chore: version packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

deslop-cli@0.5.9

Patch Changes

• #936 ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.

  The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.

• Updated dependencies [ba2af1b, b69f4a7, a7ad969, 03b7a5f, 7f9e7f4]:

  • deslop-js@0.5.9

deslop-js@0.5.9

Patch Changes

• #936 ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.

  The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.

• #915 b69f4a7 Thanks @skoshx! - Fix false positives in Expo config plugin detection for package-name plugins and nested expo config

  Expo config plugins can be referenced by package name (not just local file paths) from app.json / app.config.*, but the collector dropped any plugin entry that didn't resolve to a local file — so packages referenced only as config plugins were reported as unused. The app.config.{js,ts} AST path also only matched a top-level plugins property and never descended into the standard { expo: { plugins: [...] } } shape (the JSON app.json path already read expo.plugins).

  Fixed by:

  • Tracking package-name plugins (e.g. @config-plugins/detox, @react-native-firebase/app) alongside local file-path plugins
  • Descending into the nested expo object in the config-object AST collector
  • Marking those package-name plugins as used in detectStalePackages (gated on the declared dependency set, so unrelated strings can't suppress real unused deps)

  Closes #914

• #971 a7ad969 Thanks @rayhanadev! - Fix deslop/unused-export false positive for namespace-imported components used in JSX

  A component referenced only through a namespace import in JSX —
  import * as S from "./style" then <S.Custom /> — was reported as an unused
  export. The usage walker recorded namespace member access in regular expressions
  (MemberExpression, e.g. S.helper()) but not in JSX (JSXMemberExpression),
  so a member used solely as <S.x /> was missed whenever the namespace had any
  other accessed member. Closes #875.

• #963 03b7a5f Thanks @skoshx! - Exclude TypeScript 6.x to fix bunx installation crash

  TypeScript 6.0.3 has an internal circular dependency with its Comparison enum
  that triggers a known Bun module loader bug, causing bunx react-doctor install
  to crash with "ReferenceError: Cannot access 'Comparison' before initialization".
  Narrow the dependency range to >=5.0.4 <6 until Bun fixes enum initialization
  order (see Importing enum inside of class is broken since 1.1.18 oven-sh/bun#12805).

  The constraint covers both react-doctor (whose CLI imports typescript at
  startup) and deslop-js (loaded by the dead-code scan, which can run under bun),
  so no published package pulls TypeScript 6.x into a consumer's install tree.

  npx continues to work because npm's resolver handles the circular dependency
  correctly. TypeScript 5.9.3 is stable and tested; TypeScript 6.x support will
  return once the upstream bug is resolved.

  Closes #962

• #916 7f9e7f4 Thanks @rayhanadev! - Rework unused-dependency detection to lean on real package metadata instead of hand-maintained whitelists.

  • Treat any installed dependency that ships a CLI binary as used. A package that declares a bin is routinely invoked outside what a static scan can see (Makefiles, CI, git hooks, ad-hoc npx), so it's no longer flagged just because no package.json script names the binary. Empty bin fields ("" / {}) don't count.
  • Drop the hardcoded fallback tables now that the bin/peer scans read real node_modules metadata: the binary→package map (CLI_BINARY_TO_PACKAGE + the babel/jest/remark fallbacks), the env-wrapper binary set, the static peer-dependency map, and the implicit-companion map. With dependencies installed (the normal scan condition) detection is unchanged — a package's real bin and peerDependencies cover what the tables used to hardcode.

  Trade-off: when scanning without node_modules, a CLI dependency whose binary name differs from its package name (e.g. vp → vite-plus) can no longer be resolved from scripts, and a few heuristic peer relationships that aren't declared peerDependencies (e.g. @hookform/resolvers → zod) are no longer inferred. The always-used lists for tooling that can't be detected statically (typescript, eslint, @types/*, eslint-plugin-*, …) are unchanged.

eslint-plugin-react-doctor@0.5.9

Patch Changes

• #936 ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.

  The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.

