Skip to content

feat: add automated dependency bump checker and changelog validator #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add automated dependency bump checker and changelog validator #186

wants to merge 5 commits into from

Conversation

@cryptodev-2s
Copy link
Contributor

@cryptodev-2s cryptodev-2s commented Nov 5, 2025
edited by cursor bot
Loading

Description

Adds a new check-deps command to automatically detect, validate, and update dependency bump entries in CHANGELOGs.

Usage

# Detect and validate
yarn check-dependency-bumps

# Auto-fix
yarn check-dependency-bumps --fix --pr 1234

Key Features

  • Detects dependency bumps from git diffs in package.json files
  • Validates exact versions in changelog entries (catches stale entries)
  • Auto-updates changelogs with --fix flag
  • Preserves PR history when bumping same dependency multiple times
  • Release-aware - adds entries to ## [X.Y.Z] section when package version changes, or [Unreleased] otherwise
  • Repository agnostic - reads repo URL from package.json

Example:

# Before (PR #7007):
- Bump `@metamask/transaction-controller` from `^61.0.0` to `^61.1.0` ([#7007](...))

# After fix (PR #1234):
- Bump `@metamask/transaction-controller` from `^61.0.0` to `^62.0.0` ([#7007](...), [#1234](...))

Implementation

New files:

  • src/check-dependency-bumps.ts + tests (24 tests)
  • src/changelog-validator.ts + tests (27 tests)

Modified:

  • src/command-line-arguments.ts - Added check-deps command
  • src/main.ts - Command routing
  • Updated test files for command structure

Coverage: 100% (statements, branches, functions, lines) - 340 passing tests

Testing in MetaMask/core

# Build tool
cd /path/to/create-release-branch && yarn build

# From core
cd /path/to/core
git checkout -b test-dep-bumps

# In one or more packages, modify package.json to:
# - Bump some dependencies
# - Bump some peerDependencies  
# - Bump some devDependencies (to verify they're correctly excluded)
# - Change the package version (to test release detection)

git add . && git commit -m "Test: bump dependencies"

# Validate
node /path/to/create-release-branch/dist/cli.js check-deps

# Fix without PR number
node /path/to/create-release-branch/dist/cli.js check-deps --fix

# Fix with PR number
node /path/to/create-release-branch/dist/cli.js check-deps --fix --pr 4532

# Validate with github-tools (https://github.com/MetaMask/github-tools)
cd /path/to/github-tools
yarn run changelog:check "/path/to/core" "main" "4532"

Note

Introduce check-deps CLI to detect dependency bumps from git diffs, validate CHANGELOG entries, and optionally auto-update them.

  • CLI
    • Add check-deps subcommand (via yargs) to analyze package.json diffs between refs and print JSON results.
    • Route commands in main to support release and new check-deps; guard initial-parameters for release-only.
  • Changelog validation/updating
    • New src/changelog-validator.ts: exact-match validation against Unreleased or specific release sections; auto-add/update entries; preserve/merge PR numbers; mark peerDependencies as BREAKING; support placeholder PRs.
    • New src/check-dependency-bumps.ts: parse diffs, detect dependencies/peerDependencies bumps (skip dev), dedupe, detect package version bumps for release-aware targeting, resolve repo URL, and invoke validator/updater.
    • Shared types in src/types.ts.
  • Tests
    • Extensive unit tests for diff parsing, validation, and updating logic; command routing in main and CLI args.
  • Docs/Changelog
    • Update CHANGELOG.md with new command and usage.

Written by Cursor Bugbot for commit 88d116a. This will update automatically on new commits. Configure here.

@cryptodev-2s cryptodev-2s force-pushed the feat/add-dependency-bump-checker branch 4 times, most recently from a88a703 to e9b5b6c Compare November 6, 2025 14:11
@cryptodev-2s cryptodev-2s marked this pull request as ready for review November 6, 2025 14:11
@cryptodev-2s cryptodev-2s requested a review from a team as a code owner November 6, 2025 14:11
cursor[bot]
cursor bot reviewed Nov 6, 2025
View reviewed changes
@cryptodev-2s cryptodev-2s force-pushed the feat/add-dependency-bump-checker branch from e9b5b6c to abcda3f Compare November 6, 2025 15:28
cursor[bot]
cursor bot reviewed Nov 6, 2025
View reviewed changes
src/changelog-validator.ts
await writeFile(changelogPath, await updatedChangelog.toString());

stdout.write(
`✅ ${packageDirName}: Updated ${entriesToUpdate.length} and added ${entriesToAdd.length} changelog entries\n`,
Copy link

@cursor cursor bot Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Grammatical pluralization gap in changelog updates

Missing singular/plural handling for the "added" count in the combined update message. When both updating and adding entries, the message always uses "changelog entries" (plural) even when only 1 entry is added. The message should use conditional pluralization like: ${entriesToAdd.length} changelog ${entriesToAdd.length === 1 ? 'entry' : 'entries'} to be grammatically correct and consistent with other messages in the codebase (see lines 340 and 420).

