chore: release v1.4.0

[miccy]

Pull Request

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context.

Changelog

[1.4.0] - 2025-11-30

Changed

• Updated packageManager to pnpm@10.24.0

Fixed

• Added pnpm-lock.yaml to ensure consistent dependency installation in CI
• Improved scripts/release.sh to insert comparison links at the top of the list
• Fixed scripts/release.sh to include package.json in the release commit
• Fixed scripts/release.sh to correctly rename [Unreleased] section and append comparison links

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Summary by CodeRabbit

Release Notes - Version 1.4.0

• Chores
  • Version bumped to 1.4.0
  • Enhanced release automation with improved changelog link generation and expanded release commit tracking

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A version bump to 1.4.0 across the project with updates to version constants in shell scripts, package.json, and CHANGELOG documentation. The release script gains improved changelog link insertion logic and now includes package.json in release commits.

Changes

Cohort / File(s)	Summary
Version Bumps package.json, scripts/check-github-repos.sh, scripts/detect.sh, scripts/full-audit.sh, scripts/harden-npm.sh, scripts/quick-audit.sh, scripts/set-language.sh	Version constants and package version updated from 1.3.4 to 1.4.0 across all project scripts and manifest.
Release Script Enhancements scripts/release.sh	Modified changelog link insertion to place links before the first existing link (if present) using sed, instead of always appending. Added package.json to git staging for release commits alongside CHANGELOG.md and scripts/.
Changelog Documentation CHANGELOG.md	New 1.4.0 release entry dated 2025-11-30 documenting three fixes to scripts/release.sh (link insertion, package.json inclusion, and Unreleased section renaming). Added 1.4.0 comparison link reference.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Majority of changes are homogeneous version bumps (repetitive pattern)
• Logic tweaks in scripts/release.sh are straightforward sed-based link insertion and git staging expansion
• Changelog documentation is straightforward release documentation
• May warrant closer inspection: scripts/release.sh to verify sed logic handles edge cases (missing link sections, malformed markdown)

Possibly related PRs

• Preview/v1.3.2 #6 — Both modify scripts/release.sh release behavior
• chore: release v1.3.3 #7 — Both modify scripts/release.sh changelog link insertion and release staging logic
• Preview/v1.3.4 #8 — Both modify scripts/release.sh duplicate-link checks and Unreleased section handling

Poem

🚀 Version bumps across the board today,
Scripts all dressed in 1.4.0's way,
Release script learns a smarter trick,
Links and packages staged so slick!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: release v1.4.0' clearly and concisely summarizes the main change: a version release bump to 1.4.0, which is directly reflected in the changeset across package.json, CHANGELOG.md, and all version strings in scripts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch preview/v1.4.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

scripts/release.sh (1)

87-98: Add clarifying comments for the changelog link insertion logic.

The new logic for finding and inserting the release link into CHANGELOG.md is sound, but it lacks comments explaining the regex pattern and conditional branches. Per the coding guidelines, shell scripts should use English-only comments for clarity and consistency.

Consider adding brief comments to clarify the approach:

 # Check if link already exists to avoid duplicates
 if ! grep -Fq "$LINK" CHANGELOG.md; then
~    # Find the first link line to insert before
~    FIRST_LINK_LINE=$(grep -n "^\[.*\]: http" CHANGELOG.md | head -n 1 | cut -d: -f1)
~
~    if [ -n "$FIRST_LINK_LINE" ]; then
~        # Insert before the first link
~        sed -i.bak "${FIRST_LINK_LINE}i\\
~$LINK" CHANGELOG.md && rm CHANGELOG.md.bak
~    else
~        # No links found, append to end
~        echo "" >> CHANGELOG.md
~        echo "$LINK" >> CHANGELOG.md
~    fi

The regex ^\[.*\]: http correctly targets link reference lines (e.g., [1.3.0]: https://...). The logic gracefully handles both cases: inserting before existing links (maintaining link grouping) and appending when none exist.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 722fddb and dc9bf15.