• #958 c72b560 Thanks @aidenybai! - Fix jsx-key's spread-overwrites-key check to key off the spread's position. A {...spread} can only clobber an explicit key when it appears after the key — the later attribute wins under the classic runtime ({ key, ...spread }) and React falls back to createElement under the automatic runtime, so the later spread wins there too. The rule now reports <App key="x" {...spread} /> (and the sandwiched <App {...a} key="x" {...b} />) and stays silent on <App {...spread} key="x" />, which previously produced a false positive. Spreads of object literals that provably carry no key (e.g. {...{}}, {...{ className }}) are never treated as overwriting.

• Updated dependencies [ba2af1b, c72b560, f69f216, 6339f71]:

  • oxlint-plugin-react-doctor@0.5.9

oxlint-plugin-react-doctor@0.5.9

Patch Changes

• #936 ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.

  The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.

• #958 c72b560 Thanks @aidenybai! - Fix jsx-key's spread-overwrites-key check to key off the spread's position. A {...spread} can only clobber an explicit key when it appears after the key — the later attribute wins under the classic runtime ({ key, ...spread }) and React falls back to createElement under the automatic runtime, so the later spread wins there too. The rule now reports <App key="x" {...spread} /> (and the sandwiched <App {...a} key="x" {...b} />) and stays silent on <App {...spread} key="x" />, which previously produced a false positive. Spreads of object literals that provably carry no key (e.g. {...{}}, {...{ className }}) are never treated as overwriting.

• #911 f69f216 Thanks @skoshx! - fix: reduce false positives in supabase-rls-policy-risk

  The rule now classifies each CREATE POLICY statement individually (over
  comment/string-sanitized SQL) instead of matching the whole file with one
  regex. A permissive using/with check (true) policy whose TO clause names
  only server-only roles (service_role, postgres, supabase_admin) is
  treated as hardening, not a public bypass — including two-clause FOR ALL /
  FOR UPDATE forms and all-server-only role lists that the previous
  negative-lookbehind missed. anon / authenticated (and a TO clause that
  mixes one in, or no TO clause at all → PUBLIC) stay flagged, since those are
  client-reachable via a JWT.

  auth.role() = 'service_role' checks inside policy bodies are still flagged
  (true runtime bypasses). The previous IF EXISTS suppression on DISABLE ROW LEVEL SECURITY was removed: it silently downgraded a real risk on live tables,
  and the dropped-table case it targeted needs cross-migration analysis — deferred
  with the issue's cross-migration class.

  Fixes #910

• #954 6339f71 Thanks @rayhanadev! - fix(rn-no-raw-text): report raw text by where it actually crashes, resolving imported wrappers across files

  The rn-no-raw-text rule reported raw text inside any element it couldn't prove was a text component — including a custom component imported from another file (e.g. a <MyButton> that wraps its label in <Text> internally), which produced false positives on the common "custom component that renders Text" pattern.

  The rule now anchors its report on where React Native actually crashes — a host boundary — and resolves imported components across files instead of guessing:

  • Raw text is reported inside a known host primitive (View, ScrollView, Pressable, the Touchable* family, Modal, …), a lowercase intrinsic, or an in-file component proven to forward its children into one.
  • A component imported from another first-party file (relative or tsconfig-alias) is resolved and classified the same way: one that wraps its children in <Text> is left alone, while one that renders them into a <View> is still reported — so genuine crashes inside imported wrappers are kept.
  • Components the resolver can't follow (node_modules, namespace imports, unanalyzable exports) are left unreported rather than assumed to crash; rawTextWrapperComponents / textComponents config still covers those.
  • React's structural <Fragment> / <React.Fragment> now counts as a transparent wrapper alongside fbtee's <fbt> / <fbs>, so an <fbt> nested under a <Fragment> inside a <Text> is no longer falsely flagged.

react-doctor@0.5.9

Patch Changes

• #936 ba2af1b Thanks @aidenybai! - Update the license to MIT with additional restrictions: the software may not be used as training, fine-tuning, or evaluation data for machine-learning models or AI systems, nor sold or resold as a commercial product or service (e.g. a paid API, SaaS, or hosted/managed service) whose value derives substantially from the software, without prior written permission (contact founders@million.dev). Each version's additional restrictions expire on the second anniversary of its release, after which that version is available under the standard MIT License (an FSL-style grant of future license). Each published package now ships its own up-to-date LICENSE file so the terms travel with the tarball.

