJECTCI secrets are configured.runInspectplus everyEffect.fn("Service.method")span) is bridged straight into Sentry as one unified per-run trace. If a user has their own OTLP backend configured (REACT_DOCTOR_OTLP_*), that still wins and the Effect trace is additionally parented under the Sentry trace so the two share atrace_id. Tracing is tunable viaSENTRY_TRACES_SAMPLE_RATE(set to0to disable; default samples every run).trace_id) so the crash and its spans appear together.environment(production/development, overridable viaSENTRY_ENVIRONMENT), areact-doctor@<version>releasethat matches the uploaded source-map artifacts, and the full run snapshot as searchable tags on every event (not just exceptions) — including which command ran (command,argv), where it ran (origin= cli/ci/agent/git-hook, plusci/ciProvider), the launching package manager (invokedVia, e.g. npm vs. pnpm dlx), and Node major version.project.*tags (framework, React major, TypeScript, React Compiler, Expo, React Native) plus aprojectcontext block (versions of React/Tailwind/Zod/Preact/Expo, TanStack Query, Reanimated, source-file count). The identifyingprojectName/rootDirectoryare deliberately excluded; no source code or diagnostic findings are sent.sendDefaultPiiis off (no IP), the hostname/server_name/device name and captured local variables are stripped, the OS username is removed from all paths (home directory →~) across cwd, argv, stack frames, and span attributes (e.g. theinspect.directorypath), and known secrets/emails are masked via the same redactor used for diagnostics. If scrubbing ever fails, the event is dropped rather than sent.SENTRY_DSN,SENTRY_ENVIRONMENT,SENTRY_RELEASE,SENTRY_TRACES_SAMPLE_RATE, andSENTRY_DEBUGare all honored at runtime.Reporting remains opt-out and CLI-only:
--no-scoredisables Sentry entirely (crash reporting and tracing), it's skipped under test runs, and the programmatic@react-doctor/apilibrary never initializes Sentry.#622
0938376Thanks @NisargIO! - Show"warning"-severity diagnostics by default again. A scan that reports only errors is too generous a bar for a health check, so warnings surface on every surface (CLI, PR comment, score,--fail-on) out of the box. Opt out with--no-warningsor"warnings": false; per-rule / per-category severity overrides still win as before.#596
6e59f10Thanks @aidenybai! - Hidewarning-severity diagnostics by default — a clean scan now reports onlyerror-severity findings (errors always show). Opt warnings back in with the--warningsflag or"warnings": trueconfig option;--no-warnings/"warnings": falseis the explicit default-off. The toggle is the master switch and runs after per-rule / per-category severity overrides, so a rule explicitly set to"warn"viarules/categoriesstill shows even when warnings are hidden.Because dead-code analysis only emits
warning-severity findings, it's now skipped entirely when warnings are hidden (its results would be filtered out anyway) — avoiding an expensive analysis pass on the default path.--warnings/"warnings": true(and--fail-on warning) re-enable it.Updated dependencies [
6e59f10,75c1f99]:@react-doctor/api@0.2.15
Patch Changes
6e59f10,6e59f10]:@react-doctor/core@0.2.15
Patch Changes
#596
6e59f10Thanks @aidenybai! - Collapse diagnostic categories into five clear, outcome-based buckets: Security, Bugs, Performance, Accessibility, and Maintainability. The previous fine-grained labels (Correctness, State & Effects, React Compiler, Next.js, React Native, Server, TanStack Query/Start, Preact → Bugs; Bundle Size → Performance; Architecture/Design → Maintainability) now roll up so the scan output reads as plain issue types at a glance.This changes the
categoryvalue on every diagnostic (CLI output, the per-error headline prefix likeSecurity: Use of eval(), and JSON/programmatic output). If you keycategoriesseverity overrides off the old names, update them to the new buckets. Dead-code findings (unused files/exports/dependencies, circular imports) now reportMaintainabilityinstead ofDead Code. Bundle-size findings now sort withPerformance(higher stakes) rather than near the bottom of the top-errors block.#596
6e59f10Thanks @aidenybai! - Fix dead-code analysis silently failing ("Scanning failed (dead-code analysis, non-fatal).") on type-heavy projects. deslop's semantic pass builds a full TypeScript program and walks every identifier through the type checker; on projects with large generic types (tRPC routers, Effect/Zod schemas, deep generics) the checker instantiates enormous types and the child process exceeds Node's default ~4 GB heap, dying with an uncatchable "JavaScript heap out of memory" that surfaced as empty worker output and a non-fatal scan failure. The dead-code worker child is now spawned with--max-old-space-size=8192so those projects complete instead of crashing.Updated dependencies [
6e59f10,75c1f99]:Note
Low Risk
The PR only updates versions and changelogs; risk to the repo is low, though the published 0.2.15 notes include a breaking config filename migration and new default telemetry unless users opt out.
Overview
This is a Changesets release PR: it removes consumed
.changeset/*.mdentries, bumps workspace packages from 0.2.14 → 0.2.15, and records the aggregated notes in each packageCHANGELOG.md. There is no application source diff here—only versioning and release metadata.What ships as 0.2.15 (documented in the changelogs):
react-doctorand plugins gain Expo/RN diagnostics, expo-doctor-style project checks,doctor.config.*+react-doctor rulesCLI, scan output and category rollup (Security / Bugs / Performance / Accessibility / Maintainability), secret redaction in diagnostics, optional Sentry crash reporting/tracing (opt-out via--no-score),--experimental-parallel, dead-code fixes (symlinked roots, 8GB worker heap),oxc-parseras a real dependency for pnpm consumers, and many rule/CLI papercuts. Breaking for users: config moves fromreact-doctor.config.jsontodoctor.config.*(interactive migration todoctor.config.ts); updatecategoriesoverrides if they used old category names.Reviewed by Cursor Bugbot for commit 097854e. Bugbot is set up for automated code reviews on this repo. Configure here.