## Post-1.2.0 (bundled-dep feature followups) - [x] **v1.2.1/1.2.2 (bug): reconcile change-detection is version-aware.** 1.2.1 switched `reconcile_bundle_deps` to detect change via `_url_version` (parsed version, not raw URL string) but mis-parsed several real URL shapes; 1.2.2 completes it. `_url_version` strips the URL's own github repo name from the basename (handles digit/dash dep names like `lua-compat-5.3`, bare-tag package-rev suffixes like `1.52.1-0`, sha pins), and `_url_repo` is lowercased (fixes the `JuliaStrings/utf8proc` vs `juliastrings/utf8proc` case mismatch that had utf8proc reporting no-match + in the FYI). Report shows `name old-ver -> new-ver`. Verified against all 13 live neovim 0.12.4 deps: all match + current, no false change, real bump still detected. Tests T-BM17/22/23. Compares version strings only, not `NAME_SHA256`; add sha compare if a same-version-different-content case ever appears. - [ ] add a `--special` flag to add a package to the bundled list, asking for a link to it's upstream deps list file - [~] split `mkhint` into multiple files — **deferred (2026-07-08).** 1568 lines / 46 functions with clear section markers is under the threshold where a split pays off, and bash has no module system: "split" means `source lib/*.sh`, which complicates the single-binary VM deploy (`scp mkhint` → copy a dir + fixed libdir, or a concatenate build step) and means auditing shared globals (`REPO_DIR`, `VERSION`, `FORCE`, config-source order) crossing file boundaries. Revisit trigger: file grows toward ~2500+ lines, OR a change to one area starts breaking an unrelated one, OR you can't find where something lives. When that happens, extract ONLY the self-contained bundled-dep block (`# ── bundled-dep manifest handling ──` … `# ── end`, already has begin/end markers and its own T-BM tests) as a single `lib/bundle.sh` — do not do a full teardown. - [x] **(this session):** add a NoDL column to `--list` (✓ when `NODOWNLOAD=yes`), same `_pad_glyph` treatment as DelReq. Tests T68/T69. - [ ] add a `RepoVer` column to `--list`: the latest version we actually ship for the package in `PACKAGES_DIR` (parse from the built `*.txz` name, glob `PACKAGES_DIR/*//-*.txz` like `pkg_in_repo`). Color: reuse the SBo-vs-hint `sort -V` green-the-newer-cell logic, but the comparison is between the **newest of {hint, SBo}** and the repo (built) version, so you see at a glance whether what's shipped is behind the newest source-side version. No repo package → blank/plain cell (same as absent SBOVer). Needs a helper to extract the version from the txz basename (strip `-` prefix and the `--.txz` suffix). - [x] **v1.2.4:** suppress `prompt_continuation_urls` for manifest-listed packages (Phase 2 already corrects those lines; avoids the double-touch during the primary bump) - [x] **v1.2.5: expand nvchecker source autodetection.** `_detect_nvchecker_source` maps github/gitlab/bitbucket/gitea/codeberg/pagure (owner/repo) plus pypi/npm/gems/cratesio/cpan/hackage/packagist/cran registries in `add_nvchecker_section` (single global emitter, used by `--new` and `--check` populate). github → `use_latest_release` + commented `use_max_tag`/`prefix` fallbacks; other forges → `use_max_tag` + commented `# prefix = "v"`; registries → name from URL via `_registry_name_from_url`, fall back to PRGNAM. Unrecognised → `# TODO` stub. - [x] **v1.2.5:** `--new`/`-n` echoes the managed nvchecker stanza fenced on stdout (added or already-present, via `_extract_nvchecker_section`). - [x] **v1.2.5:** `--info`/`-i program`: green `category/program` header then the README, paged with sticky header (`less --header=1`) only when taller than the terminal; missing pkg exit 2, missing README `(no README)`. Handler `show_info`. - [ ] `--check --dry-run`: report what would change across all listed packages without prompting or writing (audit before acting) - [ ] cache the manifest per run: `reconcile_bundle_deps` currently fetches it twice (report + apply); fetch once and reuse - [ ] verify md5 against the manifest `SHA256`: cross-check the downloaded file's sha256 against the manifest entry before writing MD5SUM (integrity check) - [ ] config validation command (e.g. `--check-config`): sanity-check nvchecker.toml sections, bundle-manifests URLs, phantom-deps file, and that configured paths exist - [ ] batch `--check` summary report at the end: counts of updated / bundled-deps bumped / skipped, instead of only per-package interleaved output - [ ] check if package ships an nvchecker stanza and use that instead in case our functions would simply print the stub when adding the .hint file. - [ ] **backslash-continuation in bundle-manifests loader.** `load_bundle_manifests` reads one physical line per entry, so a long sha-mode line (openvino: 8 `name=path` deps) can't be split across lines for readability: a trailing `\` silently breaks parsing (only the first physical line is read, `rest` becomes `\` → submodule path `%5C` → GitHub contents API 404). Fix: join `\` → single space before parsing (shell-style continuation). Test: a continued sha-mode line parses identically to the one-line form (mode, dep count, each `name=path`). Workaround in place: openvino entry one-lined by hand on the VM.