  The react-doctor CLI also now prints a one-time notice (once per run) when it detects it is running inside an AI/ML training pipeline or agent sandbox, pointing to the license terms.

• #941 5774deb Thanks @rayhanadev! - Speed up cold scans and bound dead-code memory on multi-project workspaces.

  • Overlap the project security scan with the lint pass instead of running it synchronously beforehand. The content-regex security sweep (shipped artifacts, dotenv, SQL — files lint never parses) was the single heaviest CPU phase on real repos and blocked the event loop the whole time. It now runs on a cooperative background fiber that yields between file chunks, so its cost hides under the subprocess-bound lint pass and stops starving a multi-project scan's concurrent git/network work. Cold scans are measurably faster (~30% on a mid-size project and workspace in local benchmarks); diagnostics are byte-identical.
  • Cap concurrent dead-code (deslop) workers by a memory budget so a multi-project scan can't oversubscribe memory with many simultaneous worker processes on a small CI runner. On a roomy machine the cap exceeds the project count, so nothing serializes and scan time is unchanged.

• #929 5f2bd72 Thanks @skoshx! - fix: validate string array config fields (projects, textComponents, etc.)

  Non-string entries in config.projects caused selectProjects to crash with requestedName.trim is not a function. The validator now filters non-string entries from projects, textComponents, rawTextWrapperComponents, and serverAuthFunctionNames with warnings instead of crashing.

  Fixes #921 (Sentry REACT-DOCTOR-1R)

• #940 441e6af Thanks @rayhanadev! - Stop a scan from crashing when a git subprocess fails synchronously (fixes REACT-DOCTOR-1E, REACT-DOCTOR-1P, REACT-DOCTOR-20). Unlike a missing binary (ENOENT, which arrives on the catchable 'error' event), child_process.spawn throws synchronously when the working directory isn't a directory (ENOTDIR) or the argument list exceeds the OS command-line limit (ENAMETOOLONG — e.g. --scope lines on a 1,000+-file diff on Windows). That throw escaped Effect's error channel entirely and took down the whole scan (reported to Sentry as a raw spawn error). The git runner now pre-flights both conditions and fails on its normal channel, so the existing fallbacks recover instead: a bad working directory degrades like an unavailable git, and an over-long --scope lines diff degrades to file-level scope.

• #966 bd0f465 Thanks @skoshx! - Fix Cursor agent handoff on Windows. Cursor installs its CLI as a PowerShell-wrapped .cmd that Node's spawn() cannot execute without shell: true (which would mangle the multi-line handoff prompt). The launcher now resolves Cursor's bundled node.exe + index.js under %LOCALAPPDATA%\cursor-agent\versions\<latest>\ and spawns it directly — preserving argv integrity and bypassing the PowerShell hop. Closes #964.

• #974 b6d1a87 Thanks @rayhanadev! - Show staged findings in the pre-commit hook instead of swallowing them

  The generated pre-commit hook captured react-doctor's output to a temp file and
  deleted it before printing, so a failing scan showed only a generic "found
  staged regressions" notice — never the actual findings (#969). The hook now
  writes the scan output to stderr before cleanup, in both the raw hook and the
  hook-manager command. It stays non-blocking by design (the commit still
  proceeds); the diagnostics are simply visible now so you know what to fix.

• #963 03b7a5f Thanks @skoshx! - Exclude TypeScript 6.x to fix bunx installation crash

  TypeScript 6.0.3 has an internal circular dependency with its Comparison enum
  that triggers a known Bun module loader bug, causing bunx react-doctor install
  to crash with "ReferenceError: Cannot access 'Comparison' before initialization".
  Narrow the dependency range to >=5.0.4 <6 until Bun fixes enum initialization
  order (see Importing enum inside of class is broken since 1.1.18 oven-sh/bun#12805).

