
chore(deps-dev): bump fallow from 2.91.0 to 2.96.0 #58

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/fallow-2.96.0


dependabot Bot commented on behalf of github on Jun 21, 2026

Contributor

Bumps fallow from 2.91.0 to 2.96.0.

Release notes

Sourced from fallow's releases.

v2.96.0: dupes ignores imports by default, Impact moves to user dir, VS Code mute fix

Highlights

This release changes two analysis defaults, relocates Fallow Impact history out of your repo, and fixes the VS Code diagnostic-mute toggle.

Changed

fallow dupes ignores import declarations by default

Token-identical sorted import blocks are a structural property of well-formatted code, not copy-paste, so they no longer surface as clone groups. ignoreImports (opt-in since 2.33.0) now defaults to true.

  • Opt out with "ignoreImports": false in config, --no-ignore-imports on fallow dupes, or --dupes-no-ignore-imports on bare fallow. The MCP find_dupes / trace_clone tools accept ignore_imports: false, and the VS Code fallow.duplication.ignoreImports setting controls both directions.
  • Scope: ES import declarations only; CommonJS require() and export ... from re-export blocks are still counted.
  • Upgraders on a duplicates.threshold gate: the measured duplication percentage drops, so re-baseline against the new numbers (or set "ignoreImports": false to keep the old behavior). Saved duplication baselines should be re-saved; a one-time step-down in duplication trend at the upgrade boundary is expected.

Thanks @​danielo515 for the report (#1224).

Fallow Impact history moved to your user config dir

Enabling Impact (or recording a run) no longer creates a .fallow/ directory or edits the repo's .gitignore. The per-project store moved to <config-dir>/fallow/impact/<key>.json (~/Library/Application Support/fallow/ on macOS, $XDG_CONFIG_HOME/fallow/ on Linux, %APPDATA%\fallow\ on Windows). The store is keyed by repo identity, so any subdirectory or git worktree of a repo shares one history, and nothing is written into the working tree. An existing in-repo .fallow/impact.json is imported once on first run. Impact is now explicitly off in CI.

Added

  • fallow impact default on|off turns Impact on once for every project (a user-global opt-in); a per-project enable / disable always wins. The report and the impact MCP tool gain an enabled_source field (project / user / default).
  • fallow impact reset [--all] deletes stored history for this project, or with --all every project's history; the user-global default toggle is left untouched. fallow impact now prints the resolved store path and project key.

Fixed

VS Code: "Toggle Hide All Findings" can be undone again

After the extension moved open-file diagnostics to the LSP 3.17 pull path, toggling a mute updated only the push diagnostic collection, which the language server keeps empty for open files once the editor starts pulling. So hiding took effect only on the next edit, un-hiding did nothing visible, and findings stayed hidden through reinstalls and restarts (the muted state persists per workspace). Three fixes:

  • Mute toggles now re-pull open documents, so squiggles and Problems entries hide and show instantly.
  • Open-file findings no longer render twice after a toggle (pull results are no longer cached into the separate push collection).
  • Unchecking "All Fallow Findings" in the Manage Hidden Findings picker now reveals findings instead of silently re-hiding each category.

Thanks @​VariableVince for the report (discussion #287).

Full Changelog: fallow-rs/fallow@v2.95.0...v2.96.0

v2.95.0: Docker image, per-file health thresholds, scoped policy suppressions

Highlights

First-party Docker image

Fallow now ships a checksum-verified Dockerfile for the pinned Linux musl release binary, a source-built contributor Dockerfile, and a copyable Compose example. Projects mount at /workspace with host UID/GID mapping, so .fallow/ caches and reports stay host-owned. The runtime bundles git (for audit base detection) plus Node.js, npm, and Corepack for project dependency installs, and CI now builds the image on Dockerfile changes.

docker build -t fallow:local .
docker run --rm -v "$PWD:/workspace" --user "$(id -u):$(id -g)" fallow:local audit --format json --quiet

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.96.0] - 2026-06-13

Changed

  • fallow dupes now ignores import declarations by default. Token-identical sorted import blocks are a structural property of well-formatted code, not copy-paste, so they no longer surface as clone groups. ignoreImports (shipped opt-in in 2.33.0) now defaults to true. Opt out with "ignoreImports": false in config, --no-ignore-imports on fallow dupes, or --dupes-no-ignore-imports on bare fallow; the MCP find_dupes / trace_clone tools accept ignore_imports: false, and the VS Code fallow.duplication.ignoreImports setting now controls both directions. Scope: ES import declarations only; CommonJS require() calls and export ... from re-export blocks are still counted (extending coverage to those is queued as #1225).

    Operational notes for upgraders:

    • duplicates.threshold gate users: the measured duplication percentage drops, so a threshold tuned against import-inclusive counts is now effectively looser. Re-baseline against the new numbers, or set "ignoreImports": false to keep the old behavior.
    • Baseline / trend users: import-block clone groups disappear from the next run, so a saved duplication baseline (--save-baseline / --save-regression-baseline) should be re-saved after upgrading, and a one-time step-down in fallow impact / duplication trend at the upgrade boundary is expected, not a real regression.

    Thanks @​danielo515 for the report. (Closes #1224.)

  • Fallow Impact history now lives in your user config dir, not in each repo. Enabling Impact (or recording a run) no longer creates a .fallow/ directory or edits the repo's .gitignore; the per-project store moved to <config-dir>/fallow/impact/<key>.json (the same base as telemetry.json: ~/Library/Application Support/fallow/ on macOS, $XDG_CONFIG_HOME/fallow/ on Linux, %APPDATA%\fallow\ on Windows). The store is keyed by repo identity (git rev-parse --git-common-dir), so running fallow impact from any subdirectory or any git worktree of a repo resolves to one shared history, and nothing is ever written into the working tree. Per-finding attribution baselines are namespaced per worktree internally, so concurrent worktrees of one repo no longer prune each other's baseline. An existing in-repo .fallow/impact.json is imported once on first run (the old file is left untouched); a multi-package monorepo with several subdir stores imports whichever subdir runs first. After that one-time import the in-repo file is no longer read, so running an OLDER fallow binary on the same repo after upgrading writes to the legacy file and does not feed the new user store (a transient mixed-version condition). Impact is now also explicitly forced off in CI (previously it was only off because a fresh CI checkout had no store file), so a user-global default cannot start recording on a CI runner.

  • CSS Module class extraction now uses a real CSS parser. Standard .module.css class names are read from a parsed CSS syntax tree instead of a stack of regular expressions, removing a class of edge-case bugs around cascade layers, @scope, and CSS Modules :global() / :local() selectors. Output is unchanged on existing projects; warm caches re-parse CSS Module files once after upgrading. (Refs #550.)

Added

  • fallow impact default on|off turns Impact on once for every project. A single user-global opt-in (stored at <config-dir>/fallow/impact.json) so new projects record without re-enabling each one; a per-project fallow impact enable / disable always wins over the default. The fallow impact --format json report and the impact MCP tool gain an enabled_source field (project / user / default) explaining why tracking is on, and pair with explicit_decision so an agent can tell a never-asked project (offer to enable) from one you deliberately disabled (stay quiet).

  • fallow impact reset [--all] deletes stored history. Removes this project's history, or with --all clears every project's history; the user-global default toggle is left untouched so a data wipe does not silently re-disable Impact. fallow impact (human output) now also prints the resolved store path and project key so you can find, inspect, or remove the file directly.

Fixed

  • Undoing "Fallow: Toggle Hide All Findings" in VS Code now brings diagnostics back immediately. After the extension moved open-file diagnostics to the LSP 3.17 pull path, toggling a mute (or per-category hide, or "Show All Findings") only re-published the push diagnostic collection, which the language server keeps empty for open files once the editor starts pulling. So hiding took effect only on the next edit, and un-hiding did nothing visible, leaving findings stuck hidden through reinstalls and restarts because the muted state persists per workspace. Mute toggles now also ask VS Code to re-pull open documents, so squiggles and Problems entries hide and show instantly again. Thanks @VariableVince for the report. (Refs discussion #287, "How can easily toggle problems reported by fallow in VSCode? (Hide squiggly lines)".)

  • VS Code no longer renders Fallow squiggles twice after a mute toggle. The pull diagnostic provider owns its own collection, distinct from the push collection the mute filter re-publishes into. Because open-file pull results were cached and then re-published into the push collection on every mute, severity, or baseline change, each open-file finding could render twice (once per collection). Pull results are no longer cached (they are re-fetched on every re-pull), so open files render once.

  • Unchecking "All Fallow Findings" in the Manage Hidden Findings picker now reveals findings. While hide-all was active the picker auto-checked every category row, so unchecking the global row and accepting silently re-hid every category individually and findings stayed hidden. Category rows now reflect their real per-category state, so unchecking the global row shows everything (and any genuine per-category hide is preserved).

