feat: add automated dependency bump checker and changelog validator

[cryptodev-2s]

Description

Adds a new check-deps command to automatically detect, validate, and update dependency bump entries in CHANGELOGs.

Key Features

• Detects dependency bumps from git diffs in package.json files
• Validates exact versions in changelog entries (catches stale entries)
• Auto-updates changelogs with --fix flag
• Preserves PR history when bumping same dependency multiple times
• Release-aware - adds entries to ## [X.Y.Z] section when package version changes, or [Unreleased] otherwise
• Repository agnostic - reads repo URL from package.json
• Handles renamed packages - automatically detects package rename info from package.json scripts to correctly parse changelogs with old package name tags

Example:

# Before (PR #7007):
- Bump `@metamask/transaction-controller` from `^61.0.0` to `^61.1.0` ([#7007](...))

# After fix (PR #1234):
- Bump `@metamask/transaction-controller` from `^61.0.0` to `^62.0.0` ([#7007](...), [#1234](...))

Implementation

New files:

• src/check-dependency-bumps.ts + tests (24 tests)
• src/changelog-validator.ts + tests (27 tests)

Modified:

• src/command-line-arguments.ts - Added check-deps command
• src/main.ts - Command routing
• Updated test files for command structure

Coverage: 100% (statements, branches, functions, lines) - 340 passing tests

Testing in MetaMask/core

# Build tool
cd /path/to/create-release-branch && yarn build

# From core
cd /path/to/core
git checkout -b test-dep-bumps

# In one or more packages, modify package.json to:
# - Bump some dependencies
# - Bump some peerDependencies  
# - Bump some devDependencies (to verify they're correctly excluded)
# - Change the package version (to test release detection)

git add . && git commit -m "Test: bump dependencies"

# Validate
node /path/to/create-release-branch/dist/cli.js check-deps

# Fix without PR number
node /path/to/create-release-branch/dist/cli.js check-deps --fix

# Fix with PR number
node /path/to/create-release-branch/dist/cli.js check-deps --fix --pr 4532

# Validate with github-tools (https://github.com/MetaMask/github-tools)
cd /path/to/github-tools
yarn run changelog:check "/path/to/core" "main" "4532"

---

Note

Introduces check-deps to detect dependency bumps from git diffs and validate/update package changelogs (incl. releases, peerDeps BREAKING, and package renames).

• CLI:
  • Add check-deps command via yargs in src/command-line-arguments.ts; route in src/main.ts.
• Core logic:
  • Implement src/check-dependency-bumps.ts to parse git diff of **/package.json, detect dependencies/peerDependencies version bumps (skip dev/optional), dedupe, and capture package version changes.
  • Implement src/changelog-validator.ts to validate and update changelog entries:
    • Exact version matching; distinguishes deps vs peerDeps (**BREAKING:**).
    • Adds/updates entries with PR concatenation (uses #XXXXX when missing).
    • Release-aware: updates [Unreleased] or a specific [X.Y.Z] section.
    • Supports renamed packages via scripts flags (--tag-prefix-before-package-rename, --version-before-package-rename).
• Shared types: Add src/types.ts for DependencyChange, PackageInfo, PackageChanges.
• Tests:
  • Extensive unit and functional tests for detection, validation, updating, routing, and edge cases.
• Docs/Changelog:
  • Update CHANGELOG.md with new command and usage.

^{Written by Cursor Bugbot for commit 703e1c3. This will update automatically on new commits. Configure here.}

[mcmire]

@cryptodev-2s I haven't had time to review this yet, but I have one initial thought:

Should we rename check-deps to validate? My thought is that we will want to include some more validation steps in the future (e.g. #176), and if we group everything under validate it will create room for that work.

[cryptodev-2s]

@cryptodev-2s I haven't had time to review this yet, but I have one initial thought:

Should we rename check-deps to validate? My thought is that we will want to include some more validation steps in the future (e.g. #176), and if we group everything under validate it will create room for that work.

Good point about future validation commands! However, I think check-deps should remain separate from release validation (#176) since:

1. Different scope: check-deps works on any branch (feature branches included), not just release branches
2. Independent use case: Validating dependency changelog entries is useful outside the release process
3. Clear separation: Release-specific validation (Add command for validating release branch #176) deserves its own command

Suggestion:

• Keep: check-deps (or rename to validate-deps for clarity)
• Add: validate-release for Add command for validating release branch #176

Side note: Given we're adding more commands beyond release creation, we could consider renaming the package to something like @metamask/monorepo-tools in a future major version. But that's a separate discussion.

