chore(deps-dev): bump @varlock/bumpy from 1.10.2 to 1.13.2 #119

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/varlock/bumpy-1.13.2

dependabot Bot commented on behalf of github Jun 11, 2026

Bumps @varlock/bumpy from 1.10.2 to 1.13.2.

Release notes

Sourced from @varlock/bumpy's releases.

@varlock/bumpy v1.13.2

  • #101 (patch) - Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
    • Detect the new-package case before any side effects. When OIDC is the only available auth path (no NPM_TOKEN/NODE_AUTH_TOKEN, no .npmrc auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a 0.0.0 placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable id-token: write for provenance attestations alongside token auth are unaffected.
    • Replace blanket git push --tags after publish with per-tag force push. gh release create --draft --target SHA creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and git push --tags rejects with "already exists". The new logic iterates releasePlan.releases minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.

Published to

@varlock/bumpy v1.13.1

  • #99 (patch) - Fix scrolling in bumpy add when there are many packages. The interactive bump-select prompt now renders a viewport that fits within the terminal, scrolling the package list (with ▲ N more / ▼ N more indicators) as the cursor moves. Previously, when the list exceeded terminal height, navigating up would snap the cursor back to the bottom because the redraw cursor-up lost its anchor once content scrolled off-screen. Closes #96.

Published to

@varlock/bumpy v1.13.0

  • #97 (minor) - Recommend pull_request_target for the bumpy ci check workflow so fork PRs receive release-plan comments. Previously, fork PRs running under pull_request got a read-only token, so the check would fail red with no helpful comment — a bad first impression for OSS projects. bumpy ci check now recognizes the pull_request_target event when reading the PR number from GITHUB_EVENT_PATH, and emits a clearer warning that links to the new docs when comment posting fails on a fork PR. See the updated GitHub Actions docs for the new workflow (the version is resolved from the base branch's package.json, so no version pinning duplication).

Published to

... (truncated)

Changelog

Sourced from @varlock/bumpy's changelog.

1.13.2

2026-06-05

  • #101 (patch) - Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
    • Detect the new-package case before any side effects. When OIDC is the only available auth path (no NPM_TOKEN/NODE_AUTH_TOKEN, no .npmrc auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a 0.0.0 placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable id-token: write for provenance attestations alongside token auth are unaffected.
    • Replace blanket git push --tags after publish with per-tag force push. gh release create --draft --target SHA creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and git push --tags rejects with "already exists". The new logic iterates releasePlan.releases minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.

1.13.1

2026-06-03

  • #99 (patch) - Fix scrolling in bumpy add when there are many packages. The interactive bump-select prompt now renders a viewport that fits within the terminal, scrolling the package list (with ▲ N more / ▼ N more indicators) as the cursor moves. Previously, when the list exceeded terminal height, navigating up would snap the cursor back to the bottom because the redraw cursor-up lost its anchor once content scrolled off-screen. Closes #96.

1.13.0

2026-06-03

  • #97 (minor) - Recommend pull_request_target for the bumpy ci check workflow so fork PRs receive release-plan comments. Previously, fork PRs running under pull_request got a read-only token, so the check would fail red with no helpful comment — a bad first impression for OSS projects. bumpy ci check now recognizes the pull_request_target event when reading the PR number from GITHUB_EVENT_PATH, and emits a clearer warning that links to the new docs when comment posting fails on a fork PR. See the updated GitHub Actions docs for the new workflow (the version is resolved from the base branch's package.json, so no version pinning duplication).

1.12.0

2026-06-03

  • #94 (minor) - Detect catalog entry changes as package changes. When a catalog version in pnpm-workspace.yaml (pnpm) or root package.json (bun/yarn catalog/catalogs, plus workspaces.catalog/workspaces.catalogs) is modified, bumpy add and bumpy check now flag every package that references the changed entry via catalog: / catalog:<name> as changed. Closes #92.

1.11.0

2026-06-02

  • #91 (minor) - Add --expect-mode flag to bumpy ci release for asserting the detected release mode (version-pr or publish). Enables split-job release workflows where each job fails loudly if the runtime state doesn't match what the job expects. Refactored ReleaseOptions to rename the existing mode field to autoPublish: boolean and add assertMode. --expect-mode and --auto-publish cannot be combined.

Commits

  • 6c9adb5 🐸 Versioned release (#103)
  • 199e729 fix: harden publish for trusted publishing + stranded tags (#101)
  • a2cf1d6 🐸 Versioned release (#100)
  • b7bb4fc fix: viewport scrolling in bumpy add prompt (#99)
  • eb0f9da 🐸 Versioned release (#98)
  • bb37d26 feat: use pull_request_target for ci check workflow (#97)
  • 010a74e 🐸 Versioned release (#95)
  • 79b1dac feat: detect catalog entry changes as package changes (#94)
  • dabcc73 feat: enable npm staged publishing for bumpy's own releases
  • a1b44e5 🐸 Versioned release (#93)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
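
The 1.13.2 notes quoted above describe a pre-publish check that runs only when OIDC is the sole auth path and a package has never been published. The sketch below is an added example of that decision logic, not bumpy's own code: the function names and result shape are hypothetical, and the registry lookup is passed in as a map of HTTP statuses so it runs offline.

```javascript
// Added example, not bumpy's source. Function names and the result shape are
// hypothetical; the environment variables and .npmrc keys are real.

// True when a publish token is reachable: NPM_TOKEN / NODE_AUTH_TOKEN in the
// environment, or an _authToken / _auth entry in .npmrc that has a value.
function hasTokenAuth(env, npmrcText = "") {
  if (env.NPM_TOKEN || env.NODE_AUTH_TOKEN) return true;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/(?:^|:)_auth(?:Token)?\s*=\s*(.+)$/);
    if (!m) continue;
    // A "${VAR}" placeholder only counts when VAR is actually set.
    const ref = m[1].match(/^\$\{(\w+)\}$/);
    if (!ref || env[ref[1]]) return true;
  }
  return false;
}

// GitHub Actions sets both variables only for jobs granted id-token: write.
function oidcAvailable(env) {
  return Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
}

// registryStatus maps package name -> HTTP status of a GET on
// https://registry.npmjs.org/<name> (404 = never published). It is passed in
// so the decision runs offline and before any tag or release is created.
function preflightPublish({ env, npmrcText, packages, registryStatus }) {
  if (hasTokenAuth(env, npmrcText)) return { ok: true, auth: "token", unpublished: [] };
  if (!oidcAvailable(env)) return { ok: false, auth: "none", unpublished: [] };
  const unpublished = packages.filter((name) => registryStatus[name] === 404);
  return { ok: unpublished.length === 0, auth: "oidc", unpublished };
}

// Constructed input: an OIDC-only job releasing one existing and one new package.
const ciEnv = {
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://example.invalid/oidc",
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "constructed-value",
};
const npmrc = "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}\n";
const registryStatus = { "@example/existing": 200, "@example/brand-new": 404 };
const result = preflightPublish({
  env: ciEnv, npmrcText: npmrc, packages: Object.keys(registryStatus), registryStatus,
});
console.log(result);
```

The `.npmrc` line in the sample references `NODE_AUTH_TOKEN`, which is unset, so it does not count as a token fallback and the new package is reported.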

Bumps [@varlock/bumpy](https://github.com/dmno-dev/bumpy/tree/HEAD/packages/bumpy) from 1.10.2 to 1.13.2.
- [Release notes](https://github.com/dmno-dev/bumpy/releases)
- [Changelog](https://github.com/dmno-dev/bumpy/blob/main/packages/bumpy/CHANGELOG.md)
- [Commits](https://github.com/dmno-dev/bumpy/commits/@varlock/bumpy@1.13.2/packages/bumpy)

---
updated-dependencies:
- dependency-name: "@varlock/bumpy"
  dependency-version: 1.13.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
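
The 1.13.0 notes quoted in this PR recommend `pull_request_target` so that fork PRs get a token able to post comments. The following is an added example (not bumpy's code or its documented workflow) of a check to run on any workflow that adopts that event: it flags a missing `permissions:` block and any checkout of the PR head. The rule names are hypothetical, both workflows are constructed, and the scan is line-based rather than a full YAML parse.

```javascript
// Added example, not from bumpy or its docs. Line-based scan, not a YAML
// parser; rule names are hypothetical and both workflows are constructed.
const FORK_REF = /github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs\/pull\//;

function auditWorkflow(text) {
  const lines = text.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, ""));
  // Count the event only where it is a trigger, not inside an `if:` expression.
  const isTrigger = (l) => /\bpull_request_target\b/.test(l) && !/\bif:|\$\{\{/.test(l);
  if (!lines.some(isTrigger)) return [];
  const findings = [];
  // Without a permissions block the token keeps the repository default scopes.
  if (!lines.some((l) => /^\s*permissions:/.test(l))) {
    findings.push({ rule: "no-permissions-block", line: 0 });
  }
  // Checking out the PR head puts fork-controlled files in a privileged job.
  lines.forEach((l, i) => {
    if (/^\s*ref:/.test(l) && FORK_REF.test(l)) {
      findings.push({ rule: "checkout-of-pr-head", line: i + 1 });
    }
  });
  return findings;
}

const risky = [
  "on: pull_request_target",
  "jobs:",
  "  check:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
].join("\n");

const safer = [
  "on:",
  "  pull_request_target:",
  "permissions:",
  "  contents: read",
  "  pull-requests: write",
  "jobs:",
  "  check:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4  # default ref: the base branch",
].join("\n");

console.log(auditWorkflow(risky), auditWorkflow(safer));
```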
dependabot Bot added the dependencies and javascript labels Jun 11, 2026

netlify Bot commented Jun 11, 2026

Deploy Preview for typedcss-validator ready!

Name Link
🔨 Latest commit b8ef52b
🔍 Latest deploy log https://app.netlify.com/projects/typedcss-validator/deploys/6a2b151bbb142b00089c85fb
😎 Deploy Preview https://deploy-preview-119--typedcss-validator.netlify.app
To edit notification comments on pull requests, go to your Netlify project configuration.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @varlock/bumpy@1.13.2 | 79 | 100 | 100 | 97 | 100 |

View full report