  The constraint covers both react-doctor (whose CLI imports typescript at
  startup) and deslop-js (loaded by the dead-code scan, which can run under bun),
  so no published package pulls TypeScript 6.x into a consumer's install tree.

  npx continues to work because npm's resolver handles the circular dependency
  correctly. TypeScript 5.9.3 is stable and tested; TypeScript 6.x support will
  return once the upstream bug is resolved.

  Closes #962

• #934 970babc Thanks @skoshx! - Fix --project resolution when scanning from within a project directory whose basename matches the requested project name.

  When running react-doctor from a subdirectory (e.g., apps/website) and passing --project website, the CLI now correctly recognizes that the current directory is the requested project instead of failing with "Project 'website' is not a directory under /path/to/apps/website."

  This affects users who scan a single (non-workspace) project directory and pass that directory's own name as the project — e.g. directory: apps/website together with --project website (or projects: ["website"] in config). The * ("all projects") default is unaffected: it short-circuits to the root directory and never goes through name resolution.

• #938 229ea2e Thanks @skoshx! - fix(staged): log warning when getStagedSourceFiles encounters git errors

  When git commands fail (missing git binary, corrupted repo, permission errors), getStagedSourceFiles now logs a warning message showing the error instead of silently returning an empty array. This makes --staged failures much easier to debug while still gracefully degrading.

• #957 5893a56 Thanks @skoshx! - Fix mojibake (ÔÇö, ×) in CLI output on Windows. The console was decoding
  react-doctor's UTF-8 bytes with a non-UTF-8 code page (CP-850/437 in cmd.exe),
  so —, ×, ›, and box-drawing rendered as garbage — including in VS Code's
  terminal. Switch the Windows console to UTF-8 (code page 65001) once at CLI
  startup (console-only, best-effort), which fixes every glyph at the source
  rather than swapping individual characters for ASCII. Closes #956.

• #967 43267da Thanks @skoshx! - Install agent hooks (Cursor, Claude Code) as a Node .mjs runner invoked via node instead of a #!/bin/sh script, so they run on Windows without Git Bash/WSL/Cygwin. Closes #965.

• #930 ea4d9af Thanks @skoshx! - Degrade gracefully when git is unavailable or diff base ref is missing (fixes REACT-DOCTOR-F, REACT-DOCTOR-1K, REACT-DOCTOR-14, REACT-DOCTOR-22). CI containers without git installed and shallow clones missing the diff base ref now fall back to a full scan with a clear warning instead of crashing and reporting to Sentry.

• #926 b8188e0 Thanks @skoshx! - Fix react-doctor install crashes on pre-existing malformed/conflicting agent config. The install command now handles three user-environment failure modes gracefully with clear error messages instead of unhandled exceptions:

  1. Malformed JSON in ~/.claude/settings.json or ~/.cursor/hooks.json (REACT-DOCTOR-25)
  2. Directory path blocked by an existing file at ~/.claude/skills or parent paths (REACT-DOCTOR-17)
  3. Permission denied when target directories aren't writable (REACT-DOCTOR-1A)

  These errors are now treated as expected user-environment conditions (not react-doctor bugs) and surface actionable messages without Sentry reports.

• #939 986557d Thanks @rayhanadev! - Align react-doctor install's agent selection with the Vercel skills CLI so it stops scattering skill directories across your project. The prompt previously detected every agent with a config dir anywhere in $HOME (~/.codebuddy, ~/.crush, ~/.goose, ~/.kilocode, …) and pre-selected all of them, so a single Enter copied .codebuddy/, .crush/, .goose/, … into the project root.

  Now, following that CLI's heuristic, the default selection is:

  • your remembered last pick (persisted globally, like skills' lastSelectedAgents lock), else
  • a small curated set of popular agents (claude-code, cursor, codex, opencode), else
  • a lone detected agent when that's the only one — and otherwise nothing, so you make a deliberate choice.

  Every detected agent is still shown so the rest are one keystroke away; they're just no longer pre-checked. A non-interactive run (--yes / CI) still installs to all detected agents, matching skills' --yes.

