chore(deps): update dependency jscpd to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jscpd (source)	^4.0.5 → ^5.0.0

---

Release Notes

kucherenko/jscpd (jscpd)

v5.0.10

Compare Source

cpd (Rust) v5.0.10

Bug Fixes

• Emit scan-root-relative paths in all reporters when absolute: false (or the default). Previously, jscpd /abs/path from a different CWD left absolute paths in SARIF/JSON/XML/HTML/CSV/Markdown/console output, and Windows/macOS path canonicalization could leave \\?\ or ./ prefixes. Paths are now normalized against the canonicalized scan root (with CWD fallback) and stripped of any leading ./ or .\\ component. Fixes #​827
• Fix --skip-local to match jscpd v4 TypeScript semantics: it now filters clones where both fragments are under the same scan root, instead of only skipping clones in the same parent directory

Refactoring

• DRY duplication in reporters: extract shared helpers (print_clone_header, print_clone_locations, print_snippet, write_report_file, report statistics, test fixtures, etc.) into cpd-reporter/src/shared.rs. Console, console-full, CSV, JSON, HTML, Markdown, silent, XML, and SARIF reporters now reuse the same implementation, reducing the monorepo's reported duplication ratio from 5.0% to 0.56% and fixing a latent --absolute path relativization bug in the same pass
• Move blame enrichment from gitoxide to git blame --porcelain; capture elapsed time after blame so timing includes blame work
• Resolve needless_borrow clippy warnings in CSV and Markdown reporters

Documentation

• Add Nix and Homebrew install instructions to Rust READMEs. #​818
• Update project homepage URLs to https://jscpd.dev in all Cargo.toml and npm package.json files, add curl install method to READMEs, clean up outdated badges
• Remove defunct Universal Analytics tracking pixels from all READMEs

Published Packages

• cpd-core@0.1.5 on crates.io
• cpd-finder@0.1.8 on crates.io
• cpd-reporter@0.1.7 on crates.io
• cpd-tokenizer@0.1.6 on crates.io
• jscpd@5.0.10 on crates.io
• cpd@5.0.10 on npm
• jscpd@5.0.10 on npm
• cpd-darwin-arm64@​5.0.10 on npm
• cpd-darwin-x64@​5.0.10 on npm
• cpd-linux-x64-gnu@5.0.10 on npm
• cpd-linux-arm64-gnu@5.0.10 on npm
• cpd-linux-x64-musl@5.0.10 on npm
• cpd-windows-x64-msvc@5.0.10 on npm

Install

npm install -g cpd

# or
npm install -g jscpd

# or
cargo install jscpd

v5.0.9

Compare Source

New Features

• GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

Bug Fixes

• Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #​816

---

v5.0.8

Compare Source

Bug Fixes

• Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #​813
• Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #​811
• Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

---

v5.0.7

Compare Source

Bug Fixes

• Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
• Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
• --workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)

---

v5.0.6

Compare Source

New Features

• v4 config backward compatibility — .jscpd.json fields path, pattern, ignore, and ignorePattern are now read and applied, matching jscpd v4 behavior
• ignore and ignorePattern are now distinct: ignore matches file-level globs, ignorePattern matches code-level regex patterns (previously conflated)
• .jscpd.json path config support — reads scan directories from the path field, resolving relative paths against the config file's directory
• jscpd npm wrapper package — publishes the same Rust binary under the jscpd name on npm with v5.x versioning
• --exit-code now matches v4 behavior: accepts optional integer value (--exit-code exits 1, --exit-code 2 exits 2); --threshold and --exit-code are now independent
• Performance improvements: memory-mapped file I/O (via memmap2) eliminates heap copies of file contents; SIMD-accelerated line counting (via memchr); parallel detection pipeline uses flat_map to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #​808)

Bug Fixes

• Fixed --exit-code to match jscpd v4's --exitCode behavior (was boolean, now optional integer)
• Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)

---

v5.0.5

Compare Source

v5.0.4

Compare Source

New Features

• CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
• Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
• Side-by-side blame comparison in console-full reporter
• Clone list display in console reporter

Bug Fixes

• HTML reporter now outputs jscpd-report.html at the output_dir root
• Resolved all clippy warnings across workspace
• Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

---

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[w3nl]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.