build(deps-dev): bump npm-build-zip from 1.0.4 to 2.0.0 #185

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-build-zip-2.0.0

dependabot[bot] commented on behalf of github on Jun 29, 2026

Bumps npm-build-zip from 1.0.4 to 2.0.0.

Changelog

Sourced from npm-build-zip's changelog.

[2.0.0] - 2026-06-24

⚠️ BREAKING CHANGES

  • Minimum Node.js is now 22.0.0 (was 18). The --exclude flag uses fs.promises.glob, which is stable in Node 22+. If you can't upgrade, stay on 1.2.x.
  • Package is now ESM-first ("type": "module"). CJS consumers can still use it via the index.cjs shim, but with one constraint: pack is async-only. Sync require('npm-build-zip').pack(...) is no longer supported — use the returned Promise (.then() / await).
  • Runtime dependencies dropped from 4 to 2: removed archiver-promise, sanitize-filename, yargs. The CLI parser is hand-rolled, sanitize() is inlined, and archiver is used directly. Only archiver and npm-packlist remain.
  • --include_hidden and --all semantics unchanged. The bundled option to npm-packlist still uses the v1 API (pinned to ^1.4.4).
  • Pinned npm-packlist to ^1.4.4 to keep the simple { path, bundled } API. v3+ switched to a Tree-based API that would have required adding @npmcli/arborist.

Added

  • --exclude / -x flag for glob-based file exclusion. Comma-separated patterns, evaluated with fs.promises.glob(pattern, { cwd: source }). Example: npm-build-zip --exclude="*.map,**/*.test.js". Works in both default mode and --include_hidden mode.
  • Hand-rolled CLI parser (no yargs). Supports all the previous flags and aliases (-s, -d, -i, -n, -no, -v, --all, --src, --dst, --in) plus the new -x short alias for --exclude. Adds --version short alias -V.
  • Dual ESM/CJS distribution via package.json#exports: { "import": "./index.js", "require": "./index.cjs" }.
  • loadPackageJson(cwd?) now accepts an optional cwd argument for testability. Default is process.cwd().
  • sanitize(name) is now exported and reused internally. Inlined from sanitize-filename (MIT) — covers unsafe chars, whitespace, and trim.
  • CJS shim tests verify require('npm-build-zip').pack(...) works for legacy consumers.
  • fs.promises.glob integration for --exclude (Node 22+ stable).

Changed

  • archiver-promise → archiver direct (more control over global options like forceUTC and comment).
  • yargs removed; CLI parser is ~60 lines, no deps.
  • sanitize-filename removed; sanitize inlined.
  • ESLint config updated for ESM (sourceType: "module").
  • Test split: unit.test.mjs (ESM, imports index.js directly) and cli.test.cjs / integration.test.cjs / cjs-shim.test.cjs (CJS, invoke the bin via child_process).
  • CI matrix is now Node 22 only (was 18/20/22). The package's engines.node is >=22, so testing below that is meaningless and breaks on fs.promises.glob (** glob) and --test directory walking introduced after 18.

[1.2.0] - 2026-06-24

Added

  • --no-timestamp flag for reproducible builds. When set, every entry in the zip gets mtime 1980-01-01 00:00, the archive uses forceUTC: true and comment: '', and entries are sorted alphabetically for byte-level determinism.
  • --help output now includes describe text for every flag.
  • .check() in the CLI rejects --name_only without --name with a clear, actionable error.
  • Error messages are prefixed with [npm-build-zip] for log-grep friendliness.
  • Tests via node:test (built-in, no new dependency): 23 tests across unit, cli, and integration suites. CI runs on Node 18, 20, and 22.
  • GitHub Actions: .github/workflows/ci.yml (test matrix) and .github/workflows/publish.yml (tag-triggered npm publish --provenance).
  • Internal helpers (loadPackageJson, walkAllFiles, resolveFilename) are exposed under _internal for unit testing.
  • files whitelist in package.json so the published tarball is small.

Changed

  • Upgrade yargs 13.3.0 → ^17.7.2 (Node ≥10; drops ~11 transitive deps).
  • ESLint ecmaVersion 6 → latest.
  • loadPackageJson() is only called when we actually need name/version from package.json — fixes a latent bug where --name --name_only still required a package.json in cwd.
  • The test script now runs node --test test/*.test.cjs instead of just executing the CLI.

Fixed

... (truncated)

Commits
  • 53dd2c4 2.0.0: ESM-first + drop 2 deps + --exclude
  • dfebfd6 1.2.0: hardening release
  • 0bd3f5b Merge pull request #13 from roberto-slopez/dependabot/npm_and_yarn/minimatch-...
  • bb30200 Merge pull request #14 from roberto-slopez/dependabot/npm_and_yarn/ansi-regex...
  • 7ee6ba7 Merge pull request #11 from roberto-slopez/dependabot/npm_and_yarn/async-2.6.4
  • 00a50bf Merge pull request #6 from roberto-slopez/dependabot/npm_and_yarn/lodash-4.17.21
  • bc9ae5f Merge pull request #5 from roberto-slopez/dependabot/npm_and_yarn/y18n-4.0.1
  • 3dc254a Bump minimatch from 3.0.4 to 3.1.2
  • 1e979b8 Bump ansi-regex from 4.1.0 to 4.1.1
  • 5487667 Bump async from 2.6.2 to 2.6.4
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [npm-build-zip](https://github.com/roberto-slopez/npm-build-zip) from 1.0.4 to 2.0.0.
- [Release notes](https://github.com/roberto-slopez/npm-build-zip/releases)
- [Changelog](https://github.com/roberto-slopez/npm-build-zip/blob/master/CHANGELOG.md)
- [Commits](roberto-slopez/npm-build-zip@v1.0.4...v2.0.0)

---
updated-dependencies:
- dependency-name: npm-build-zip
  dependency-version: 2.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update Javascript code) on Jun 29, 2026
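
The 1.2.0 changelog entry quoted above describes --no-timestamp output as entries with mtime 1980-01-01 00:00, an empty archive comment, and alphabetically sorted entries. One way to check a built artifact against that description before trusting it as reproducible, as an added example that is not part of this PR or of npm-build-zip; `auditZip` and `sampleZip` are hypothetical names, and the exact stored DOS date/time fields and the sort order are assumptions:

```javascript
// Added example (not npm-build-zip code): audit a zip's central directory
// against the changelog's description of --no-timestamp output.
const EOCD_SIG = 0x06054b50, CDH_SIG = 0x02014b50;
const DOS_1980_01_01 = (0 << 9) | (1 << 5) | 1; // (year - 1980) << 9 | month << 5 | day

function auditZip(buf) {
  // Find the end-of-central-directory record (22 bytes plus optional comment).
  let eocd = buf.length - 22;
  while (eocd >= 0 && buf.readUInt32LE(eocd) !== EOCD_SIG) eocd--;
  if (eocd < 0) throw new Error('EOCD record not found');
  const problems = [];
  if (buf.readUInt16LE(eocd + 20) !== 0) problems.push('archive comment is not empty');
  const count = buf.readUInt16LE(eocd + 10); // ZIP64 archives are out of scope here
  let pos = buf.readUInt32LE(eocd + 16), prev = null;
  for (let i = 0; i < count; i++) {
    if (pos + 46 > buf.length || buf.readUInt32LE(pos) !== CDH_SIG) {
      throw new Error(`bad central directory header at offset ${pos}`);
    }
    const time = buf.readUInt16LE(pos + 12), date = buf.readUInt16LE(pos + 14);
    const nameLen = buf.readUInt16LE(pos + 28);
    const name = buf.toString('utf8', pos + 46, pos + 46 + nameLen);
    if (date !== DOS_1980_01_01 || time !== 0) problems.push(`${name}: mtime is not 1980-01-01 00:00`);
    // Assumption: "sorted alphabetically" means plain code-unit order.
    if (prev !== null && name < prev) problems.push(`${name}: sorted before ${prev}`);
    prev = name;
    pos += 46 + nameLen + buf.readUInt16LE(pos + 30) + buf.readUInt16LE(pos + 32);
  }
  return problems;
}

// Constructed sample: central directory and EOCD only, no file data.
function sampleZip(entries, comment = '') {
  const cd = Buffer.concat(entries.map(([name, date, time]) => {
    const h = Buffer.alloc(46);
    h.writeUInt32LE(CDH_SIG, 0);
    h.writeUInt16LE(time, 12);
    h.writeUInt16LE(date, 14);
    h.writeUInt16LE(Buffer.byteLength(name), 28);
    return Buffer.concat([h, Buffer.from(name)]);
  }));
  const end = Buffer.alloc(22);
  end.writeUInt32LE(EOCD_SIG, 0);
  end.writeUInt16LE(entries.length, 10);
  end.writeUInt32LE(cd.length, 12);
  end.writeUInt16LE(Buffer.byteLength(comment), 20);
  return Buffer.concat([cd, end, Buffer.from(comment)]);
}
const clean = sampleZip([['a.js', DOS_1980_01_01, 0], ['b.js', DOS_1980_01_01, 0]]);
const dirty = sampleZip([['b.js', DOS_1980_01_01, 0], ['a.js', (46 << 9) | (6 << 5) | 24, 0x6000]], 'ci');
```

For a real artifact, pass `fs.readFileSync(path)` to `auditZip`; an empty result means the central directory matches the description, and hashing two independent builds remains the stronger check.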