feat: show warning for dist tags

README.md

@@ -45,6 +45,7 @@
 | `npmx.diagnostics.deprecation`      | Show warnings for deprecated packages                                                   | `boolean` | `true`              |
 | `npmx.diagnostics.replacement`      | Show suggestions for package replacements                                               | `boolean` | `true`              |
 | `npmx.diagnostics.vulnerability`    | Show warnings for packages with known vulnerabilities                                   | `boolean` | `true`              |
+| `npmx.diagnostics.distTag`          | Show warnings when a dependency uses a dist tag                                         | `boolean` | `true`              |
 
 <!-- configs -->
 

package.json

@@ -88,6 +88,11 @@
           "type": "boolean",
           "default": true,
           "description": "Show warnings for packages with known vulnerabilities"
+        },
+        "npmx.diagnostics.distTag": {
+          "type": "boolean",
+          "default": true,
+          "description": "Show warnings when a dependency uses a dist tag"
         }
       }
     },

playground/package.json

@@ -5,7 +5,7 @@
     "nuxt": "npm:4.3.0"
   },
   "devDependencies": {
-    "array-includes": "",
+    "array-includes": "latest",
     "axios": "",
     "is-number": "",
     "lodash": "catalog:"

src/providers/diagnostics/index.ts

@@ -10,6 +10,7 @@ import { computed, useActiveTextEditor, useDisposable, useDocumentText, watch }
 import { languages } from 'vscode'
 import { displayName } from '../../generated-meta'
 import { checkDeprecation } from './rules/deprecation'
+import { checkDistTag } from './rules/dist-tag'
 import { checkReplacement } from './rules/replacement'
 import { checkUpgrade } from './rules/upgrade'
 import { checkVulnerability } from './rules/vulnerability'
@@ -32,6 +33,8 @@ export function useDiagnostics() {
       rules.push(checkUpgrade)
     if (config.diagnostics.deprecation)
       rules.push(checkDeprecation)
+    if (config.diagnostics.distTag)
+      rules.push(checkDistTag)
     if (config.diagnostics.replacement)
       rules.push(checkReplacement)
     if (config.diagnostics.vulnerability)

src/providers/diagnostics/rules/dist-tag.ts

@@ -0,0 +1,24 @@
+import type { DiagnosticRule } from '..'
+import { npmxPackageUrl } from '#utils/links'
+import { isSupportedProtocol, parseVersion } from '#utils/version'
+import { DiagnosticSeverity, Uri } from 'vscode'
+
+export const checkDistTag: DiagnosticRule = (dep, pkg) => {
+  const parsed = parseVersion(dep.version)
+  if (!parsed || !isSupportedProtocol(parsed.protocol))
+    return
+
+  const tag = parsed.semver
+  if (!(tag in pkg.distTags))
+    return
+
+  return {
+    node: dep.versionNode,
+    message: `"${dep.name}" uses the "${tag}" version tag. This may lead to unexpected breaking changes. Consider pinning to a specific version.`,
+    severity: DiagnosticSeverity.Warning,
+    code: {
+      value: 'dist-tag',
+      target: Uri.parse(npmxPackageUrl(dep.name)),
+    },
+  }
+}

tests/diagnostics/dist-tag.test.ts

@@ -0,0 +1,35 @@
+import type { DependencyInfo } from '#types/extractor'
+import type { PackageInfo } from '#utils/api/package'
+import { describe, expect, it } from 'vitest'
+import { checkDistTag } from '../../src/providers/diagnostics/rules/dist-tag'
+
+function createDependency(name: string, version: string): DependencyInfo {
+  return {
+    name,
+    version,
+    nameNode: {},
+    versionNode: {},
+  }
+}
+
+function createPackageInfo(distTags: Record<string, string>): PackageInfo {
+  return { distTags } as PackageInfo
+}
+
+describe('checkDistTag', () => {
+  const packageInfo = createPackageInfo({ latest: '2.0.0' })
+
+  it('should flag when version matches a dist tag in metadata', async () => {
+    const dependency = createDependency('lodash', 'latest')
+    const result = await checkDistTag(dependency, packageInfo)
+
+    expect(result).toBeDefined()
+  })
+
+  it('should not flag when version does not match any dist tag in metadata', async () => {
+    const dependency = createDependency('lodash', 'next')
+    const result = await checkDistTag(dependency, packageInfo)
+
+    expect(result).toBeUndefined()
+  })
+})