• #947 05cafc6 Thanks @skoshx! - Add --json-out <path> flag to write JSON reports to a file instead of stdout

• #944 0c19858 Thanks @rayhanadev! - Organize the per-scan Sentry "wide event" under dotted namespaces. The root-span attributes had accreted into a flat, half-namespaced set (~50 keys, most bare); each now carries a namespace matching its concept — scan.* (config + scan.fileCount), action.* (CI/action knobs), outcome.* (verdict), diag.* (findings), score.*, lint.*, deadCode.*, supplyChain.*, timing.* — alongside the already-namespaced migration.*/baseline.*. Applied via a single withNamespace helper so the prefix lives in one place instead of being hand-spelled per key. Pure rename: value types are preserved (numbers stay numeric so p75/avg keep working) and the keys stay filter-/group-/aggregate-able in Sentry's Spans dataset. Run/project base tags and all metrics are unchanged.

• #917 7a673d2 Thanks @rayhanadev! - Remember the post-scan "What would you like to do next?" pick. The interactive handoff prompt now pre-selects whatever the user chose last (an agent, "copy to clipboard", or "skip"), so the common "always hand off to the same agent" path is a single Enter. The choice is remembered per user in the existing CLI state file via a new Preference lifecycle primitive; a remembered agent that's since been uninstalled falls back to highlighting the first option, and pressing Esc leaves the prior preference untouched.

• #928 734c564 Thanks @skoshx! - Stop reporting unactionable environment errors to Sentry. A narrow set of filesystem conditions react-doctor cannot fix — a full disk (ENOSPC), a failing or read-only disk (EIO/EROFS), denied permissions (EACCES/EPERM), a path blocked by a file (ENOTDIR), or a missing binary (spawn … ENOENT) — now exit cleanly with an actionable message instead of crashing with a stack trace and appearing as product defects in Sentry. The set is deliberately narrow: codes that usually indicate a react-doctor bug (a missing file we expected, or an over-long argv such as ENAMETOOLONG) keep reaching Sentry. A low-cardinality cli.env_error metric, keyed by code, tracks how often these occur without inflating the crash dashboard. Closes REACT-DOCTOR-13, REACT-DOCTOR-1V, REACT-DOCTOR-24.

• Updated dependencies [ba2af1b, b69f4a7, a7ad969, 03b7a5f, c72b560, f69f216, 6339f71, 7f9e7f4]:

  • oxlint-plugin-react-doctor@0.5.9
  • deslop-js@0.5.9

@react-doctor/api@0.5.9

Patch Changes

• Updated dependencies [99f2417, 5f2bd72, 441e6af, fff9466, c2ce298, ea4d9af]:
  • @react-doctor/core@0.5.9

@react-doctor/core@0.5.9

Patch Changes

• #973 99f2417 Thanks @rayhanadev! - Add runtimeGlobals config to silence jsx-no-undef false positives for runtime-injected identifiers

  jsx-no-undef is a single-file rule, so it flags capitalized JSX identifiers
  that are provided at runtime rather than imported in the file — react-live's
  <LiveProvider scope={...}>, Storybook globals, MDX live blocks, or an ambient
  declare global in a separate .d.ts. List those names in the new
  runtimeGlobals config array and jsx-no-undef treats them as known. Opt-in —
  an empty/absent list leaves behavior unchanged.

  Closes #959

• #929 5f2bd72 Thanks @skoshx! - fix: validate string array config fields (projects, textComponents, etc.)

  Non-string entries in config.projects caused selectProjects to crash with requestedName.trim is not a function. The validator now filters non-string entries from projects, textComponents, rawTextWrapperComponents, and serverAuthFunctionNames with warnings instead of crashing.

  Fixes #921 (Sentry REACT-DOCTOR-1R)

• #940 441e6af Thanks @rayhanadev! - Stop a scan from crashing when a git subprocess fails synchronously (fixes REACT-DOCTOR-1E, REACT-DOCTOR-1P, REACT-DOCTOR-20). Unlike a missing binary (ENOENT, which arrives on the catchable 'error' event), child_process.spawn throws synchronously when the working directory isn't a directory (ENOTDIR) or the argument list exceeds the OS command-line limit (ENAMETOOLONG — e.g. --scope lines on a 1,000+-file diff on Windows). That throw escaped Effect's error channel entirely and took down the whole scan (reported to Sentry as a raw spawn error). The git runner now pre-flights both conditions and fails on its normal channel, so the existing fallbacks recover instead: a bad working directory degrades like an unavailable git, and an over-long --scope lines diff degrades to file-level scope.

