feat: show warning for dist tags

[nitodeco]

Closes #37

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new diagnostic rule that warns when dependency versions use dist-tags (e.g. latest, next, beta). Introduces config option npmx.diagnostics.distTag (boolean, default true), a new rule checkDistTag under diagnostics, a utility isDistTagLike and tests covering positive and negative cases. Also updates test mocks and vitest alias resolution.

Possibly related PRs

• feat: version upgrade diagnostics and quick fix #36 — Touches diagnostics registration and src/utils/version.ts, overlapping the utilities and rule registration changed here.
• refactor: enhance version parsing with protocol support and validation #30 — Modifies version parsing and protocol validation used by the new dist-tag diagnostic.

Suggested reviewers

• 9romise

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description is directly related to the changeset, mentioning issue #37 and displaying images of the dist-tag warning feature being implemented.
Linked Issues check	✅ Passed	The code changes fully implement the objective from issue #37: detecting dist-tags (latest, next, beta) and displaying warnings to encourage pinning to specific versions.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the dist-tag warning feature, including configuration, diagnostic rules, utility functions, tests, and build configuration updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/utils/package.ts (1)

17-31: ⚠️ Potential issue | 🟡 Minor

Fix false positives for v-prefixed semver versions in dist-tag detection.

The current pattern treats any alpha-leading token as a dist tag. Since parseVersion() does not strip the leading v, a pinned version like v1.2.3 would match and trigger an incorrect warning (npm's semver parser accepts and strips the v prefix, but this code does not). Users would see a misleading message claiming a specific version is a distribution tag.

Adjust the pattern to exclude v-prefixed semver strings:

Suggested fix

-const DIST_TAG_PATTERN = /^[a-z][\w.-]*$/i
+// Exclude v-prefixed semver to avoid false positives (e.g., "v1.2.3").
+const DIST_TAG_PATTERN = /^(?!v?\d+\.\d+\.\d+(?:[-+][\w.-]+)?$)[a-z][\w.-]*$/i

[9romise]

Thanks! Can you please resolve the conflicts and check if #38 (review) is valid?

[9romise]

I'm not sure if we really need to warn about versions that aren't in dist‑tags. It's hard for us to decide when it's actually a problem. 🤔