Skip to content

build(deps): Bump jscpd from 4.2.4 to 5.0.8#62

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/jscpd-5.0.8
Closed

build(deps): Bump jscpd from 4.2.4 to 5.0.8#62
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/jscpd-5.0.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps jscpd from 4.2.4 to 5.0.8.

Release notes

Sourced from jscpd's releases.

Release v5.0.8

Bug Fixes

  • Prevent mmap exhaustion crashes when scanning repositories with more files than (default 131 072 on Linux). The walker previously held a live per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #813
  • Fix not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like gain a prefix to match at any depth. Fixes #811

Release v5.0.7

Bug Fixes

  • Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
  • Default to — files exceeding the limit are skipped at walk time, consistent with jscpd v4's behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
  • now correctly takes effect on every call (previously silently no-op'd after the first invocation)

Release v5.0.6

New Features

  • v4 config backward compatibility — fields , , , and are now read and applied, matching jscpd v4 behavior
  • and are now distinct: matches file-level globs, matches code-level regex patterns (previously conflated)
  • path config support — reads scan directories from the field, resolving relative paths against the config file's directory
  • npm wrapper package — publishes the same Rust binary under the name on npm with v5.x versioning
  • now matches v4 behavior: accepts optional integer value ( exits 1, exits 2); and are now independent
  • Performance improvements: memory-mapped file I/O (via ) eliminates heap copies of file contents; SIMD-accelerated line counting (via ); parallel detection pipeline uses to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #808)

Bug Fixes

  • Fixed to match jscpd v4's behavior (was boolean, now optional integer)
  • Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)

Release v5.0.4

New Features

  • CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
  • Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
  • Side-by-side blame comparison in console-full reporter
  • Clone list display in console reporter

Bug Fixes

  • HTML reporter now outputs jscpd-report.html at the output_dir root
  • Resolved all clippy warnings across workspace
  • Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

Release v4.2.5

Bug Fixes

  • JSON reporter duplicate token counts — was always reported as in JSON output; now computed from token positions () (#801).
  • Gitignore parent-directory walk — files in parent directories up to the repo root are now read and combined with scan-directory files. Also reads and the global for full parity with Git's ignore resolution (#741).

... (truncated)

Changelog

Sourced from jscpd's changelog.

5.0.8

Bug Fixes

  • Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #813
  • Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #811
  • Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

5.0.7

Bug Fixes

  • Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
  • Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
  • --workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)

5.0.6

New Features

  • v4 config backward compatibility — .jscpd.json fields path, pattern, ignore, and ignorePattern are now read and applied, matching jscpd v4 behavior
  • ignore and ignorePattern are now distinct: ignore matches file-level globs, ignorePattern matches code-level regex patterns (previously conflated)
  • .jscpd.json path config support — reads scan directories from the path field, resolving relative paths against the config file's directory
  • jscpd npm wrapper package — publishes the same Rust binary under the jscpd name on npm with v5.x versioning
  • --exit-code now matches v4 behavior: accepts optional integer value (--exit-code exits 1, --exit-code 2 exits 2); --threshold and --exit-code are now independent
  • Performance improvements: memory-mapped file I/O (via memmap2) eliminates heap copies of file contents; SIMD-accelerated line counting (via memchr); parallel detection pipeline uses flat_map to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #808)

Bug Fixes

  • Fixed --exit-code to match jscpd v4's --exitCode behavior (was boolean, now optional integer)
  • Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)

5.0.4

New Features

  • CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
  • Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
  • Side-by-side blame comparison in console-full reporter
  • Clone list display in console reporter

Bug Fixes

  • HTML reporter now outputs jscpd-report.html at the output_dir root

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): Bump jscpd from 4.2.4 to 5.0.8
252d062 
Bumps [jscpd](https://github.com/kucherenko/jscpd/tree/HEAD/rust/jscpd) from 4.2.4 to 5.0.8.
- [Release notes](https://github.com/kucherenko/jscpd/releases)
- [Changelog](https://github.com/kucherenko/jscpd/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kucherenko/jscpd/commits/v5.0.8/rust/jscpd)

---
updated-dependencies:
- dependency-name: jscpd
  dependency-version: 5.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot dependabot Bot mentioned this pull request Jun 19, 2026
Closed
github-actions[bot]
github-actions Bot approved these changes Jun 19, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dependabot merge

@codacy-production

codacy-production Bot commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric Results
Duplication 0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

codacy-production[bot]
codacy-production Bot reviewed Jun 19, 2026
View reviewed changes

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates jscpd from version 4.2.4 to 5.0.8. While the analysis shows the project remains up to standards, this is a major version increment that may introduce breaking changes in CLI behavior or configuration handling. Two specific improvements are required for the manifest: moving the tool to the appropriate dependency block and pinning its version for security. Verification is needed to ensure the new version does not negatively impact existing CI/CD pipelines.

About this PR

  • This is a major version bump (v4 to v5). While the release notes mention backward compatibility for configuration, major updates often introduce breaking changes in CLI output or API behavior that may affect CI pipelines. It is recommended to verify the output format and exit codes in a test environment before merging.

Test suggestions

  • Verify that jscpd execution completes successfully on the project codebase without crashes (e.g., mmap exhaustion or stack overflow fixed in v5).
  • Ensure that existing .jscpd.json configuration fields (path, pattern, ignore) are still respected by the new version.
  • Verify that the exit code behavior remains consistent with project expectations (v5.0.6 restored v4-like exit code behavior).
Prompt proposal for missing tests 
Consider implementing these tests if applicable:
1. Verify that jscpd execution completes successfully on the project codebase without crashes (e.g., mmap exhaustion or stack overflow fixed in v5).
2. Ensure that existing .jscpd.json configuration fields (path, pattern, ignore) are still respected by the new version.
3. Verify that the exit code behavior remains consistent with project expectations (v5.0.6 restored v4-like exit code behavior).

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

Comment thread package.json
"homepage": "https://github.com/codacy/codacy-duplication-jscpd#readme",
"dependencies": {
"jscpd": "^4.2.4"
"jscpd": "^5.0.8"

@codacy-production codacy-production Bot Jun 19, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

Suggestion: jscpd is a development/static analysis tool and should be moved from 'dependencies' to 'devDependencies' to avoid bloating the production environment. Additionally, it is safer to pin the dependency to an exact version (e.g., "5.0.8") instead of using a range like "^5.0.8" to ensure deterministic installs and mitigate risks of dependency hijacking.

Suggested change
"jscpd": "^5.0.8"
"jscpd": "5.0.8"

See Issue in Codacy

@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #63.

@dependabot dependabot Bot closed this Jun 22, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/jscpd-5.0.8 branch June 22, 2026 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes
+1 more reviewer
@codacy-production codacy-production[bot] codacy-production[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants