v2.82.0: framework plugins, quieter output, safer fixes

@BartWaardenburg BartWaardenburg released this 26 May 15:54
v2.82.0
c9d5682

Highlights

A broad framework-plugin release: ng-packagr Angular libraries, electron-vite, Playwright webServer, SvelteKit remote functions, k6, Supabase Edge Functions, Mintlify, and Iconify icon packages all stop producing false unused findings out of the box. The release also brings quieter JSON output, a smarter fallow fix, and a binary-verification model that no longer relies on npm install scripts.

Features

Framework plugins

  • Angular ng-packagr libraries: lib.entryFile from ng-package.json / ng-package.prod.json (default src/public_api.ts) is now a package entry point, resolved relative to the config directory, so the library public API and everything reachable through its re-export chain stays alive instead of reporting as unused. Nested secondary-entry-point configs (packages/lib/client/ng-package.json) are scanned too, and the plugin also activates on a ng-packagr dependency. (#606)
  • electron-vite: renderer, preload, and main entries declared in electron.vite.config.* build.rollupOptions.input (string, array, and object forms, including resolve(__dirname, ...) path helpers) are treated as entry points. (#600)
  • Playwright webServer.command: CLI dependencies and local server scripts launched by webServer.command (object and array forms) are credited and kept reachable, with paths resolved relative to the config directory. (#621)
  • Vitest test.alias / resolve.alias: now recognized in vite.config.*, in test.projects[*], and in vitest.workspace.* files, covering mock and virtual-module aliases so they stop reporting as unresolved imports, unlisted dependencies, or unused exports. (#601)
  • SvelteKit remote functions: src/**/*.remote.{ts,js} files and their exported query / command / form / prerender functions are kept reachable. (#611)
  • k6: load-test scripts (*.k6.{js,ts,...}) act as runtime entry surfaces, the k6 CLI is credited, and the k6 / k6/* runtime namespace is recognized. (#625)
  • Supabase Edge Functions: Deno jsr: / npm: / URL imports resolve correctly, and supabase/functions/*/index.* files are runtime entry roots. (#624)
  • Mintlify: docs.json / mint.json, the mint / mintlify CLI, and MDX content under the docs root are recognized via a new built-in plugin. (#626)
  • Iconify: @iconify-json/<prefix> packages used only through static icon strings (<Icon name="jam:github" />) are credited as referenced. Thanks @nicolas-deyros for the report. (#608)

Bug fixes

  • Vite path-helper entries: build.rollupOptions.input / build.lib.entry written as resolve(__dirname, ...) / path.resolve(...) / join(...) / import.meta.dirname calls are evaluated to entry patterns; the shared extractor also benefits Webpack, Rspack, Rsbuild, Rolldown, Rollup, Vitest, and Drizzle. (#604)
  • Error subclass name: a name member on a class whose heritage reaches a native error constructor (Error, TypeError, ...) is treated as runtime-used rather than an unused class member. (#620)
  • new Class().method() receivers: methods called on a freshly-constructed instance, directly or through a self-returning fluent chain, are credited. (#605)
  • fallow fix low-confidence exports: export removals are withheld for files under off-graph consumer directories (__mocks__, e2e, fixtures, ...) and files with unresolved imports, so a fix never turns an analysis false positive into a broken build. A skipped_low_confidence_exports count and per-entry skip_reason are added to JSON output. (#602)
  • Quieter JSON / CI output: repeated workspace and plugin diagnostics on stderr are aggregated into one summary line per glob pattern or framework, instead of one line per directory. The structured workspace_diagnostics[] array is unchanged. (#637)

Changed

  • Binary verification moved from npm install's postinstall hook to first-run inside fallow, fallow-lsp, and fallow-mcp. The Ed25519 signature + SHA-256 digest check is preserved bit-for-bit (same key, same fail-closed behavior); a sentinel caches the verified state per install dir + binary hash. This removes the dependency on npm install scripts ahead of npm RFC 868. fallow --version now prints a verified: yes line; FALLOW_SKIP_BINARY_VERIFY=1 warns once per invocation when active, and FALLOW_VERIFY_CACHE_DIR redirects the sentinel for read-only install dirs.
  • --performance annotations: the parse/extract line gains a (parallel: ~Nms CPU) suffix, reused health stages read (measured above), and both breakdowns gain an (other) row so stages reconcile with TOTAL. JSON output gains observational parse_cpu_ms / shared_parse fields. (#481)