Skip to content

JS Packages plugin setup wizard #1255

New issue
New issue
Open
Enhancement
Open
JS Packages plugin setup wizard#1255
Enhancement
Labels
🤓 UXUX improvement for CLI users🧩 create-cli🧩 js-packages-pluginPlugin for audit and outdated dependencies
@matejchalk

Description

@matejchalk
matejchalk
opened on Mar 2, 2026

User story

Our setup wizard should be able to configure a basic working version of each of our official plugins. Each plugin may prompt for its own specific configuration options and infer smart defaults from the user's repo. The resulting configuration code adds the plugin to the user's config and sets up some basic categories.

This issue is about @code-pushup/js-packages-plugin specifically.

Output example

import jsPackagesPlugin from '@code-pushup/js-packages-plugin';
import type { CoreConfig } from '@code-pushup/models';

const config: CoreConfig = {
  plugins: [
    await jsPackagesPlugin({ packageManager: 'pnpm' }),
  ],
  categories: [
    {
      slug: 'security',
      title: 'Security',
      description: 'Finds known **vulnerabilities** in 3rd-party packages.',
      refs: [
        {
          type: 'group',
          plugin: 'js-packages',
          slug: 'pnpm-audit',
          weight: 1,
        },
      ],
    },
    {
      slug: 'updates',
      title: 'Updates',
      description: 'Finds **outdated** 3rd-party packages.',
      refs: [
        {
          type: 'group',
          plugin: 'js-packages',
          slug: 'pnpm-outdated',
          weight: 1,
        },
      ],
    },
  ],
};

export default config;

Acceptance criteria

  • The JS Packages plugin is auto-selected if a package.json file is present in the root directory. Otherwise, it is unselected by default.
  • The user is prompted (or provides a CLI argument) for their package manager.
    • The options are npm, yarn (classic), yarn (modern) or pnpm. The default value depends on the packageManager field in the package.json or the presence of specific lock files (package-lock.json, yarn.lock, pnpm-lock.yaml). This logic is already implemented in the plugin and should be reused.
  • The user should confirm (via prompt or CLI argument) if they want both audit and outdated checks. Both are on by default, but it's also possible to select just one.
  • The user should confirm (via prompt or CLI argument) if they want to include all dependency groups. By default, production and development dependencies are selected, but any non-empty subset of production (dependencies), development (devDependencies), and optional (optionalDependencies) dependency groups may be selected.
  • The user should confirm (via prompt or CLI argument) if they want to also generate basic categories.
    • The default answer is yes (create the categories).
    • If confirmed, 1 or 2 categories are created depending on selected checks - Security (from {pm}-audit group) and Updates (from {pm}-outdated group).
    • If denied, no categories are created.
  • All of the above logic lives in @code-pushup/js-packages-plugin. The core of the setup wizard in @code-pushup/create-cli orchestrates plugin selection and generation, but doesn't know any specifics about individual plugins.

Metadata

Metadata

Assignees

No one assigned

    Labels

    🤓 UXUX improvement for CLI users🧩 create-cli🧩 js-packages-pluginPlugin for audit and outdated dependencies

    Type

    Enhancement

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions