feat: show warning for dist tags

[nitodeco]

Closes #37

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new diagnostic rule that warns when dependency versions use dist-tags (e.g. latest, next, beta). Introduces config option npmx.diagnostics.distTag (boolean, default true), a new rule checkDistTag under diagnostics, a utility isDistTagLike and tests covering positive and negative cases. Also updates test mocks and vitest alias resolution.

Possibly related PRs

• feat: version upgrade diagnostics and quick fix #36 — Touches diagnostics registration and src/utils/version.ts, overlapping the utilities and rule registration changed here.
• refactor: enhance version parsing with protocol support and validation #30 — Modifies version parsing and protocol validation used by the new dist-tag diagnostic.

Suggested reviewers

• 9romise

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description is directly related to the changeset, mentioning issue #37 and displaying images of the dist-tag warning feature being implemented.
Linked Issues check	✅ Passed	The code changes fully implement the objective from issue #37: detecting dist-tags (latest, next, beta) and displaying warnings to encourage pinning to specific versions.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the dist-tag warning feature, including configuration, diagnostic rules, utility functions, tests, and build configuration updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/utils/package.ts (1)

17-31: ⚠️ Potential issue | 🟡 Minor

Fix false positives for v-prefixed semver versions in dist-tag detection.

The current pattern treats any alpha-leading token as a dist tag. Since parseVersion() does not strip the leading v, a pinned version like v1.2.3 would match and trigger an incorrect warning (npm's semver parser accepts and strips the v prefix, but this code does not). Users would see a misleading message claiming a specific version is a distribution tag.

Adjust the pattern to exclude v-prefixed semver strings:

Suggested fix

-const DIST_TAG_PATTERN = /^[a-z][\w.-]*$/i
+// Exclude v-prefixed semver to avoid false positives (e.g., "v1.2.3").
+const DIST_TAG_PATTERN = /^(?!v?\d+\.\d+\.\d+(?:[-+][\w.-]+)?$)[a-z][\w.-]*$/i

[9romise]

Thanks! Can you please resolve the conflicts and check if #38 (review) is valid?

[9romise]

I'm not sure if we really need to warn about versions that aren't in dist‑tags. It's hard for us to decide when it's actually a problem. 🤔

[9romise]

I'm not sure if we really need to warn about versions that aren't in dist‑tags. It's hard for us to decide when it's actually a problem. 🤔

I'd like to merge this PR. What do you think about this? @nitodeco

[nitodeco]

I'm not sure if we really need to warn about versions that aren't in dist‑tags. It's hard for us to decide when it's actually a problem. 🤔

I'd like to merge this PR. What do you think about this? @nitodeco

Hi @9romise, sorry for the late reply I had a lot on my plate. Yes I agree its a bit of a guess that its an issue.

I'd change it to this:

• check if current version is in dist tags returned by api
• ignore if alphanumeric version is not found in dist tags

wdyt?

[9romise]

I'd change it to this:

• check if current version is in dist tags returned by api
• ignore if alphanumeric version is not found in dist tags

That sounds like a better fit to me.