Skip to content

ci: bump fallow-rs/fallow from 2.101.0 to 3.2.0#139

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/fallow-rs/fallow-3.2.0
Open

ci: bump fallow-rs/fallow from 2.101.0 to 3.2.0#139
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/fallow-rs/fallow-3.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown

Bumps fallow-rs/fallow from 2.101.0 to 3.2.0.

Release notes

Sourced from fallow-rs/fallow's releases.

v3.2.0: configurable large-function threshold, surfaced in the health summary

Health: a configurable "function too big" threshold, surfaced in the summary

This release makes the unit-size (large-function) check configurable and reports the effective ceiling in the health output.

health.maxUnitSize: raise the large-function bar instead of switching it off

The line count at which a function is reported as an oversized "large function" was hardcoded to 60 LOC. That made test suites noisy: a describe() callback spans hundreds of lines, and each large it() body trips the threshold too. The only escape was health.ignore, which drops every health signal (complexity, CRAP, hotspots) for those files, so you lost complexity checking on your test code as well.

You can now raise the bar rather than turning it off:

  • Set a global health.maxUnitSize (default 60).
  • Or scope it to a glob with a per-file thresholdOverrides entry, for example { "files": ["**/*.test.*"], "maxUnitSize": 500 }. Leave functions empty so the override covers both the describe() wrapper and the individual it() blocks.

Complexity, cognitive, and CRAP findings on those files are unchanged. Like the existing maxCyclomatic / maxCognitive / maxCrap overrides, this filters the reported "large functions" list; the descriptive unit-size profile and the health score still reflect raw sizes (use health.ignore to remove a file from the score entirely). Resolved thresholds are inspectable via fallow config. Thanks @​digulla for the request. (Closes #1731)

The health JSON summary reports the effective unit-size threshold

The summary block on fallow health --format json already carried max_cyclomatic_threshold, max_cognitive_threshold, and max_crap_threshold, but not a unit-size sibling, so a consumer reading the summary to learn which thresholds a run uses saw only three of the four. It now also carries max_unit_size_threshold (the effective global health.maxUnitSize, default 60). The human report's "Large functions" section reflects the configured global instead of a static "60" when health.maxUnitSize is raised project-wide. This is an additive-required field matching the existing max*Threshold siblings; no change to the unit-size check itself. (Closes #1750)

Other changes

  • Reuse the audit analysis context in the programmatic API path for less redundant work per run.
  • Benchmark-harness coverage and CI sharding improvements (internal).

Full Changelog: fallow-rs/fallow@v3.1.0...v3.2.0

v3.1.0: dev-dependency-in-production rule, member tracing, conditional dynamic imports

Features

New rule: dev-dependency-in-production

The promote-side mirror of test-only-dependency and type-only-dependency. A package in devDependencies that a production (non-test, non-config) file imports at runtime is flagged so you can promote it to dependencies, because pnpm install --prod omits devDependencies and the import breaks in production.

Only imports from files reachable from a runtime entry point count as evidence, so repo tooling (scripts/, benchmarks, rollup-config chains) does not trigger it, and workspace-owned files are governed by their own manifest. Type-only production imports are not flagged, and a package also present in dependencies / peerDependencies / optionalDependencies is left alone. Defaults to warn; suppress a package via ignoreDependencies. Surfaces in human, JSON, SARIF, Code Climate, compact, and markdown output, in fallow explain, and as an LSP diagnostic.

Thanks @​CallumHoward for the implementation.

Trace tooling now covers class, enum, and store members

fallow dead-code --trace FILE:MEMBER previously errored export 'X' not found when pointed at a class member, so a member finding could not be debugged from the trace tool. On an export miss the trace now falls back to a member trace that names the owning class, reports its reachability and usage, lists who imports it, and points at the right --unused-class-members inspection command. The MCP trace_export tool and Code Mode return the same member trace in-process, so AI agents get parity with the CLI. Trace not-found errors across trace_export / trace_file / trace_clone now carry an actionable help pointer to the right discovery tool.

Bug fixes

Conditional and logical dynamic imports are now traced

import(cond ? './a' : './b') and import(x || './b') previously produced no module-graph edge, so every file reachable only through such an import (and its whole transitive subtree) was falsely reported as unused-files / unused-exports. Extraction now emits one edge per statically-resolvable branch, including parenthesized and no-substitution template forms, across all dynamic-import shapes: bare expressions, const x = await import(...) declarations, .then() callbacks, React.lazy / next/dynamic arrow wrappers, and Angular/Vue route loadComponent / component callbacks. Genuinely runtime arguments (import(someVar)) still yield no edge, and repeated literals across branches deduplicate to a single edge.

Thanks @​Jerc92 for the contribution.

... (truncated)

Changelog

Sourced from fallow-rs/fallow's changelog.

Changelog

All notable changes to fallow are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • fallow plugin-check: a read-only dry-run that makes external-plugin authoring verifiable for agents. Authoring a fallow-plugin-*.jsonc (and especially a manifestEntries rule) previously gave feedback only as tracing::warn! on stderr, invisible to anything parsing --format json. fallow plugin-check [--format json] now reports, per external plugin, whether it ACTIVATED (with the unmet detection/enabler requirement when it did not, so a plugin that never activates is no longer silent), and for active plugins with manifestEntries the per-rule result: the manifests it matched, each manifest's when-gate pass/fail, the entries it seeded (each with a path_exists flag), and typed warnings[] (manifests-matched-none, when-excluded-all, field-path-unresolved, entries-empty, manifest-parse-failed, entry-outside-root, seeded-paths-missing). Output is deterministic (sorted) and the command always exits 0 (advisory, never a gate). A dead-code --format json run with active external plugins and unused files now surfaces a verify-plugins next step pointing at it, and the fallow schema manifest's related_schemas gained plugin_schema_command / plugin_check_command pointers, so agents discover the authoring + verify loop without a full analysis.

  • External plugins can now seed entry points derived from framework manifest files (manifestEntries). Static entryPoints globs cannot read a framework manifest and derive entries from its fields, so monorepos whose plugins are loaded at runtime through per-package manifests (rather than a single app entry or package.json main/exports) had no entry points into their plugin trees and reported that source as unused. A fallow-plugin-*.jsonc can now declare manifestEntries: each rule finds manifest files by a recursive glob, parses them (JSON / JSONC), and for every manifest that passes a dotted-field when gate resolves each entries[].path relative to that manifest's directory (with ${dotted.field} interpolation that fans out over string / array fields) into an entry point under the plugin's entryPointRole. when uses strict equality; manifest discovery respects .gitignore and skips node_modules; and a warning fires when a manifests glob matches nothing, a when gate excludes every manifest, or a field path resolves in no matched manifest (a likely typo). This makes manifest-driven frameworks self-serviceable in a config file instead of requiring a built-in plugin. See custom plugins.

  • fallow schema now enumerates the security-candidate categories, so an agent can author security.categories.include / exclude without guessing. The config surface documented the include/exclude mechanism but not the valid

... (truncated)

Commits
  • 0d56827 chore: release v3.2.0
  • afa3c17 fix(health): pluralize the large-functions unit-size footer (#1753)
  • 185c6a7 feat(health): expose max unit size threshold in summary
  • 47220ee ci: shard benchmarks by affected component
  • 9dc768e perf: broaden codspeed benchmark coverage
  • 1d14a77 feat(health): add maxUnitSize threshold override for the large-function check...
  • c6bbfa3 docs: align benchmark file count
  • ede3bcd docs: correct benchmark ratio claims
  • d461313 chore: guard benchmark harness drift
  • 9ea521d chore: stabilize codspeed benchmark shards
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [fallow-rs/fallow](https://github.com/fallow-rs/fallow) from 2.101.0 to 3.2.0.
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@5da5e73...0d56827)

---
updated-dependencies:
- dependency-name: fallow-rs/fallow
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants