v2.78.0: production CodeClimate fix, --explain everywhere, Windows hardening

@BartWaardenburg BartWaardenburg released this 22 May 12:11
v2.78.0
e5e082a

Highlights

Added

  • fallow flags covers 5 more SDKs by default: PostHog, Vercel Flags, ConfigCat, Optimizely, and Eppo. No config required; user-authored flags.sdkPatterns still layer on top. (Closes #563)
  • --explain now works on every invocation shape, not just subcommand+JSON. Human output gains a Description: line under each rule / metric. Combined-mode JSON gains a top-level _meta block aggregating the per-analysis metadata so fallow --explain --format json is a single-call discovery surface for rule docs. (Closes #559)
  • License clock-skew defense: fallow-license now rejects JWTs whose iat is more than 24h in the future. Such a token is either forward-signed, or the runner's clock is behind real time and would otherwise accept a long-expired license. Adds a new LicenseError::ClockSkew variant; the tolerance is configurable via the FALLOW_LICENSE_SKEW_TOLERANCE_SECONDS env var and defaults to 24h, matching jsonwebtoken / pyjwt / jjwt conventions. (Closes #453)

Changed

  • One persistent progress spinner instead of per-stage flicker. Before, each pipeline stage (discovery, extract, graph, analyze, dupes, health) had its own spinner; on fast machines none of them painted, so fallow on a moderately-sized project appeared frozen between command issue and final summary. Now a single spinner spawns at the start of the run, updates the stage label in place, and respects FALLOW_QUIET=1 / --quiet / non-TTY stderr. (Closes #560)

Fixed

  • fallow --score and fallow --trend now actually render the health score and trend in the terminal in combined mode. Previously the values were computed and emitted to JSON / SARIF / CodeClimate but the human renderer silently skipped them. (Closes #557)
  • fallow check --format codeclimate --production no longer panics with internal error: entered unreachable code when a --production-suppressed dep / export / member rule resolves to Severity::Off. Generic CodeClimate helpers now map severity lazily inside the loop body instead of eagerly before iteration. (Closes #452)
  • Workspace-relative paths instead of bare basenames in the nudge line, refactoring-targets nudge, Angular rollup line, and CRAP-coverage (inherited from ...) suffix. Nx / Angular / Rust monorepos with many same-named files (index.ts, mod.rs, *.component.ts, template.html) now show enough path context to identify which file fallow is pointing at. (Closes #547)
  • CSS Modules unused-export findings now report the real source line and column instead of line: 1, col: 0. LSP "go to definition" jumps to the actual class declaration; SARIF regions anchor to the right line; --diff-file line-overlap classification works correctly. (Closes #549)
  • CSS Modules nested cascade-layer sub-names (@layer foo.bar { ... }) no longer report as unused exports. Thanks @BowlingX for the report. (Closes #540)

Windows CI hardening

The push-to-main Windows CI matrix (added in #447) surfaced a class of long-latent Windows-only path-shape bugs that had been invisible because PR runs were ubuntu-only:

  • --changed-since and fallow audit now match findings on Windows instead of silently returning zero. Three sites moved from std::fs::canonicalize (which adds the \\?\ verbatim prefix on Windows) to dunce::canonicalize so canonical paths agree with opts.root shape. (Closes #561)
  • fallow audit --gate new-only no longer reports every inherited finding as freshly introduced on Windows; BASE-vs-HEAD finding-key intersection now strips the \\?\ prefix before strip_prefix. (Closes #561)
  • Diff-aware analyses (--diff-file, --diff-stdin, --changed-since) and the --file filter on fallow check now classify POSIX-style absolute paths (/foo/bar) correctly on Windows. New crates/cli/src/path_util::is_absolute_path_any_platform recognizes host-absolute, POSIX-root, and Windows-drive-prefix shapes regardless of host. (Closes #545)
  • Windows fallow binary now links with a 16 MiB main-thread stack (was Windows's 1 MiB default). Audit integration tests crashed with STATUS_STACK_OVERFLOW on a recursive code path inside fallow audit that exceeded 1 MiB but stayed under POSIX's 8 MiB default. (Closes #556)
  • The main Rust Check job now runs on Windows in addition to Linux on every push to main, catching this class of path-shape bug before the next release rather than at user-report time. PR runs stay ubuntu-only for fast feedback. (Closes #447)
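
The path-shape mismatch behind the fixes above, as an added example (not fallow's own code): a root-relative finding key computed from a \\?\-prefixed canonical path never matches an unprefixed root, so a gate silently sees zero findings. The name is_absolute_path_any_platform comes from the notes; its body here and the helpers strip_verbatim, has_drive_prefix and relative_key are assumptions, and all paths are constructed.

```rust
// Added illustration, not fallow's implementation. String-based so it runs on any host.

/// `C:\` or `C:/` style drive prefix.
fn has_drive_prefix(p: &str) -> bool {
    let b = p.as_bytes();
    b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && (b[2] == b'\\' || b[2] == b'/')
}

/// Strip the `\\?\` verbatim prefix from a drive path (`\\?\C:\repo` -> `C:\repo`).
/// Other verbatim forms such as `\\?\UNC\...` are returned unchanged.
pub fn strip_verbatim(p: &str) -> &str {
    match p.strip_prefix(r"\\?\") {
        Some(rest) if has_drive_prefix(rest) => rest,
        _ => p,
    }
}

/// Name taken from the release notes; this body is an assumed sketch.
pub fn is_absolute_path_any_platform(p: &str) -> bool {
    std::path::Path::new(p).is_absolute() // host-absolute
        || p.starts_with('/')             // POSIX root, even on a Windows host
        || has_drive_prefix(p)            // Windows drive prefix, even on a POSIX host
}

/// Root-relative key used to match the same finding across two runs.
/// Returns None when `file` is not under `root`.
pub fn relative_key(root: &str, file: &str) -> Option<String> {
    let root = strip_verbatim(root).replace('\\', "/");
    let file = strip_verbatim(file).replace('\\', "/");
    let rest = file.strip_prefix(root.trim_end_matches('/'))?;
    // Require a separator boundary so `C:/repo` does not match `C:/repo2/x.ts`.
    rest.strip_prefix('/').map(str::to_owned)
}

fn main() {
    // Constructed sample paths: an unprefixed root and a canonicalized file path.
    let root = r"C:\repo";
    let canonical = r"\\?\C:\repo\src\index.ts";
    // Naive prefix match fails, which is how findings silently drop to zero.
    println!("naive:      {:?}", canonical.strip_prefix(root));
    println!("normalized: {:?}", relative_key(root, canonical));
    println!("posix abs:  {}", is_absolute_path_any_platform("/foo/bar"));
}
```

Drive-letter case is compared as written here; a production matcher would also need to decide how to treat c:\ versus C:\.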

Internal

  • Narrowed an import in crates/mcp/src/server/tests/run.rs so two Unix-only helpers are gated on #[cfg(unix)], silencing a Rust 1.95 unused-imports clippy regression on the windows-latest CI leg.

Install

npm install fallow@2.78.0
# or
cargo install fallow-cli --version 2.78.0
# or via Homebrew / direct binary download

Full Changelog: v2.77.0...v2.78.0