Fix in Cursor Fix in Web

@mcmire
Copy link
Contributor

mcmire commented Nov 12, 2025

@cryptodev-2s I haven't had time to review this yet, but I have one initial thought:

Should we rename check-deps to validate? My thought is that we will want to include some more validation steps in the future (e.g. #176), and if we group everything under validate it will create room for that work.

@cryptodev-2s
Copy link
Contributor Author

cryptodev-2s commented Nov 12, 2025

@cryptodev-2s I haven't had time to review this yet, but I have one initial thought:

Should we rename check-deps to validate? My thought is that we will want to include some more validation steps in the future (e.g. #176), and if we group everything under validate it will create room for that work.

Good point about future validation commands! However, I think check-deps should remain separate from release validation (#176) since:

  1. Different scope: check-deps works on any branch (feature branches included), not just release branches
  2. Independent use case: Validating dependency changelog entries is useful outside the release process
  3. Clear separation: Release-specific validation (Add command for validating release branch #176) deserves its own command

Suggestion:

Side note: Given we're adding more commands beyond release creation, we could consider renaming the package to something like @metamask/monorepo-tools in a future major version. But that's a separate discussion.

@cryptodev-2s
feat: add automated dependency bump checker and changelog validator
71ff282 
Introduces a new tool to automatically detect dependency version changes
and validate/update changelog entries accordingly.

Features:
- Detects dependency bumps from git diffs in package.json files
- Validates changelog entries with exact version matching
- Automatically updates changelogs with missing or outdated entries
- Smart PR reference concatenation when updating existing entries
- Dynamically reads repository URLs and package names
- Validates by default with optional --fix flag for updates

Usage:
  yarn check-dependency-bumps           # Validate changelogs
  yarn check-dependency-bumps --fix     # Auto-update changelogs
  yarn check-dependency-bumps --fix --pr 1234  # With PR number
@cryptodev-2s
refactor: inline package name resolution during diff parsing
8ee555d 
Optimizes package name resolution by reading package.json inline during
git diff parsing instead of in a separate enrichment pass.

Changes:
- Make parseDiff async to read package names inline
- Remove enrichWithPackageNames function (no longer needed)
- Read packageName immediately when first encountering a package
- Simplify validateChangelogs and updateChangelogs signatures
- Remove packageNames parameter (now part of PackageInfo)

Benefits:
- Single-pass processing (parse + enrich in one step)
- Simpler code flow (24 lines removed)
- Better data locality (package info complete at creation)
- Cleaner API (functions receive unified PackageChanges structure)

Test coverage maintained: 100% (339 passing tests)
@cryptodev-2s
refactor: use example repo name instead of core
084415e
@cryptodev-2s
fix: remove useless re-exported types
2a87c2e
@cryptodev-2s
docs: add changelog entry for check-deps command
88d116a
@cryptodev-2s cryptodev-2s force-pushed the feat/add-dependency-bump-checker branch from 9b796b6 to 88d116a Compare November 18, 2025 15:52
@cryptodev-2s cryptodev-2s requested a review from a team as a code owner November 18, 2025 15:52
@cryptodev-2s cryptodev-2s removed the request for review from a team November 18, 2025 15:54
@cryptodev-2s
Copy link
Contributor Author

cryptodev-2s commented Nov 18, 2025

@metamaskbot publish-preview

@github-actions
Copy link
Contributor

github-actions bot commented Nov 18, 2025

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/[email protected]

See these instructions for more information about preview builds.

1 similar comment
@github-actions
Copy link
Contributor

github-actions bot commented Nov 18, 2025

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/[email protected]

See these instructions for more information about preview builds.

@mcmire
Copy link
Contributor

mcmire commented Nov 18, 2025

check-deps works on any branch (feature branches included), not just release branches

Hmm. Currently this tool is centered around release management, so adding code that doesn't strictly relate to releases feels wrong. I did see your note about renaming this tool to monorepo-tools, but I'm not 100% convinced that's the right direction either. I will have to think about this some more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

team-core-platform

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cryptodev-2s @mcmire