Comparing cloud-hybrid:master...observing:master · cloud-hybrid/pre-commit · GitHub
base repository: cloud-hybrid/pre-commit
base: master
head repository: observing/pre-commit
compare: master
  • 3 commits
  • 8 files changed
  • 2 contributors

Commits on Apr 28, 2026

  1. fix: upgrade cross-spawn (ReDoS), harden hook install and spawn handling (observing#169)
    
    * fix: upgrade cross-spawn (ReDoS), harden hook install and spawn handling
    
    - Bump cross-spawn to ^7.0.5 and which to ^4; drop unused spawn-sync.
    - Fix spawnSync result checks (use status/signal/error, not .code).
    - Treat non-zero / null close codes from npm run spawns reliably.
    - Install hook via absolute path to package hook script for Yarn PnP; chmod 0755.
    - Hook: cd to git root before require.resolve; use exec for node.
    - Install: guard gitdir parse; avoid fs.existsSync(null) on missing .git.
    - Dev: mocha 10, assume 2, nyc; engines node>=16; stub tty in tests.
    - Version 1.2.3; add package-lock.json; ignore .nyc_output.
    
    Addresses observingGH-167, observingGH-160, observingGH-157; mitigates observingGH-166 (cwd / exit handling).
    
    Made-with: Cursor
    
    * chore: fold in fixes from open PRs (observing#127, observing#148, observing#112)
    
    Addresses long-standing open PRs whose intent fits the cross-spawn /
    hook-hardening cleanup:
    
    * observing#127 - install.js: "backuped" -> "backed up".
    * observing#148 - magit workaround: emit `unset GIT_LITERAL_PATHSPECS` in the
      generated `.git/hooks/pre-commit` wrapper, and also at the top of
      the package's `hook` script for defense-in-depth, so hooks invoked
      from emacs/magit behave the same as on the command line.
    * observing#112 - resilience for missing pre-commit package: when a user
      switches to a branch without `node_modules`, the generated wrapper
      now exits 0 instead of failing the commit, and the `hook` script
      detects an unresolvable `pre-commit` package and skips with a
      friendly warning instead of throwing a Node module-not-found stack.
    
    Made-with: Cursor
    
    * fix(install): handle submodules and tighten engines.node
    
    * getGitFolderPath previously recursed past a `.git` *file*, which made
      the existing submodule-aware gitdir parsing block unreachable -- in a
      submodule we silently walked up to the super-project's `.git` dir and
      installed the hook there instead. Return the `.git` path whether it is
      a file or directory.
    * Resolve `gitdir:` pointers against the directory containing the `.git`
      file (path.dirname(git)) instead of the package root, since git stores
      those paths relative to the file. Fixes submodules whose `.git` file
      is not at the package root, and linked worktrees.
    * Tighten engines.node to >=16.13.0 to match `which@4`'s minimum
      (`^16.13.0 || >=18.0.0`); the previous `>=16` allowed Node 16.0-16.12
      where `which@4` will warn/fail at install time.
    
    Addresses copilot-pull-request-reviewer feedback on PR observing#169.
    Supersedes the submodule-install half of observing#75.
    
    Made-with: Cursor
    
    * chore: regenerate package-lock
    
    * chore(release): bump to 2.0.0
    
    This release contains breaking changes that warrant a major bump:
    
    * Drops support for Node < 16.13 by introducing
      `engines.node: ">=16.13.0"` (matches `which@4`'s minimum). Previous
      releases declared no engine, so anything old enough to run them is
      now incompatible.
    * Production deps make jumps that raise the floor and change result
      shapes: `cross-spawn` ^5 -> ^7 (`spawnSync` returns `status`, not
      `code`), `which` 1.2.x -> ^4. The runtime `spawn-sync` dep is dropped
      in favor of `cross-spawn.spawnSync`.
    * The generated `.git/hooks/pre-commit` wrapper format is rewritten
      (single `exec bash <abs-hook> "\$@"` instead of the previous inline
      bash). Anyone parsing or scripting against the previous wrapper
      shape will see a different file.
    * Hook file mode tightened from 0777 to 0755 (CIS 6.1.10).
    * Submodule install location now resolves correctly to
      `<super>/.git/modules/<sub>/hooks` (previously the unreachable
      gitdir-parsing block silently caused submodule hooks to land in the
      super-project).
    
    Minor / patch additions in the same release (carried by the same PR):
    
    * Magit fix: generated wrapper and hook script `unset
      GIT_LITERAL_PATHSPECS` so hooks behave the same way under emacs.
    * Resilient missing-package handling: a removed `pre-commit` (e.g.
      branch-switch without `node_modules`) skips with a friendly warning
      instead of breaking the commit.
    * Internal: harden `index.js` spawn result checks; guard install-time
      gitdir parsing against null matches; spelling fix
      ("backuped" -> "backed up"); drop `istanbul` for `nyc`; modernize
      `mocha` and `assume` test deps.
    
    Made-with: Cursor
    3rd-Eden authored Apr 28, 2026
    Commit a24084c
  2. Commit ad8d125
  3. dist: 2.0.0 - set registry

    3rd-Eden committed Apr 28, 2026
    Commit 697d1ee
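
The first commit's message describes returning the `.git` path whether it is a file or a directory, resolving `gitdir:` pointers against the directory that holds the `.git` file, and guarding against a failed parse. The sketch below is an added example of that resolution logic, not code from the pre-commit repository; `findDotGit`, `resolveHooksDir`, `buildSample` and the temporary directory layout are hypothetical names and constructed data.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Walk upward from `start` and return the first `.git` entry found,
// whether it is a directory (plain clone) or a file (submodule, worktree).
function findDotGit(start) {
  let dir = path.resolve(start);
  for (;;) {
    const candidate = path.join(dir, '.git');
    if (fs.existsSync(candidate)) return candidate;
    const parent = path.dirname(dir);
    if (parent === dir) return null; // reached the filesystem root
    dir = parent;
  }
}

// Resolve the hooks directory for the repository that contains `start`.
function resolveHooksDir(start) {
  const git = findDotGit(start);
  if (!git) return null; // no repository: nothing to install into
  if (fs.statSync(git).isDirectory()) return path.join(git, 'hooks');
  const match = /^gitdir:\s*(.+)$/m.exec(fs.readFileSync(git, 'utf8'));
  if (!match) return null; // malformed pointer: refuse rather than guess
  // A relative pointer is relative to the directory holding the `.git` file,
  // not to the package root or the current working directory.
  const gitdir = path.resolve(path.dirname(git), match[1].trim());
  return path.join(gitdir, 'hooks');
}

// Constructed sample layout: a super-project containing one submodule.
function buildSample() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'gitdir-'));
  const sup = path.join(fs.realpathSync(tmp), 'super');
  fs.mkdirSync(path.join(sup, '.git', 'modules', 'sub'), { recursive: true });
  fs.mkdirSync(path.join(sup, 'sub', 'pkg'), { recursive: true });
  fs.writeFileSync(path.join(sup, 'sub', '.git'), 'gitdir: ../.git/modules/sub\n');
  return sup;
}
```

Called from a package directory inside the submodule, `resolveHooksDir` lands in `<super>/.git/modules/sub/hooks` rather than the super-project's own `hooks` directory.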
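
The first commit's message also says the `spawnSync` result checks now use `status`/`signal`/`error` instead of `.code`. The added example below (not the project's code) shows why that matters for a commit gate: the result object has no `code` property, so a check on it reads `undefined` whatever the child did. It uses Node's built-in `child_process.spawnSync` in place of `cross-spawn`, assuming the same result shape; `classify`, `legacyCheck`, `runChild` and `samples` are hypothetical names, and the SIGKILL case assumes a POSIX host.

```javascript
const { spawnSync } = require('child_process');

// Classify a spawnSync result; only a clean exit with status 0 passes.
function classify(result) {
  if (result.error) return { ok: false, reason: 'spawn error: ' + result.error.code };
  if (result.signal) return { ok: false, reason: 'killed by ' + result.signal };
  if (result.status !== 0) return { ok: false, reason: 'exit status ' + result.status };
  return { ok: true, reason: 'exit status 0' };
}

// The check being replaced, kept for comparison: `result.code` is always
// undefined, so this reports success for every child process.
function legacyCheck(result) {
  return !result.code;
}

// Run a constructed one-line Node script as the child process.
function runChild(script) {
  return spawnSync(process.execPath, ['-e', script], { stdio: 'ignore' });
}

// Constructed cases: clean exit, failing exit, death by signal, missing binary.
function samples() {
  return {
    pass: classify(runChild('process.exit(0)')),
    fail: classify(runChild('process.exit(3)')),
    killed: classify(runChild("process.kill(process.pid, 'SIGKILL')")),
    missing: classify(spawnSync('/nonexistent/constructed-binary', [], { stdio: 'ignore' })),
  };
}
```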