Releases: jdutton/vibe-validate
Release list
Release v0.19.6
Fixed
-
vv pre-commitno longer blocks legitimate post-rebase commits. Aftergit pull --rebaseor a rebase against an updated base, your local branch is "diverged" from its tracking branch — both ahead and behind. The old check treated that state as "behind" and blocked the commit with an unhelpful error.pre-commitnow distinguishes "purely behind" (legitimate stop — you're missing remote commits) from "diverged" (post-rebase shape — pass with an informational notice), and short-circuits the sync check entirely during a mid-flight rebase, mirroring the existing mid-merge handling. (#160) -
vibe-validateworks under pnpm strict isolation. The umbrella package's bin wrappers (vibe-validate,vv) used a hardcoded relative path to locate@vibe-validate/cli, which only resolves under flat-hoistednode_modules(npm classic, bun, yarn classic). Under pnpm's default strict isolation (node-linker=isolated),@vibe-validate/cliis a sibling ofvibe-validateinside.pnpm/<id>/node_modules/rather than nested, so every CLI command crashed withERR_MODULE_NOT_FOUND. The wrappers now resolve the CLI via Node's module algorithm (createRequire), which works under every layout: npm flat, pnpm isolated, yarn berry PnP, and bun. (#161)
Release v0.19.5
Added
- Nested
vv runpass-through — When apackage.jsonscript wraps a tool withvibe-validate runand is invoked fromvibe-validate validate, the innervv runnow switches automatically to pass-through mode: it inherits the parent's stdio, propagates the exit code, and skips its own capture/extract/cache. The outer captures the real underlying tool's output (vitest, eslint, etc.) instead of an inner YAML summary, so error extraction runs on actual data andvv watch-prcan recover failures from CI logs. A depth cap of 3 fails loudly on recursive misconfiguration. Signaled via the newVV_PARENT_CONTEXTenvironment variable, set automatically by the parent. vv doctornested-invocation reporting — Doctor now reportsRunning inside parent vibe-validate (runId=…, depth=N, step="…")when invoked under a parent vv process, and fails loudly whenVV_PARENT_CONTEXTis set but malformed.
Changed
generate-workflow— Generated workflows now usepnpm/action-setup@v5(upgraded fromv2). Existing users should re-runvv generate-workflowto pick up the new version and silence Node.js 20 deprecation warnings in CI.- Per-step
env:is now actually applied to step subprocesses. The field was declared in theValidationStepschema but silently dropped at execution time. Per-stepenv:takes precedence over config-levelenv:. (#157)
Fixed
-
Prevent silent corruption of the parent repository when validation steps shell out to
git. (#157)When vv runs as a git pre-commit hook, git sets
GIT_DIR,GIT_INDEX_FILE,GIT_WORK_TREE, and related vars on the hook process. These vars were inherited by every subprocess vv spawned, including multi-process step chains likenpm run test → vitest → fork(worker). Inside those subprocesses,GIT_*vars override thecwdpassed to git — so a validation step (typically a test) that creates a temp git repo withmkdtempSync+cwd: <tmpdir>and runsgit init/git commit/git configwould silently operate on the parent repository's.git/indexand branch refs instead.vv now strips a focused blacklist of dangerous
GIT_*env vars at two layers: (1) the runner adapter strips them when snapshottingprocess.envinto the runner config, and (2)spawnCommandstrips them from the final merged spawn env (parent ∪ caller-provided), so no caller can accidentally re-inject one viaoptions.env. Together this guarantees no dangerousGIT_*reaches a step subprocess or anything it spawns. Everything elseGIT_*(identity, editor, SSH/credentials, tracing, pager) is inherited normally.Stripped:
GIT_DIR,GIT_INDEX_FILE,GIT_WORK_TREE,GIT_COMMON_DIR,GIT_OBJECT_DIRECTORY,GIT_ALTERNATE_OBJECT_DIRECTORIES,GIT_NAMESPACE,GIT_CEILING_DIRECTORIES,GIT_DISCOVERY_ACROSS_FILESYSTEM,GIT_CONFIG,GIT_CONFIG_GLOBAL,GIT_CONFIG_SYSTEM,GIT_CONFIG_NOSYSTEM,GIT_CONFIG_COUNT, all numberedGIT_CONFIG_KEY_*/GIT_CONFIG_VALUE_*,GIT_NOTES_REF,GIT_SHALLOW_FILE,GIT_GRAFT_FILE.This is not a regression — the risk has existed since vv first supported the pre-commit-hook workflow. This release closes the gap.