• #972 fff9466 Thanks @rayhanadev! - Stop react-doctor from flagging its own toolchain as an unused dependency

  After react-doctor install — especially via bunx, where react-doctor is
  declared in package.json but never materialized in node_modules — a scan
  reported react-doctor itself as an unused devDependency. It's used via the CLI,
  git hooks, CI, and the agent skill (never imported in source), so the dead-code
  import graph can't see it, and deslop's "ships a binary → used" heuristic can't
  read its bin when it isn't installed. The dead-code pass now never reports
  react-doctor's own CLI / plugin packages (react-doctor,
  eslint-plugin-react-doctor, oxlint-plugin-react-doctor) as unused.

  Closes #961

• #927 c2ce298 Thanks @skoshx! - Fix crash when disable comments contain Object.prototype keys (constructor, toString, valueOf, etc.)

  Resolves REACT-DOCTOR-1Y and fixes #920.

  The suppression near-miss detector would crash with TypeError: bareRuleKey.includes is not a function when an eslint-disable or oxlint-disable comment contained a token matching an Object.prototype member name. Indexing the LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY lookup map with such a token returned an inherited method (which the ?? fallback let through), so canonicalizeRuleKey now guards the lookup with a typeof check and only treats the result as an alias when it is a string.

• #930 ea4d9af Thanks @skoshx! - Degrade gracefully when git is unavailable or diff base ref is missing (fixes REACT-DOCTOR-F, REACT-DOCTOR-1K, REACT-DOCTOR-14, REACT-DOCTOR-22). CI containers without git installed and shallow clones missing the diff base ref now fall back to a full scan with a clear warning instead of crashing and reporting to Sentry.

• Updated dependencies [ba2af1b, b69f4a7, a7ad969, 03b7a5f, c72b560, f69f216, 6339f71, 7f9e7f4]:

  • oxlint-plugin-react-doctor@0.5.9
  • deslop-js@0.5.9

@react-doctor/language-server@0.5.9

Patch Changes

• Updated dependencies [99f2417, 5f2bd72, 441e6af, fff9466, c2ce298, ea4d9af]:
  • @react-doctor/core@0.5.9

---

Note

Low Risk
Release bookkeeping only (version bumps, changelogs, deleted changesets); runtime changes were reviewed in prior PRs.

Overview
Changesets release PR that bumps the monorepo from 0.5.8 → 0.5.9, removes consumed .changeset/* entries, and rolls accumulated patch notes into each package CHANGELOG.md and package.json.

No new application source in this diff — merging triggers npm publish for the already-landed work. Highlights now tagged 0.5.9:

License & distribution: MIT with AI/commercial-use restrictions (FSL-style future MIT grant); per-package LICENSE in tarballs; CLI one-time notice in AI/ML sandboxes.

CLI (react-doctor): Faster cold scans (security scan overlaps lint); dead-code worker memory cap; --json-out; namespaced Sentry telemetry; remembered handoff/install agent picks; Windows UTF-8 console, Cursor handoff, Node .mjs hooks; graceful git/env/install handling; pre-commit shows staged findings; TypeScript pinned <6 for bunx.

Core: runtimeGlobals config; config array validation; git spawn preflight; self-toolchain excluded from unused-deps; Object.prototype disable-comment crash fix.

Rules / deslop: jsx-key spread position; rn-no-raw-text cross-file resolution; Supabase RLS false-positive fixes; Expo config-plugin unused-dep fixes; namespace JSX unused-export fix; metadata-based unused dependency detection.

^{Reviewed by Cursor Bugbot for commit e57763a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/eslint-plugin-react-doctor@918

npm i https://pkg.pr.new/oxlint-plugin-react-doctor@918

npm i https://pkg.pr.new/react-doctor@918

commit: f3a3aeb