
chore: version packages #764

Open: github-actions[bot] wants to merge 1 commit into main from changeset-release/main

@github-actions github-actions Bot commented Jun 10, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

eslint-plugin-react-doctor@0.5.2

Patch Changes

  • #766 94f9f4f Thanks @devin-ai-integration! - Bump engines.node to ^20.19.0 || >=22.13.0 so the declared support range matches transitive dependencies (eslint-scope@9, eslint-visitor-keys@5 require ^22.13.0), preventing EBADENGINE warnings on npm and hard install failures on Yarn 1 under Node 22.12.x.

  • Updated dependencies [94f9f4f, 038aaf7, c4f0e60]:

    • oxlint-plugin-react-doctor@0.5.2

oxlint-plugin-react-doctor@0.5.2

Patch Changes

  • #766 94f9f4f Thanks @devin-ai-integration! - Bump engines.node to ^20.19.0 || >=22.13.0 so the declared support range matches transitive dependencies (eslint-scope@9, eslint-visitor-keys@5 require ^22.13.0), preventing EBADENGINE warnings on npm and hard install failures on Yarn 1 under Node 22.12.x.

  • #784 038aaf7 Thanks @rayhanadev! - Fix a false positive in nextjs-missing-metadata (#775): an App Router page is no longer flagged as "missing metadata for search previews" when it inherits metadata / generateMetadata from a co-located or ancestor layout.*. Next.js merges metadata down the segment chain, so a page covered by a parent layout's title/description already has search-preview metadata. The rule now walks up the App Router directory tree (bounded, stopping at app/) and stays quiet when an ancestor layout supplies metadata; pages with no metadata anywhere in the chain are still flagged.

  • #782 c4f0e60 Thanks @rayhanadev! - only-export-components now recognizes the route/special files of every file-routing framework react-doctor covers and skips them, so the documented "co-export config/metadata next to the default component" shape stops producing false-positive "non-component export" warnings:

    • Next.js — App Router (page, layout, loading, error, not-found, template, default, global-error, route) and Pages Router (_app, _document, _error) special files, plus metadata image routes (opengraph-image, twitter-image, icon, apple-icon, incl. numbered variants), which fixes the alt / size / contentType / revalidate exports in opengraph-image.tsx (#776).
    • Expo Router — _layout and the +html / +not-found / +native-intent reserved files.
    • TanStack Router / Start — __root and *.lazy route modules.
    • Remix / React Router — root, entry.client, and entry.server modules.

react-doctor@0.5.2

Patch Changes

  • #767 486c68f Thanks @rayhanadev! - The GitHub Action's blocking input now defaults to none (advisory) instead of error. Every PR still gets the full React Doctor report — the sticky summary comment, inline review comments, and a commit status with the health score — but the check no longer fails on findings, so a brand-new install can't red-X a teammate's PR on day one (trust-before-gate). To turn the gate back on, set blocking: warning (fail on any finding) or blocking: error (fail on error-severity findings) on the action. The generated react-doctor.yml documents this inline.

    Note: this changes behavior for existing millionco/react-doctor@v2 workflows that never set blocking — they were gating on error-severity findings and will now run advisory. Add blocking: error to the action's with: block to keep the previous behavior.

    The CLI / config default is unchanged: react-doctor (and --blocking / the blocking config key) still defaults to error, so local runs, pre-commit hooks, and non-action CI keep failing on error-severity findings.

  • #766 94f9f4f Thanks @devin-ai-integration! - Bump engines.node to ^20.19.0 || >=22.13.0 so the declared support range matches transitive dependencies (eslint-scope@9, eslint-visitor-keys@5 require ^22.13.0), preventing EBADENGINE warnings on npm and hard install failures on Yarn 1 under Node 22.12.x.

  • #731 1ca6f0e Thanks @aidenybai! - Bundle Effect into the published CLI so npx react-doctor@latest no longer installs Effect's ini@7 dependency and avoids the Node 22.19 engine warning.

  • #791 22268f7 Thanks @rayhanadev! - Cap the oxlint dependency to >=1.66.0 <1.67.0. oxlint 1.67.0 added an optional peer dependency on vite-plus, which in pnpm workspaces that install vite-plus at the root forces a second peer-resolution context for the Vite+ toolchain. That split installs a duplicate copy of the Vitest fork (@voidzero-dev/vite-plus-test), and test runs fail at collection with Vitest failed to find the current suite because hooks register in one copy while suites live in the other (#699). Pinning below 1.67 keeps react-doctor's oxlint free of the vite-plus peer edge, so pnpm dedupes the toolchain back to a single instance.

  • #769 2f26228 Thanks @rayhanadev! - Consolidate the scan-scope controls into one --scope flag (and scope config option) with four values, shared verbatim by the CLI and the GitHub Action:

    • full (default) — the whole project, every issue. Whole-project checks (dead-code, environment, supply-chain) run only here.
    • files — only the files changed vs the base, with all issues in them (no compare-to-main). What --staged and an uncommitted --diff did.
    • changed — only issues the change introduced vs the base (the baseline delta). What --diff <base> and the action's scope: changed did.
    • lines — only issues on the lines the change actually touched. New: previously this scoping existed only inside the GitHub Action's inline-review-comment step; it now lives in the engine, so the CI gate, score display, summary, and inline comments all honor one scope.

    --base <ref> sets the comparison base for files / changed / lines (auto-detected when omitted). Behavior is unchanged by default: the CLI --scope defaults to full and the action scope input still defaults to changed. --diff / config.diff keep working as a deprecated alias (--diff <base> → --scope changed --base <base>, --diff false → --scope full) and emit a one-time deprecation warning; --staged is retained as the source selector and composes with --scope files / --scope lines.

  • #784 038aaf7 Thanks @rayhanadev! - Fix a false positive in nextjs-missing-metadata (#775): an App Router page is no longer flagged as "missing metadata for search previews" when it inherits metadata / generateMetadata from a co-located or ancestor layout.*. Next.js merges metadata down the segment chain, so a page covered by a parent layout's title/description already has search-preview metadata. The rule now walks up the App Router directory tree (bounded, stopping at app/) and stays quiet when an ancestor layout supplies metadata; pages with no metadata anywhere in the chain are still flagged.

  • #768 a64093c Thanks @rayhanadev! - CI onboarding now resolves the repository's actual default branch instead of assuming main. The pull request opened during setup asks GitHub (gh repo view) for the default branch — falling back to origin/HEAD, then main/master — and uses it as the PR base, and the installed workflow's push trigger scans that same branch (master, develop, …) so the health-score trend works on repos whose default branch isn't main.

  • #783 a48fb06 Thanks @devin-ai-integration! - Add a --output-dir <dir> flag that writes the full diagnostics dump (diagnostics.json + one .txt per rule) to a directory of your choice instead of a random temp folder, prints the written path whenever the flag is set (previously --verbose-only), and makes the agent handoff reuse that directory instead of writing a second temp copy. Without the flag, behavior is unchanged.

  • #780 f5f539a Thanks @rayhanadev! - The Socket supply-chain check now gates on the security axes (supply chain, vulnerability) instead of Socket's overall score, and the diagnostic names the exact axis that failed. Socket's overall is its lowest axis, so a package with perfect security scores could fail the Security gate purely on quality/maintenance — @types/bun was reported as having a "supply-chain score of 48" while socket.dev showed Supply Chain 100 (issue #770). Known-bad packages (event-stream@3.3.6, vulnerable minimist/lodash releases) are still flagged via their vulnerability axis, and the reported number now always matches the axis named on the socket.dev package page.

  • Updated dependencies [94f9f4f, 038aaf7, c4f0e60]:

    • oxlint-plugin-react-doctor@0.5.2

@react-doctor/api@0.5.2

Patch Changes

@react-doctor/core@0.5.2

Patch Changes

  • #769 2f26228 Thanks @rayhanadev! - Consolidate the scan-scope controls into one --scope flag (and scope config option) with four values, shared verbatim by the CLI and the GitHub Action:

    • full (default) — the whole project, every issue. Whole-project checks (dead-code, environment, supply-chain) run only here.
    • files — only the files changed vs the base, with all issues in them (no compare-to-main). What --staged and an uncommitted --diff did.
    • changed — only issues the change introduced vs the base (the baseline delta). What --diff <base> and the action's scope: changed did.
    • lines — only issues on the lines the change actually touched. New: previously this scoping existed only inside the GitHub Action's inline-review-comment step; it now lives in the engine, so the CI gate, score display, summary, and inline comments all honor one scope.

    --base <ref> sets the comparison base for files / changed / lines (auto-detected when omitted). Behavior is unchanged by default: the CLI --scope defaults to full and the action scope input still defaults to changed. --diff / config.diff keep working as a deprecated alias (--diff <base> → --scope changed --base <base>, --diff false → --scope full) and emit a one-time deprecation warning; --staged is retained as the source selector and composes with --scope files / --scope lines.

  • #783 a48fb06 Thanks @devin-ai-integration! - Add a --output-dir <dir> flag that writes the full diagnostics dump (diagnostics.json + one .txt per rule) to a directory of your choice instead of a random temp folder, prints the written path whenever the flag is set (previously --verbose-only), and makes the agent handoff reuse that directory instead of writing a second temp copy. Without the flag, behavior is unchanged.

  • Updated dependencies [94f9f4f, 038aaf7, c4f0e60]:

    • oxlint-plugin-react-doctor@0.5.2

@react-doctor/language-server@0.5.2

Patch Changes


Note

Medium Risk
No new runtime code in the diff, but merging publishes behavior changes—notably GitHub Action blocking defaulting to advisory—that can surprise existing CI workflows until they opt back into blocking: error.

Overview
Automated Changesets release that bumps the monorepo from 0.5.1 → 0.5.2, rolls consumed .changeset files into package CHANGELOG entries, and updates version fields so merge triggers npm publish.

The 0.5.2 notes (already implemented on main) cover react-doctor: GitHub Action blocking default none (advisory; set blocking: error to restore prior gating), unified --scope / scope (full | files | changed | lines) with deprecated --diff aliases, --output-dir, Socket supply-chain gating on security axes only, CI onboarding using the repo’s real default branch, bundled Effect for npx, oxlint capped below 1.67, and Node engines ^20.19.0 || >=22.13.0. @react-doctor/core ships scope consolidation and --output-dir; oxlint-plugin-react-doctor fixes nextjs-missing-metadata inheritance and broadens only-export-components skips for framework route files.

Reviewed by Cursor Bugbot for commit 9fc4c18. Bugbot is set up for automated code reviews on this repo. Configure here.
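
The Socket gating change described in the react-doctor notes above (#780), sketched as an added JavaScript example; this is not react-doctor's or Socket's code. The threshold `MIN_SCORE`, the object shape, the placeholder package name and every score other than the two @types/bun figures quoted in the changelog (48 and Supply Chain 100) are assumptions constructed for illustration.

```javascript
// Added example, not the project's implementation.
// Assumption: each package carries per-axis scores on a 0-100 scale.
const SECURITY_AXES = ["supplyChain", "vulnerability"];
const MIN_SCORE = 50; // assumed threshold, not taken from the project

// Per the changelog, Socket's overall score is its lowest axis.
function overallScore(axes) {
  return Math.min(...Object.values(axes));
}

// Previous behaviour: gate on overall, so a quality or maintenance dip
// fails the Security gate even when the security axes are perfect.
function gateOnOverall(pkg) {
  const score = overallScore(pkg.axes);
  return score < MIN_SCORE ? [{ package: pkg.name, axis: "overall", score }] : [];
}

// New behaviour: gate only on the security axes and name the axis that failed.
function gateOnSecurityAxes(pkg) {
  const findings = [];
  for (const axis of SECURITY_AXES) {
    const score = pkg.axes[axis];
    if (typeof score !== "number") {
      // A missing axis is reported instead of being treated as a pass.
      findings.push({ package: pkg.name, axis, score: null });
    } else if (score < MIN_SCORE) {
      findings.push({ package: pkg.name, axis, score });
    }
  }
  return findings;
}

// Constructed sample data. Only 48 and Supply Chain 100 come from the changelog;
// which non-security axis held the 48 is an assumption.
const typesBun = {
  name: "@types/bun",
  axes: { supplyChain: 100, vulnerability: 100, quality: 48, maintenance: 90, license: 100 },
};
const lowVulnAxis = {
  name: "example-vulnerable-pkg", // placeholder, not a real package
  axes: { supplyChain: 95, vulnerability: 20, quality: 90, maintenance: 85, license: 100 },
};

console.log(gateOnOverall(typesBun));         // flagged on "overall"
console.log(gateOnSecurityAxes(typesBun));    // no findings
console.log(gateOnSecurityAxes(lowVulnAxis)); // flagged on "vulnerability"
```
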

@github-actions github-actions Bot force-pushed the changeset-release/main branch 9 times, most recently from ab5aea4 to 480420b Compare June 11, 2026 07:37
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 480420b to 9fc4c18 Compare June 12, 2026 03:34