You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
Default to — files exceeding the limit are skipped at walk time, consistent with jscpd v4's behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
now correctly takes effect on every call (previously silently no-op'd after the first invocation)
Release v5.0.6
New Features
v4 config backward compatibility — fields , , , and are now read and applied, matching jscpd v4 behavior
and are now distinct: matches file-level globs, matches code-level regex patterns (previously conflated)
path config support — reads scan directories from the field, resolving relative paths against the config file's directory
npm wrapper package — publishes the same Rust binary under the name on npm with v5.x versioning
now matches v4 behavior: accepts optional integer value ( exits 1, exits 2); and are now independent
Performance improvements: memory-mapped file I/O (via ) eliminates heap copies of file contents; SIMD-accelerated line counting (via ); parallel detection pipeline uses to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @auterium, #808)
Bug Fixes
Fixed to match jscpd v4's behavior (was boolean, now optional integer)
Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)
Release v5.0.4
New Features
CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
Side-by-side blame comparison in console-full reporter
Clone list display in console reporter
Bug Fixes
HTML reporter now outputs jscpd-report.html at the output_dir root
Resolved all clippy warnings across workspace
Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())
Release v4.2.5
Bug Fixes
JSON reporter duplicate token counts — was always reported as in JSON output; now computed from token positions () (#801).
Gitignore parent-directory walk — files in parent directories up to the repo root are now read and combined with scan-directory files. Also reads and the global for full parity with Git's ignore resolution (#741).
Commander v15 migration — CLI option parsing migrated from direct property access (, etc.) to the API required by Commander v8+. The / flag handling was rewritten to use Commander's native negation support instead of inspection.
Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.
Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
--workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)
5.0.6
New Features
v4 config backward compatibility — .jscpd.json fields path, pattern, ignore, and ignorePattern are now read and applied, matching jscpd v4 behavior
ignore and ignorePattern are now distinct: ignore matches file-level globs, ignorePattern matches code-level regex patterns (previously conflated)
.jscpd.json path config support — reads scan directories from the path field, resolving relative paths against the config file's directory
jscpd npm wrapper package — publishes the same Rust binary under the jscpd name on npm with v5.x versioning
--exit-code now matches v4 behavior: accepts optional integer value (--exit-code exits 1, --exit-code 2 exits 2); --threshold and --exit-code are now independent
Performance improvements: memory-mapped file I/O (via memmap2) eliminates heap copies of file contents; SIMD-accelerated line counting (via memchr); parallel detection pipeline uses flat_map to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @auterium, #808)
Bug Fixes
Fixed --exit-code to match jscpd v4's --exitCode behavior (was boolean, now optional integer)
Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)
5.0.4
New Features
CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
Side-by-side blame comparison in console-full reporter
Clone list display in console reporter
Bug Fixes
HTML reporter now outputs jscpd-report.html at the output_dir root
Resolved all clippy warnings across workspace
Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())
5.0.3
New Features
Rust-based cpd CLI with full feature parity to TypeScript jscpd
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This major version bump to jscpd v5 introduces a Rust-based engine rewrite, which represents a significant architectural shift. While automated quality metrics remain stable, the PR lacks evidence that the new engine is compatible with the project's existing .jscpd.json configuration and ignore patterns. Additionally, the transition to a compiled binary may introduce OS-level dependencies (such as specific glibc versions) not previously required, which could break the current CI pipeline. Verification of the new engine's behavior in the project environment is recommended before merging.
About this PR
The upgrade from v4 to v5 is a major version change involving a complete rewrite of the core engine in Rust. While the release notes highlight backward compatibility, there are no tests or CI configuration changes in this PR to verify that the new engine correctly interprets the project's existing configuration or ignore patterns.
Test suggestions
Verify jscpd version update in package.json
Verify execution of jscpd scan with existing configuration to ensure backward compatibility
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify execution of jscpd scan with existing configuration to ensure backward compatibility
Low confidence findings
The transition to a Rust-based binary might introduce execution environment dependencies (e.g., glibc versions) that could impact existing CI/CD pipelines, which is not addressed in the PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Bumps jscpd from 4.2.4 to 5.0.7.
Release notes
Sourced from jscpd's releases.
Changelog
Sourced from jscpd's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)