feat: show warning for dist tags

[nitodeco]

Closes #37

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces a new diagnostic rule that warns developers when dependencies use distribution tags (such as latest, next, and beta) instead of pinned versions. The changes include a new configuration option npmx.diagnostics.distTag, a new diagnostic rule implementation in src/providers/diagnostics/rules/dist-tag.ts, a constant set of common distribution tags, integration of the rule into the diagnostics pipeline, comprehensive test coverage, and updates to the Vitest configuration to use tsconfig-paths for path resolution.

Possibly related PRs

• refactor: migrate to fast-npm-meta #18: Introduces DiagnosticRule typing changes and PackageInfo shapes that the new dist-tag diagnostic depends upon
• feat(completion): support 'npm:'-prefixed versions #29: Modifies diagnostics behaviour around version parsing and handling, operating on the same code area as the new dist-tag diagnostic

Suggested reviewers

• 9romise

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	❓ Inconclusive	The vitest.config.ts changes introducing tsconfig-paths integration appear to be infrastructure support for path resolution rather than core feature implementation.	Clarify whether the vitest.config.ts and vite-tsconfig-paths dependency changes are necessary for the dist-tag feature or represent scope creep.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description references issue #37 and includes visual examples of the implemented feature showing dist-tag warnings and configuration UI.
Linked Issues check	✅ Passed	All code changes directly implement the requirement from issue #37 to show warnings for dist-tag usage in dependencies.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

tests/dist-tag.test.ts (2)

7-14: Consider stricter type safety for mock nodes.

The mock objects use empty objects {} for nameNode and versionNode. This works because the rule only passes these through without accessing properties, but using as unknown as ValidNode would make the type casting explicit and intentional.

♻️ Suggested improvement

 function createDependency(name: string, version: string): DistTagDependency {
   return {
     name,
     version,
-    nameNode: {},
-    versionNode: {},
+    nameNode: {} as DistTagDependency['nameNode'],
+    versionNode: {} as DistTagDependency['versionNode'],
   }
 }

---

39-49: Consider expanding test coverage for case-insensitive matching.

The checkDistTag rule uses tag.toLowerCase() when checking against COMMON_DIST_TAGS. Consider adding a test case to verify this case-insensitive behaviour works as expected (e.g., "LATEST", "Next", "BETA").

🧪 Suggested additional test case

it('should flag dist tags case-insensitively', async () => {
  const variations = ['LATEST', 'Next', 'BETA']

  for (const tag of variations) {
    const dependency = createDependency('lodash', tag)
    const packageInfo = createPackageInfo({})
    const result = await checkDistTag(dependency, packageInfo)

    expect(result).toBeDefined()
  }
})

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[9romise]

We could put the vite-tsconfig-paths change in its own PR.

[9romise]

Why do we check for COMMON_DIST_TAGS? I might be missing some specific use cases here.

[nitodeco]

In pretty much every project I've worked on before, using a dist tag for a version was considered bad practice because it can lead to all sorts of problems (stale installations, keeping track of changes in deps, package updates breaking apps, etc.). It would be nice to get a warning about this, because a lot of boilerplate/starter apps use dist tags in their package.json (for example when setting up a project with pnpm create).

This might not be the general expectation or experience shared by other developers, and I'm curious what your opinion on this is. I think having the option for a warning would be nice, and I'm fine with it being off by default :)

[9romise]

I totally agree that using dist‑tags for version pinning is not a good practice.
Just curious why do we check for isCommonDistTag rather than warning on any dist‑tag?