📒 Files selected for processing (9)

• CHANGELOG.md (2 hunks)
• package.json (1 hunks)
• scripts/check-github-repos.sh (1 hunks)
• scripts/detect.sh (1 hunks)
• scripts/full-audit.sh (1 hunks)
• scripts/harden-npm.sh (1 hunks)
• scripts/quick-audit.sh (1 hunks)
• scripts/release.sh (2 hunks)
• scripts/set-language.sh (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in shell scripts (.sh files) for code clarity and consistency

Files:

• scripts/harden-npm.sh
• scripts/set-language.sh
• scripts/quick-audit.sh
• scripts/full-audit.sh
• scripts/detect.sh
• scripts/release.sh
• scripts/check-github-repos.sh

**/*.{json,yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in configuration files (.json, .yml) for consistency across the security tooling

Files:

• package.json

🧠 Learnings (6)

📓 Common learnings

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Always update CHANGELOG.md when making any changes to code, configuration, or documentation

📚 Learning: 2025-11-30T20:33:32.637Z

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Do not make breaking changes to public APIs or script interfaces

Applied to files:

• scripts/harden-npm.sh

📚 Learning: 2025-11-30T20:33:47.273Z

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Applies to cs/**/CHANGELOG.md : Follow the Keep a Changelog format (https://keepachangelog.com) when updating CHANGELOG.md

Applied to files:

• CHANGELOG.md
• scripts/release.sh

📚 Learning: 2025-11-30T20:33:32.637Z

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Update CHANGELOG.md using Keep a Changelog format when making any changes (code, config, docs) to the repository

Applied to files:

• CHANGELOG.md
• scripts/release.sh

📚 Learning: 2025-11-30T20:33:47.273Z

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Always update CHANGELOG.md when making any changes to code, configuration, or documentation

Applied to files:

• CHANGELOG.md
• scripts/release.sh

📚 Learning: 2025-11-30T20:33:47.273Z

Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Do not make breaking changes to the public API/interface of detection scripts

Applied to files:

• scripts/detect.sh

🔇 Additional comments (9)

CHANGELOG.md (1)

8-18: ✅ Changelog entry follows Keep a Changelog format properly.

The v1.4.0 release section is well-structured with accurate date, clear categorization (Changed/Fixed), and concise descriptions. The comparison link at line 177 maintains consistency with existing entries.

Based on learnings, this aligns with the Keep a Changelog format requirement when making any changes to the repository.

scripts/quick-audit.sh (1)

2-2: ✅ Version bump maintains backward compatibility.

Simple version constant update with no changes to script behavior or interface.

scripts/detect.sh (1)

26-26: ✅ Version bump maintains script interface compatibility.

Simple version constant update with no changes to detection logic or CLI interface. Backward compatible as per learnings.

scripts/set-language.sh (1)

2-2: ✅ Version bump maintains compatibility.

Simple version constant update with no functional changes.

scripts/full-audit.sh (1)

20-20: ✅ Version bump maintains backward compatibility.

Simple version constant update with no changes to audit script behavior or interface.

scripts/check-github-repos.sh (1)

2-2: ✅ Version bump maintains backward compatibility.

Simple version constant update with no changes to script behavior or CLI interface.

package.json (1)

3-3: ✅ Version field consistent across all project files.

Package version bumped to 1.4.0, matching CHANGELOG entry and all shell script versions.

scripts/harden-npm.sh (1)

2-2: ✅ Version bump maintains backward compatibility.

Simple version constant update with no changes to hardening script functionality or interface.

scripts/release.sh (1)

128-128: Verify that package.json is properly staged with CHANGELOG.md and scripts/.

The change to include package.json in the release commit is aligned with the PR objectives and the version sync workflow. This ensures that the version bump in package.json is captured alongside the changelog and script updates.

Please confirm that the version synchronization logic in ./scripts/sync-version.sh (invoked at line 117) updates package.json correctly before this git add command executes. If there's any possibility of a race condition or ordering issue, please verify the execution flow.