[cryptodev-2s]

@metamaskbot publish-preview

[github-actions]

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/[email protected]

See these instructions for more information about preview builds.

[github-actions]

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/[email protected]

See these instructions for more information about preview builds.

[mcmire]

check-deps works on any branch (feature branches included), not just release branches

Hmm. Currently this tool is centered around release management, so adding code that doesn't strictly relate to releases feels wrong. I did see your note about renaming this tool to monorepo-tools, but I'm not 100% convinced that's the right direction either. I will have to think about this some more.

[cryptodev-2s]

@metamaskbot publish-preview

[github-actions]

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/[email protected]

See these instructions for more information about preview builds.

[Gudahtt]

This is how we'd call the script from other repos? How is that possible when this isn't registered in package.json as a bin script?

[cryptodev-2s]

The command was incorrect, this step is actually handled by the create-release-branch CLI. I’ve just fixed the changelog accordingly.

By the way, I’m in the process of moving this over to auto-changelog instead. Here’s the draft PR: MetaMask/auto-changelog#267, I’ll mark it ready shortly.

[Gudahtt]

Oh I see, didn't see this comment until now. Maybe this should be moved back into draft then?

[cryptodev-2s]

No worries, I will move it back to draft and apply all the suggestions you mentioned here. They are also relevant for auto-changelog, since much of the logic is moved.
Thank you for the review!

[cursor]

Bug: File path regex fails for paths containing /b/ directory

The regex /b\/(.+)/u used to extract file paths from git diff headers matches the first occurrence of b/ in the line. For a diff line like diff --git a/packages/b/package.json b/packages/b/package.json, the regex incorrectly matches the b/ inside packages/b/ and captures package.json b/packages/b/package.json instead of the intended packages/b/package.json. The regex could be changed to b\/(.+)$/u to match the space-prefixed b/ that marks the destination path at the end of the line.

 

[Gudahtt]

Was is this for? Do we need to return this from readCommandLineArguments? It doesn't seem to be used anywhere.

[Gudahtt]

I see that this type assertion can be removed if you undo the tempDirectory type change (back to string | undefined). Is there a reason that type change was made? Ideally we'd avoid type assertions if we can.

[Gudahtt]

I see that the CheckDepsCommandArguments type assertion is there for the same reason.

[Gudahtt]

Nit: Descriptions would be helpful for these properties

[Gudahtt]

Nit: Should we call this baseBranch instead? The term defaultBranch suggests that this command is primarily meant for feature branches directed at main. But there is nothing about this workflow that seems to care whether the base branch is the default branch for the repo or not.

[Gudahtt]

Nit: Some of these messages could be pretty confusing if one of the parameters gets set to an empty string; it might return a warning message that doesn't tip us off to the problem. For example, if currentBranch was an empty string, this would suggest that the next line is the branch name, which it isn't. And with some of the later messages, inputting an empty string as the default branch name would be similarly confusing.

I have a habit of wrapping embedded parameters like this in single-quotes, so it's clear that there is something here in case it gets set to an unexpected value like an empty string, e.g.:

Suggested change

	stdout.write(`\n📌 Current branch: ${currentBranch}\n`);
	stdout.write(`\n📌 Current branch: '${currentBranch}'\n`);

Perhaps that would be helpful for these messages too

[Gudahtt]

Nit: This would end up being misleading a lot of the time, e.g. if main was out-of-date locally, the first attempt would succeed and give the wrong answer.

It also feels unexpected for this function to make guesses about what the default branch is. main and origin/main are different branches. If we're going to auto-prefix a remote name, at the very least we should document that the function will do that.

[Gudahtt]

I would suggest that this function accept the default branch as-is, but make the default ${remote}/main instead of main.

And speaking of which, we should also allow customizing the remote name. Using something other than origin is not uncommon.

[Gudahtt]

Nit: I see we're using merge-base in a similar manner in the restoreFiles function in src/repo.ts. Maybe we can consolidate the two implementations by using a utility function?

[Gudahtt]

Nit: 😅 sorry it took me way too long to understand what a "section header" was in this context. Here's a suggestion to maybe make it clearer

Suggested change

	'-U9999', // Show maximum context to ensure section headers are visible
	'-U9999', // Show maximum context to ensure full dependency lists are visible

[Gudahtt]

Nit: We should perhaps call this something less misleading, like getManifestGitDiff?

[Gudahtt]

Does it? It doesn't seem to when I've tried it.

[Gudahtt]

It looks like it only does this if you pass the --exit-code flag, which we haven't done here.