[2.95.0] - 2026-06-12

Added

  • Docker users now have a first-party CLI image recipe. The repo ships a checksum-verified Dockerfile for the pinned Linux musl release binary, a source-built contributor Dockerfile, and a copyable Compose example that mounts projects at /workspace with host UID/GID mapping so .fallow/ caches and reports stay host-owned. The runtime includes git for audit base detection plus Node.js, npm, and Corepack for project dependency installs, and CI now builds the Docker image on Docker-file changes. Thanks @​nic0michael for the Docker Compose starting point. (Closes #1205.)

  • Rule-pack policy findings can now be suppressed per rule. Suppression comments accept policy-violation:<pack>/<rule-id> for both fallow-ignore-next-line and fallow-ignore-file, so a waiver can target one rule-pack finding without hiding every policy violation at the same scope. Bare policy-violation remains supported as the family-wide token. Rule-pack names and rule ids now reject ambiguous characters so scoped tokens do not need escaping, stale-suppression output preserves the scoped token, and generated suppress actions prefer the scoped form. (Closes #1180.)

  • fallow health now supports per-file threshold overrides for complexity and CRAP. Configure health.thresholdOverrides[] with files globs, optional exact functions, and any of maxCyclomatic, maxCognitive, or maxCrap to raise local ceilings for intentional legacy hotspots while keeping global gates strict. The resolved thresholds flow through health and audit, finding actions use the effective ceiling, and JSON, human, markdown, and compact output report active, stale, and full-run no-match override state so temporary exceptions remain visible. Thanks @​velios for the report. (Closes #1206.)

Fixed

  • unused-class-members no longer fires on Playwright page-object methods reached through fixture wrappers. mergeTests(...) wrappers and chained wrapper .extend(...) calls now inherit the fixture definitions from their wrapped Playwright test objects before callback-side member uses are correlated. The extractor records conservative wrapper-alias sentinels for Playwright's named mergeTests import, including aliased named imports, and for .extend(...) calls on fixture wrappers. The analyzer expands those aliases transitively with cycle protection, so page-object methods used through merged or extended fixtures are credited while genuinely unused decorated methods still report. Local functions named mergeTests and unmatched wrapper aliases do not create credit. Thanks @​vethman for the report. (Closes #1210.)

[2.94.0] - 2026-06-12

Added

  • Bare fallow now accepts Istanbul coverage inputs for the embedded health pass. The combined default command can now read --coverage / --coverage-root, FALLOW_COVERAGE / FALLOW_COVERAGE_ROOT, and health.coverage / health.coverageRoot so fallow --format json uses the same exact CRAP scoring path as fallow health. Standalone health and bare combined mode resolve each coverage input independently with CLI, then env, then config, then auto-detection precedence. The GitHub Action and GitLab CI default combined runs now forward their coverage inputs to the bare command too. Thanks @​stieglma for the follow-up. (Refs #300.)

... (truncated)

Commits
  • 24a30b1 chore: release v2.96.0
  • 5d837a2 docs(impact): drop intra-doc link to cfg(test)-only TEST_FORCE_CI
  • 7bed9e4 fix(impact): isolate the CI record-gate in unit tests
  • 0f54c7e feat(impact): relocate store to user config dir; global opt-in default
  • ee7768c fix(vscode): re-pull open documents on diagnostic mute toggle (#1228)
  • 4925a49 feat(dupes): make ignoreImports the default with opt-out (#1226)
  • 0fee75b docs(vscode): use canonical 'fallow dead-code' over legacy 'fallow check'
  • 12504f5 chore(napi): sync package.json / package-lock / index.js to v2.95.0
  • 7efec6d chore: release v2.95.0
  • f4d2d51 fix: credit Playwright fixture wrapper members
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [fallow](https://github.com/fallow-rs/fallow) from 2.91.0 to 2.96.0.
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.91.0...v2.96.0)

---
updated-dependencies:
- dependency-name: fallow
  dependency-version: 2.96.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 21, 2026


codspeed-hq Bot commented Jun 21, 2026


Merging this PR will not alter performance

✅ 156 untouched benchmarks
⏩ 76 skipped benchmarks [1]


Comparing dependabot/npm_and_yarn/fallow-2.96.0 (b14e4db) with main (78e804b)


Footnotes

  1. 76 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.