Who was at risk: any repository where (1)
vvruns as a git pre-commit hook, AND (2) a validation step shells out togitagainst a temp directory (commonly tests for tooling that itself wraps git — release orchestrators, scaffolders, plugin generators). The vast majority of validation steps (lint, typecheck, build, unit tests that don't touch git) were unaffected.Failure mode if hit: branch refs in the parent worktree get rewritten to test commits,
.git/configmay get test author identity written to it, and the user's real commits survive only in the reflog. The corruption is silent — no error is raised.See
docs/skills/vibe-validate/git-hook-safety.mdfor details and the per-step opt-back-in mechanism.
Release v0.19.4
Changed
- Claude Code skill — Split the monolithic
vibe-validateskill into a thin router plus seven intent-scoped sub-skills (vv-validate-dev-loop,setting-up-projects,caching-and-locking,recovering-work,authoring-extractors,vv-watch-pr,integrating-agents). Adopters get more focused guidance and smaller context loads; the plugin now follows the VAT 0.1.33 router pattern. generate-workflow— Generated workflows now useactions/checkout@v6andactions/setup-node@v6(upgraded fromv4). Existing users should re-runvv generate-workflowto pick up the new versions.vibe-agent-toolkitdependency — Bumped to^0.1.33(stable).
Fixed
- Code duplication check on Windows —
pnpm duplication-checknow runs on Windows instead of silently skipping. Fixed a path-handling bug in@jscpd/findervia a pnpm patch and normalized path separators in baseline comparison. - Windows Node 24+ compatibility (
@vibe-validate/utils) —safeExecSync/safeExecResultnow build a single shell-quoted command string when invoking.cmd/.bat/.ps1wrappers, instead of passing args as a separate array withshell: true. Silences Node.jsDEP0190deprecation warnings on Windows CI and future-proofs against the eventual hard error. watch-pr --fail-fast— Now exits on first failure extraction instead of waiting for all failures, matching the documented "exit immediately" behavior.
Release v0.19.3
Fixed
- Claude marketplace CI — Stable releases now update both
claude-marketplaceandclaude-marketplace-nextbranches, matching npm's@latest/@nexttag behavior
Changed
- README — Added Claude Code plugin install instructions (marketplace,
/pluginslash command, project-scope)
Release v0.19.2
Added
- Claude marketplace distribution — Users can now install the vibe-validate skill directly from GitHub via
claude plugin marketplace add jdutton/vibe-validate#claude-marketplace, no npm account required. Pre-release channel available viaclaude-marketplace-nextbranch.
Release v0.19.1
Added
ci.registryUrlconfig — Setregistry-urlonactions/setup-nodefor GitHub Packages authentication in generated workflowsci.envconfig — Add workflow-level environment variables (e.g.,NODE_AUTH_TOKEN) to generated workflowsci.permissionsconfig — Add GitHub Actionspermissions:block to generated workflows for scoped token accessci.concurrencyconfig — Addconcurrency:block to cancel in-progress CI runs on new pushesci.setupStepsconfig — Inject custom GitHub Actions steps (e.g.,actions/setup-dotnet, Chrome install) after checkout in generated workflowsrunScopestep property — SetrunScope: ciorrunScope: localon validation steps to control where they run. CI-only steps are skipped locally (shown as "skipped"), local-only steps are skipped in CI.
Changed
- Skill distribution migrated to vibe-agent-toolkit plugin system — Skills now install as Claude Code plugins via
~/.claude/plugins/instead of flat files at~/.claude/skills/. Upgrading from older versions automatically cleans up the legacy flat-skill install.
Fixed
generate-workflowhardening —ci.permissionsandci.envare now applied to thevalidateandcoveragejobs instead of at workflow level, so theall-validation-passedgate job no longer inherits unnecessary access (resolves SonarQube workflow-level permissions flag).contents: readis auto-injected whenci.permissionsis set, since job-level permissions replace all defaults andactions/checkoutalways needs it. Also fixed check script indentation and build step auto-detection (no longer matches on step name substring — checkspackage.jsonfor abuildscript instead).watch-prcrashes on repos with non-main default branch —fetchFileChangeshardcodedorigin/mainfor git diff, causing failures on repos usingmaster,develop, or other base branches. Now uses the PR's actual base branch from GitHub metadata.
Release v0.19.0
Breaking Changes
- CI workflow generation now uses a single validate job. Run
npx vibe-validate generate-workflowto regenerate your workflow file. TheuseMatrixoption has been removed. - Cached failures are now returned instantly.
vv validatereturns the last cached result for the current tree hash, even if it failed — no more redundant re-runs. Use--forceto bypass cache when needed. - TreeHashResult structure simplified for projects with submodules. Projects without submodules are unaffected. See Migration Guide below.
