fix: harden validation, version prompt, and registry fetch

- Add AbortSignal.timeout(30_000) to the npm registry fetch in
  getPackageMetadata so hung requests fail after 30 s instead of hanging forever
- Validate that a custom version entered in selectVersionPrompt is greater than
  the current version, preventing accidental downgrades
- Throw ReleaseError (instead of plain Error) for missing token, invalid repo
  format, and package discovery failures so withErrorBoundary formats them
  consistently rather than letting them surface as unhandled exceptions

Author: luxass

src/core/npm.ts

@@ -83,6 +83,7 @@ async function getPackageMetadata(
       headers: {
         Accept: "application/json",
       },
+      signal: AbortSignal.timeout(30_000),
     });
 
     if (!response.ok) {

src/core/prompts.ts

@@ -3,12 +3,12 @@ import type { BumpKind } from "#shared/types";
 import {
   getNextPrereleaseVersion,
   getNextStableVersion,
-  getNextVersion,
   getPrereleaseIdentifier,
   isValidSemver,
 } from "#operations/semver";
 import farver from "farver";
 import prompts from "prompts";
+import semver from "semver";
 
 export async function selectPackagePrompt(
   packages: WorkspacePackage[],
@@ -121,11 +121,13 @@ export async function selectVersionPrompt(
       message: "Enter the new version number:",
       initial: suggestedVersion,
       validate: (custom: string) => {
-        if (isValidSemver(custom)) {
-          return true;
+        if (!isValidSemver(custom)) {
+          return "That's not a valid version number";
         }
-
-        return "That's not a valid version number";
+        if (!semver.gt(custom, currentVersion)) {
+          return `Version must be greater than the current version (${currentVersion})`;
+        }
+        return true;
       },
     });
 

src/index.ts

@@ -68,15 +68,15 @@ export async function createReleaseScripts(options: ReleaseScriptsOptionsInput):
       async list(): Promise<WorkspacePackage[]> {
         return withErrorBoundary(async () => {
           const result = await discoverWorkspacePackages(normalizedOptions.workspaceRoot, normalizedOptions);
-          if (!result.ok) throw new Error(result.error.message);
+          if (!result.ok) throw new ReleaseError(result.error.message);
           return result.value;
         });
       },
 
       async get(packageName: string): Promise<WorkspacePackage | undefined> {
         return withErrorBoundary(async () => {
           const result = await discoverWorkspacePackages(normalizedOptions.workspaceRoot, normalizedOptions);
-          if (!result.ok) throw new Error(result.error.message);
+          if (!result.ok) throw new ReleaseError(result.error.message);
           return result.value.find((p) => p.name === packageName);
         });
       },

src/options.ts

@@ -2,6 +2,7 @@ import type { GitHubClient } from "#core/github";
 import type { CommitTypeRule } from "#shared/types";
 import process from "node:process";
 import { createGitHubClient } from "#core/github";
+import { ReleaseError } from "#shared/errors";
 import { dedent } from "@luxass/utils";
 
 type DeepRequired<T> = Required<{
@@ -139,16 +140,16 @@ export function normalizeReleaseScriptsOptions(options: ReleaseScriptsOptionsInp
 
   const token = githubToken.trim();
   if (!token) {
-    throw new Error("GitHub token is required. Pass it in via options.");
+    throw new ReleaseError("GitHub token is required. Pass it in via options.");
   }
 
   if (!fullRepo || !fullRepo.trim() || !fullRepo.includes("/")) {
-    throw new Error("Repository (repo) is required. Specify in 'owner/repo' format (e.g., 'octocat/hello-world').");
+    throw new ReleaseError("Repository (repo) is required. Specify in 'owner/repo' format (e.g., 'octocat/hello-world').");
   }
 
   const [owner, repo] = fullRepo.split("/");
   if (!owner || !repo) {
-    throw new Error(`Invalid repo format: "${fullRepo}". Expected format: "owner/repo" (e.g., "octocat/hello-world").`);
+    throw new ReleaseError(`Invalid repo format: "${fullRepo}". Expected format: "owner/repo" (e.g., "octocat/hello-world").`);
   }
 
   const normalizedPackages = typeof packages === "object" && !Array.isArray(packages)