All notable changes to this project are documented here. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
0.3.0 (2026-05-27)
debtctl now governs code patches alongside overrides. patch-package, pnpm patchedDependencies, and yarn berry's patch: protocol are all detected; the new patch-hash trigger fires when a patch file's content drifts from the recorded hash, catching the case where a developer edits a patch without updating its rationale. The sidecar schema bumps to v2; v1 sidecars auto-migrate on first read. See Patches in the README for the full story.
- update sidecar schema to v2 with auto-migration (7a7bdae)
- add patch-hash trigger type (2d046e1)
- add patch file content hashing helper with LF normalization (cf02728)
- parse patch-package patches (ed35c84)
- parse pnpm patchedDependencies (1136ebf)
- parse yarn berry patch protocol resolutions (844aa0e)
- include patches in init and check commands (9257d3c)
- support --only overrides:bucket and --only patches:bucket scoping (6725dea)
- exclude patch protocol values from yarn overrides parsers (98c38ff)
0.2.1 — 2026-05-26
npm run buildnow cleansdist/before compiling, and the publish pipeline runs asprepackinstead ofprepublishOnlysonpm packalso produces a fresh build. Prevents stale or removed source files from leaking into published tarballs.
debtctl --versionnow reports the version declared inpackage.json. Previously the CLI hardcoded0.1.0and continued to report it after the 0.2.0 release.- Malformed
package.jsonor.debtctl.jsonnow fails with a descriptiveFailed to parse <path>: <reason>error instead of a rawSyntaxErrorstack trace.
0.2.0 — 2026-05-26
- pnpm parser now reads overrides from
pnpm-workspace.yamlin addition topnpm.overridesinpackage.json. When the same key appears in both, the workspace YAML value wins (matches pnpm's own precedence). yamlruntime dependency for parsingpnpm-workspace.yaml.- Dependabot configuration for automated
npmand GitHub Actions dependency updates.
- Parser dispatcher (
parseOverrides) is now async and acceptscwdas a third argument. The pnpm parser signature is(packageJson, cwd) => Promise<Override[]>; other parsers retain their synchronous in-memory signatures. - README install instructions now recommend the per-project (dev dependency) flow, with global install documented as an alternative for ad-hoc use.
0.1.0 — 2026-05-26
Initial release.
debtctl init— scanspackage.jsonfor dependency overrides and scaffolds.debtctl.jsonwith stub metadata (reason,owner,revisitWhen).debtctl check— reports overrides that are missing metadata, incomplete (still containTODOfields), or due for review (their trigger has fired).--strictflag escalatesdueForReviewfrom a warning to a failure.--jsonflag emits machine-readable output for CI consumers.--only <bucket>flag filters output to a single category (missing,incomplete,dueForReview, ororphans).- Package-manager detection via
packageManagerfield with lockfile fallback. Supportsnpm,pnpm,yarn-classic, andyarn-berry. - Trigger types:
version-anchor(fires when a package's declared range drifts) anddate(fires when today ≥expires). - Range comparison is semver-aware via
semver.subset, with string-equality fallback for non-semver ranges likelatestandworkspace:*. - Warning when multiple lockfiles are present, with the matched set surfaced in JSON output.