Added
--retry-failedflag — Re-runs only failed validation steps while preserving passed results from cache. Detects and reports flaky tests when retried steps pass. Usage:vv validate --retry-failed- Dependency lock check — Verifies lock files are in sync before validation to prevent cache poisoning. Auto-detects your package manager (npm, pnpm, yarn, bun). Configure via
ci.dependencyLockCheck.runOn. watch-primprovements:- Errors extracted and displayed immediately as CI checks fail (no waiting for final output)
- Log files saved with paths included in YAML output for easy follow-up
VV_TEMP_DIRenvironment variable — Override the default temp directory for project-local storage, CI builds, or network storage- Flakiness detection — Warns when the same code produces different validation outcomes across runs
Performance
- 19x faster pre-commit secret scanning — secretlint now scans only staged files (15s → 0.8s). Zero configuration required.
- 10x faster ESLint — Caching enabled automatically (18s → 1.8s on warm runs)
- Instant cached validation — History health checks and git notes listing optimized from hundreds of subprocess calls to single batch operations
- Flattened temp directory structure — Reduces permission prompts in AI coding assistants to one approval per day
Changed
- Cache messaging improved — Results displayed authoritatively ("Validation failed for this code") instead of defensive language ("Cached result: ...") that caused AI assistants to doubt cache validity
watch-prdefault timeout reduced from 30 minutes to 10 minutes. Override with--timeout.watch-proutput optimized — Stripped internal metadata to reduce token usage (~30-50 tokens saved per failed check)
Fixed
- Validation now always runs from project root, regardless of which subdirectory you invoke
vv validatefrom - Git submodule cache invalidation — Changes in submodule working trees now correctly invalidate the cache
- Git notes storage fixed for submodules — Notes now store structured data instead of composite hashes that were incompatible with Git's SHA-1 object references
- Validation history recording — Fixed bug where
vv validate --forceon the same tree hash would silently fail to record history watch-pr --fail-fastnow waits for error extraction to complete before exiting
Migration Guide
Projects with submodules:
- Cache entries from v0.18.x are incompatible — first validation after upgrade will be a fresh run
- Subsequent runs use the new cache format automatically
Projects without submodules:
- Fully backward compatible, no action required
v0.18.4
Bug Fixes
- Fixed validation locking race condition in pre-commit (Issue #110)
- Migrated to proper-lockfile for 99.9% reliable locking
- Prevents concurrent validation runs from interfering
- Fixed worktree corruption in git integration tests
- Windows compatibility: removed Unix-specific
findcommand (PR #108)- Build commands now work cross-platform
- Shift-left CHANGELOG validation to prevent publish failures
- Added Check 11 to pre-publish-check: validates CHANGELOG.md has entry for current version
- Prevents npm publish success followed by GitHub Release failure
- Skips check in development mode (
--skip-git-checks) for workflow flexibility
Internal
- Turborepo integration for 79x faster cached builds (PR #108)
- Cold build: 5.3s → Cached build: 67ms (79x speedup)
- Intelligent content-based caching with parallel execution
- Clean architecture: vibe-validate → turbo → tool
- Error extraction works automatically through Turbo output
- See
docs/comparisons/turborepo.mdfor detailed comparison
- Refactored dev tools to symmetric monorepo structure (PR #112)
- Moved tools/ to packages/dev-tools/ for consistency with other packages
- Enhanced pre-publish-check with 11 validation checks (up from 10)
- Added --skip-git-checks flag to prevent circular dependencies
- Reduced code duplication by 70% (4.73% → 0.86%)
- Added comprehensive ESLint rules for code quality (custom rules for security and architecture enforcement)
Release v0.18.3
Bug Fixes
- CRITICAL: Fixed history recording failure due to YAML/JSON format mismatch (Issue #106, PR #107)
- Problem: History recording failed silently when validating the same code twice, losing all previous runs
- Root cause:
mergeNotes()used JSON.parse/stringify but notes are written as YAML - Impact: Affected v0.18.1 and v0.18.2-rc.1 (Dec 28 - Jan 5)
- Fix: Replace JSON operations with YAML operations in git notes merge logic
- Testing: Added regression test "should merge YAML-formatted notes correctly"
- Users can now validate the same code multiple times without losing history
Release v0.18.2
Bug Fixes
- Complete atomic safety for concurrent worktrees (Issue #103, PR #105)
- Implemented true atomic compare-and-swap (CAS) operations for git notes merge
- Eliminates race condition from PR #104's optimistic locking approach
- Uses git plumbing commands (hash-object, ls-tree, mktree, commit-tree, update-ref)
- Guarantees zero data loss under any concurrency level
- 7 git commands per conflict vs 3 (acceptable trade-off for 100% safety)