Releases: rahuldk1105/roast-my-codebase
Release list
v1 — Now Your PRs Get Roasted Too
Your codebase has been getting roasted locally for a while. Now it happens in public, on every PR, with a
comment your whole team can see.
What's new
GitHub Action
Add one file to your repo and every PR gets a roast comment automatically. Health score, top findings,
inline burns. Teams screenshot these. They spread.
Inline roasts
The burn now appears directly under the finding that earned it — not in a separate section three scrolls
down. Fact and punchline in the same breath.
Meme energy
Every roast category got new entries. Little Bobby Tables, Gru's plan, "This is fine 🔥", "Works on my
machine™", LGTM (did not read). The personality is now actually a personality.
Share CTA
After your verdict, a pre-filled tweet URL. One click to post your score. Zero infrastructure.
Bug fix
npx roast-my-codebase crashed on the first run for most people (Dynamic require of "path" is not
supported). That's fixed. Embarrassing that it shipped. Here we are.
How to use the Action
Copy .github/workflows/roast.yml from this repo, or run:
npx roast-my-codebase --init-ci
No secrets to configure beyond GITHUB_TOKEN, which GitHub provides automatically.
Your codebase got a 4/100. The PR comment is live. The team has seen it. This is fine. 🔥
v1.3.0 — CLI tools, CI/CD suite, 11 languages, security hardening
What's new in v1.3.0
New CLI Features
--explain [category]— Offline knowledge base: 38 categories with why-it-matters, how-to-fix, and code examples--file <path>— Per-file drill-down: scan one file and show only its findings (great for pre-commit)--breakdown— Score breakdown by category: see exactly which categories are costing the most points--perf— Scanner timing: bar chart showing how long each scanner group took--output-dir <path>— Save all 5 report formats (JSON/HTML/SARIF/JUnit/Markdown) in one command--since-commit <sha>— Diff mode: only show findings for files changed since a git ref--exit-codes— Meaningful exit codes: 2=threshold, 3=regression, 4=trend, 5=security, 6=license--notify <url>— Slack/Teams/Discord webhook notifications with platform-native formatting--update-readme— Auto-update health badge in README.md after every scan--fail-on-trend— Smarter CI gating: only fail when score drops 3+ consecutive runs (with sparkline)--bundle— Bundle size regression detection vs last recorded baseline--monorepo— Scan each workspace package separately with per-package scores and rollup--init— Interactive wizard to generate.roastrc.json--serve— Live web dashboard with SSE auto-refresh on file changes
New Scanners
- License compliance — Flag GPL/AGPL/LGPL deps in commercial projects
- Database queries — Prisma/TypeORM/Sequelize/Mongoose anti-patterns (N+1, raw SQL, force:true)
- Config auditor — tsconfig.json strictness, ESLint coverage, Prettier configuration
- Test quality — Empty blocks,
.only, always-true assertions, skipped tests, hardcoded delays - Bundle size — Track dist/ output size over time, alert on regressions
- Custom Rule DSL — Define lint rules in
.roastrc.jsonwithout writing TypeScript
4 New Languages (11 total)
Ruby, PHP, Swift, Kotlin — each with 3 scanners
GitHub Actions
- Step Summary — Auto-writes markdown report to the Actions run page (zero config)
- SARIF output — Findings appear as native Code Scanning alerts
Performance
- 3-5x faster — All core scanners run with
Promise.all - Finding deduplication — Near-identical findings merged automatically
Roast Improvements
- 100+ new roast entries, expanded to 8-12 per category
- Combo roast when 4+ critical categories fire simultaneously
- Contextual opening line based on score + finding count
- Severity-aware large-file roasts
generateContextualVerdict— smarter verdicts for security/critical/test issues
Security Fixes
--filepath traversal protection- Custom rules ReDoS protection
--perf/--breakdownno longer corrupt JSON/SARIF stdout--thresholdnow works without--json- ESLint
extendsstring detection fixed - SPDX OR license expressions correctly parsed
Full changelog
See commit history
v1.2.0 — Web Dashboard, 11 Languages, CI/CD Suite
What's new in v1.2.0
🌐 Web Dashboard
--serve— Opens a live interactive browser dashboard with health gauge, donut chart, filterable/sortable findings, category bar chart, and Export JSON button
🌍 4 New Languages (11 total)
- Ruby — complexity, God classes, SQL injection, eval, frozen_string_literal
- PHP — complexity, SQL injection, MD5 passwords, system(), strict_types
- Swift — complexity, force-unwrap overuse, callback pyramid, mixed concurrency
- Kotlin — complexity, !! overuse, GlobalScope, runBlocking
🔄 CI/CD Suite
--junit/--junit-file— JUnit XML for Jenkins, GitLab CI, Bitbucket Pipelines--sarif/--sarif-file— SARIF for GitHub Code Scanning--pr-comment— Post report as GitHub PR comment--init-ci— Generate.github/workflows/roast.ymlin one command--fail-on-regression— Fail CI if health score dropped vs last snapshot--install-hooks— Git pre-commit hook installer
⚡ Performance
- 3-5x faster — All core scanners now run in parallel with
Promise.all
🔌 Plugin System
- Plugins now actually run on every scan
--list-plugins— Show configured plugins with load status--init-plugin <name>— Scaffold a new plugin package
📦 Monorepo Support
--monorepo— Scan each workspace package separately (npm/yarn/pnpm/lerna/nx)
🗂 More Features
--init— Interactive wizard to generate.roastrc.json--hotmap— ASCII directory tree with issue density per folder.roastignore— Exclude files/folders from all scans--incremental/--since <ref>— Only scan changed files--html-file— Standalone HTML report with charts- Dependency health scanner —
npm auditCVEs +npm outdatedstale packages
🔒 Security
- Path traversal fix in
--init-plugin - Symlink loop protection (
followSymbolicLinks: false) across all scanners - Markdown injection prevention in PR comments
- Package name validation in auto-fix uninstall
- Dependabot configured for weekly dependency updates
Full changelog
See commit history for details.
v1.1.2 - Multi-Language Release
What's New in v1.1.x
Multi-Language Support 🌍
Full scanner support for 5 additional languages beyond JavaScript/TypeScript:
- Python (7 scanners) — Complexity, type hints, imports, docstrings, code smells, security, class design
- Go (3 scanners) — Complexity, error handling, lint conventions
- Rust (3 scanners) — Complexity, unsafe usage, clippy hints
- Java (3 scanners) — Complexity, code smells, naming conventions
- C# (3 scanners) — Complexity, code smells, async patterns
Language detection is automatic via package files.
Python Deep Analysis 🐍
Python now has the most comprehensive analysis:
- Docstring coverage detection
- Security scanner (eval/exec, pickle, shell=True, SQL injection, secrets)
- Code smell detection (bare except, mutable defaults, globals, long lines)
- Class design analysis (God classes, @DataClass candidates, inheritance depth)
VS Code Extension 💻
Full VS Code extension included in vscode-extension/:
- Real-time inline diagnostics
- Status bar health score widget
- Tree view panels for findings and stats
- Interactive HTML report viewer
- Badge generation from command palette
CI/CD ⚙️
- GitHub Actions CI: tests on Node 20 & 22
- Auto-publish to npm on release
Fixed in v1.1.2
- Repository URL in package.json for npm provenance
- CI publish workflow verification
Full Changelog: v1.0.0...v1.1.2
v1.1.1 - Fix CI publish workflow
Fixed
- Fixed publish workflow verification step to properly validate bundle in ESM context
This is a patch release that fixes the automated npm publishing. No code changes to the CLI tool itself.
Full Changelog: v1.1.0...v1.1.1
v1.1.0 - Multi-Language Support
What's New
Multi-Language Support
Full scanner support for 5 additional languages beyond JavaScript/TypeScript:
- Python (7 scanners) — Complexity, type hints, imports, docstrings, code smells, security, class design
- Go (3 scanners) — Complexity, error handling, lint conventions
- Rust (3 scanners) — Complexity, unsafe usage, clippy hints
- Java (3 scanners) — Complexity, code smells, naming conventions
- C# (3 scanners) — Complexity, code smells, async patterns
Language detection is automatic via package files (requirements.txt, go.mod, Cargo.toml, pom.xml, .csproj).
VS Code Extension
A full VS Code extension is now included (vscode-extension/):
- Real-time inline diagnostics
- Status bar health score widget
- Tree view panels for findings and stats
- Interactive HTML report viewer
- Badge generation from command palette
CI/CD
- GitHub Actions CI: tests on Node 20 & 22, lint, type check
- Auto-publish to npm on GitHub release
Python Security Scanning
New dedicated Python security scanner detects:
eval()/exec()usagepickledeserializationsubprocesswithshell=True- Hardcoded secrets
- SQL injection via string formatting
Full Changelog: v1.0.0...v1.1.0