chore: finalize nxz-cli v6.1.0 release notes and TODO
- Curate `packages/nxz/CHANGELOG.md` v6.1.0 entry: keep the
`--memlimit-decompress` Added line, drop noise from older commits
the populate script picked up via the root `latestTag` baseline,
add a `### Notes` section pointing at transitive `tar-xz@6.1.0`
benefits (true streaming for `extract`/`list`, Win32 TOCTOU
hardening, native `memlimit` parity).
- TODO: mark #26 ✅ with PR #117 squash (`2e3c25f`) and release
commit (`ecff028`); add LOW follow-ups for the upstream
populate-script tag-baseline gap and the pre-existing
`parseCliArgs` cognitive-complexity-17 refactor candidate.
- Update package version matrix to reflect `nxz-cli@6.1.0`.
@@ -14,14 +14,16 @@ _None._
## Pending - LOW (Nice to Have)
-
-[ ][Release]**#26 — nxz-cli 6.0.0 → 6.1.0 visibility bump**— ready (#25 Phase 2 merged via `68d6d91`). 0 nxz-specific code changes since v6.0.0 verified ; npm `nxz-cli@6.0.0`already pulls `tar-xz@6.1.0` transitively via `^6.0.0`. Bump is metadata-only for CHANGELOG/lockfile signal. Trigger: `gh workflow run release.yml -f target_package=nxz-cli -f increment=patch`. Now that GIT_CHANGELOG_PATH is wired, the resulting CHANGELOG entry will be scoped to `packages/nxz/` commits only.
+
-[ ]💡 [Release]**release-it-preset upstream — package-aware tag baseline for monorepo workspaces.**`populate-unreleased-changelog.js` currently uses `latestTag` (= last GPG-signed root tag, e.g. `v5.0.0` from 2026-04-09) as the `since` baseline for `git log`, so every commit since the root tag that touched the package's subtree appears in the new release entry — even commits that already shipped in a prior workspace release. Concretely : nxz-cli@6.1.0 release captured commits from #108 (already in 6.0.0), #115 (biome refactor — body fragments), and `adfbc99` (changesets adoption — already removed). Suggested fix : detect the last `chore(<pkg>): release v*` commit on the same branch and use its SHA as the baseline when running from a subdirectory. Tracked here as a follow-up upstream PR for `oorabona/release-it-preset`.
-[ ][Release] Consider `engines.node` bump from `>=22.0.0` to `>=22.13.0` when 22.0–22.12 usage drops — surfaced by Copilot round 2 on PR #116 ; deferred because library itself runs fine on 22.0+, the 22.13 floor only applies to the dev/release toolchain (release-it@20). Re-evaluate if anyone reports install warnings.
-[ ][Lint] Single residual biome warning: `test/node-api.spec.ts:249` (`suppressions/unused` — pre-existing biome-ignore that no longer suppresses anything). Cosmetic 1-line cleanup for a future PR.
+
-[ ] 🔧 [Refactor]`parseCliArgs` cognitive complexity 17 (cap 15) — biome warning, surfaced by pre-push opus review on PR #117. Not introduced by #117 (pre-existing on the function ; nxz CLI parsing has accumulated branches). Out-of-scope for #26. Candidate for a small refactor PR : extract per-flag handlers OR split the function into compress/decompress/tar branches.
<!-- F-002 (HARDLINK + undefined linkname → TypeError) DROPPED 2026-04-29 by Copilot round-2 review on PR #115: TarEntry.linkname is typed as required string (parser returns '' for empty fields), and ensureSafeLinkname → ensureSafeName already rejects '' with "empty linkname" before reaching resolve(). The original concern was mischaracterized — there is no path where resolve(cwd, undefined) gets called with undefined. -->
## Completed
+
- [x] ✅ [Release] **#26 — nxz-cli `--memlimit-decompress` + 6.1.0 release — closed** (PR #117 squash `2e3c25f`, release commit `ecff028`, npm published 2026-04-30). Pivoted from a metadata-only visibility bump to a real minor with new user-facing capability after audit revealed nxz CLI never surfaced the `LZMAOptions.memlimit` already supported by the library (PRs #111 WASM + #112 Native). New `--memlimit-decompress <SIZE>` CLI flag mirrors `xz` standard : integer mantissa, IEC (1024-based) and SI (1000-based) suffixes, all-zero forms (`0`, `0MiB`, `max`) → no limit, decimal mantissa rejected for parity. Helper `parseMemlimitSize(s: string): bigint | undefined` extracted to `packages/nxz/src/memlimit.ts` (side-effect-free, importable by tests). 36 vitest cases (29 direct parser + 7 CLI binary), 707 tests across workspace. **Review trail** : opus + Codex parallel (Copilot quota exhausted ; Codex substituted via `llm-delegate.sh --codex --mode review`) ; R1 found 1 S (decimal precision elevated by Codex) + 4 M ; fix-round 1 closed S/M-1/M-2/M-3 ; Codex R2 found M-4 (test imports CLI module that auto-runs main) ; fix-round 2 extracted helper to standalone module ; pre-push opus on cumulative 3-commit state returned SAFE-TO-PUSH ; admin-merged. CHANGELOG curated post-release : populate-script picked up too much history (uses root `latestTag` baseline rather than last per-package release — tracked as upstream follow-up TODO). Transitive notes added manually for tar-xz@6.1.0 streaming + Win32 TOCTOU benefits.
- [x] ✅ [Release] **#25 — Per-package CHANGELOG scoping (release-it) — closed** (PR #116 squash `68d6d91`, 2026-04-30). Future workspace-package releases (`tar-xz`, `nxz-cli`) produce CHANGELOGs scoped to commits whose diffs touch their own subtree. **Phase 1** : upstream `oorabona/release-it-preset` v0.11.0 (commit `0b4f857`) added opt-in `GIT_CHANGELOG_PATH` env var + 9 vitest cases incl. security validation (rejects `../`, absolute paths, shell metacharacters). **Phase 2** (this PR) : bumped preset 0.9.0 → 0.11.0, bumped `release-it` 19.2.4 → 20.0.1 to satisfy preset peerDep (Copilot M round 1), wired `GIT_CHANGELOG_PATH=.` inline on the workspace bump step in `release.yml` after `cd "$PKG_DIR"` (the `.` resolves to the package's own subtree), removed dormant changesets pipeline (workflow + `.changeset/` + 2 devDeps + ~90 transitive lockfile entries). Net diff : 7 files, +279/-1011 (-732 lines after fix-round 1 lockfile). Senior reviewer opus pre-push verdict : SAFE-TO-MERGE 0 S/0 M/3 L. 2 Copilot review rounds : R1=2 findings (1 M peer dep + 2 L cosmetic), R2=1 L (engines.node) classified-and-rejected with rationale on PR thread. Resolves "changesets vs release-it" architecture question raised 2026-04-27 (`adfbc99`) → cleanup `4d24fde` left noise problem unsolved. Body-fragment parser issue tracked separately upstream as v0.11+ "Out-of-scope follow-up" in preset's TODO.
- [x] ✅ [Refactor] **Biome warnings sweep + cognitive-complexity extract-method — story REFACTOR-BIOME-2026-04-29 closed** (PR #115 squash `ad2e18f`, 2026-04-29). Pure refactor sweep across the workspace: **63 → 1 biome warnings (-98.4%)**. 5 phases: biome --write auto-fix (Phase 2, -23), manual noNonNullAssertion + cycle-ignore + useForOf (Phases 3+4, -26), test extract-method (Phase 5a, -8), low-risk src extract (Phase 5b-1, -3), HIGH-RISK security/streaming src extract (Phase 5b-2, -2). 11 helpers extracted in Phase 5b-2 alone (extractSymlinkEntry, extractHardlinkEntry, openFileExclusive, writeFileEntryPosix/Win32, writeFileEntry, ensureSafeLinkname for file.ts; nextParseEvent, drainEntryChunks, drainSkippedEntry, createEntryDataPull for extract.ts). Win32 TOCTOU contract preserved byte-identical (em-dash U+2014 in security error verbatim). Pre-push opus senior-review verdict: SAFE-TO-PUSH. **6 Copilot review rounds, 13 findings folded** (1→3→1→1→2→3 — last 3 were L-only comment-precision; class breakdown: 5 fail-fast invariant patterns, 2 doc/comment drift, 2 type-narrowing semantics, 4 stale doc pointers). 671 tests stable throughout. 1 residual warning is pre-existing unrelated (`test/node-api.spec.ts:249`). Net diff: 20 files / +808/-499. ~3h wall-clock.
-[x] ✅ [tar-xz]**Win32 symlink-swap TOCTOU hardening — story WIN32-TOCTOU-2026-04-29 closed** (PR #114 squash `b24040d`, 2026-04-29). JS-pure `'wx'`+retry fail-closed pattern in `extractFile` Win32 branch (no native addon expansion). fd-based `chmod`/`utimes` (best-effort wrap on Win32 to preserve master's FAT32/cloud-share semantics). Recon invalidated original "match node-tar with CreateFileW" framing — node-tar is pure JS and explicitly Unix-only (PR #456). 4 BDD scenarios + observable-proof byte-equality assertion + reparse-tag coverage table (SYMLINK / MOUNT_POINT / CLOUD_FILES) in SECURITY.md. Adversarial pass on 5 Win32 vectors (1 M folded, 4 L/None confirmed). 6 Copilot review rounds, **21 findings folded** (3 M → 1 M → 0 M for code; remainder L/cosmetic). 155/0 tests, 0 lint, 0 typecheck. Total wall-clock ~150 min, 6 implementer dispatches + 1 senior-review opus.
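Review bot: the new LOW entry for the upstream populate-script baseline proposes using the SHA of the last `chore(<pkg>): release v*` commit as the `since` baseline, but it does not say what the script should do when no such commit exists on the branch (a package's first release, or one whose history predates that commit convention); suggest stating that detection falls back to the current `latestTag` behaviour in that case so the baseline is always defined. The entry already lists the concrete regressions (#108, #115, `adfbc99` showing up in `nxz-cli@6.1.0`), so it could also name those as the acceptance check for the upstream fix.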
**Last merge:** PR #117 squash `2e3c25f` (2026-04-30) — `feat(nxz)`: `--memlimit-decompress` flag for CLI memory cap during decompression.
+
**Last release:**`nxz-cli@6.1.0` (release commit `ecff028`, npm published 2026-04-30) — first real feature minor since 6.0.0.
+
**Last audit:** opus pre-push SAFE-TO-PUSH on PR #117 cumulative (0 S/0 M/2 L). Codex (substituted for Copilot — quota out) caught 1 S decimal/precision elevation in R1 and 1 M test-import in R2 ; fix-rounds 1+2 resolved cleanly.
+
**Last story:**#26 — nxz `--memlimit-decompress` + 6.1.0 release — pivoted from metadata-only bump to real minor feature ; ~3h wall-clock incl. 2 fix-rounds + cross-LLM review.
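Review bot: `**Last release:**`nxz-cli@6.1.0`` and `**Last story:**#26` are missing the space after the closing `**`, unlike `**Last merge:** PR #117` and `**Last audit:** opus` in the same block; add the space so the four status labels render consistently.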
-- release-it (existing release.yml + .release-it.json) is retained for ([adfbc99](https://github.com/oorabona/node-liblzma/commit/adfbc99))
-
- capture tar-xz v6 redesign in CHANGELOGs + TODO.md ([9abd0a2](https://github.com/oorabona/node-liblzma/commit/9abd0a2))
-
- test fails on revert, passes on fix. ([b2c8a8c](https://github.com/oorabona/node-liblzma/commit/b2c8a8c))
+
-`--memlimit-decompress <SIZE>` CLI flag for capping decompression memory (#117) ([2e3c25f](https://github.com/oorabona/node-liblzma/commit/2e3c25f)). Accepts plain integer bytes, IEC binary suffixes (`KiB`, `MiB`, `GiB`, `TiB`), and SI decimal suffixes (`KB`, `MB`, `GB`, `TB`). Special values `0` and `max` (case-insensitive) explicitly mean "no limit". Throws `LZMAMemoryLimitError` and exits 1 when the limit is exceeded. Mirrors `xz` CLI semantics.
+
+
### Notes
+
Transitive benefits via `tar-xz@6.1.0` (peer dep, automatic for users on `^6.0.0`) :
+
-**True streaming** for `extract()` and `list()` — memory is now `O(largest single entry)` instead of `O(archive)` when extracting / listing large `.tar.xz` archives.
+
-**Win32 symlink-swap TOCTOU hardening** for `extract()` (JS-pure `'wx'`+retry fail-closed pattern).
+
-**Native `memlimit` parity** with WASM (now exposed via the new `--memlimit-decompress` flag above).
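Review bot: the Added line names only `0` and `max` as the explicit "no limit" values, while the Completed #26 entry in TODO.md describes all-zero forms such as `0MiB` as no-limit as well; align the CHANGELOG wording with the parser's behaviour (e.g. "`0`, a zero with any suffix such as `0MiB`, or `max`") so users reading only the CHANGELOG know what is accepted. The Notes line also introduces `tar-xz@6.1.0` as a "peer dep", whereas the commit message and the retired #26 TODO entry describe it as pulled in transitively via `^6.0.0`; pick one term, since npm resolves a peer dependency and a regular dependency differently.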