chore: sync plus with upstream main (conflicts)

[riderx]

Merge Conflict Resolution Required

The automatic sync of the plus branch with upstream main encountered merge conflicts.

What happened

• Claude Code attempted to resolve the merge conflicts
• The workflow created this PR so CI and manual review can finish the merge safely

Action needed: Review the branch and resolve any remaining concerns before merging.

---

This PR was created automatically by the Capacitor+ sync workflow

Summary by CodeRabbit

• Bug Fixes

  • Fixed iOS package handling logic for SPM mode.
  • Updated telemetry metrics endpoint.

• Chores

  • Updated changelogs for versions 8.3.4, 8.3.3, and 8.3.2.
  • Updated package metadata across multiple packages.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR rebrands capacitor-plus packages to capacitor under Ionic ownership, updates all package metadata and changelogs to reference the upstream ionic-team/capacitor repository, and adjusts CLI telemetry routing and SPM plugin-handling logic.

Changes

Package namespace migration and runtime updates

Layer / File(s)	Summary
Package name and metadata rebranding core/package.json, cli/package.json, android/package.json, ios/package.json	All four package manifests updated from @capacitor-plus/* to @capacitor/* namespace, with description, homepage, and author fields changed to reflect Ionic branding and capacitorjs.com domain.
Changelog updates for all packages CHANGELOG.md, core/CHANGELOG.md, android/CHANGELOG.md, cli/CHANGELOG.md, ios/CHANGELOG.md	Release notes across all changelogs switched to ionic-team/capacitor compare links, version notes updated to "version bump only" format, and bug-fix descriptions adjusted for consistency.
CLI telemetry and SPM plugin handling cli/src/ios/update.ts, cli/src/ipc.ts	Telemetry request now targets metrics-capacitor.outsystems.com with /metrics path and expects HTTP 202 instead of 204. Plugin-package skip logic made conditional on SPM mode.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• ⚠️ Upstream sync requires manual conflict resolution capacitor-firebase#11: Both involve coordinated upstream sync with package.json and CHANGELOG updates across multiple packages.

Poem

🐰 From plus to core, the rebranding is clear,
Ionic's now steering this ecosystem dear,
Changelogs rewritten, telemetry flows free,
SPM logic refined for packages that be!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: sync plus with upstream main (conflicts)' accurately describes the main change—syncing the plus branch with upstream main while handling merge conflicts.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sync/plus-upstream-20260513-060815

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jest-environment-jsdom@​29.7.0
	jest@​29.7.0
	@​types/​xml2js@​0.4.5
	@​types/​prompts@​2.4.9
	@​types/​tmp@​0.2.6
	jest-jasmine2@​29.7.0
	@​types/​plist@​3.0.5
	@​types/​fs-extra@​11.0.4
	@​types/​jest@​29.5.14
	kleur@​4.1.5
	prompts@​2.4.2
	xml2js@​0.6.2
	@​types/​debug@​4.1.13
	native-run@​2.0.3
	commander@​12.1.0
	plist@​3.1.1
	typescript@​5.0.4
	ts-jest@​29.4.9

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/jest-environment-jsdom@29.7.0 → npm/entities@6.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 6-30: Revert any manual edits to CHANGELOG.md and restore the
CI-generated content exactly as produced by the release workflow; remove any
hand-modified lines (the version entries and notes in CHANGELOG.md) and do not
commit manual changelog changes, then re-run or trigger the repository's release
workflow/CI job that regenerates CHANGELOG.md so the correct auto-generated
entries are committed by the pipeline.

In `@ios/package.json`:
- Around line 2-6: The package name change to the Ionic-owned scope will block
publishes; update the "name" field in ios/package.json (currently
"@capacitor/ios") back to your org scope (e.g., "@capacitor-plus/ios") or
coordinate/ensure ownership of the "@capacitor" scope and registry auth before
merging; make the same revert/config change for any other packages renamed to
"@capacitor/*" so Lerna's publish scripts and .npmrc remain valid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 24ee00c0-e3ab-44f0-89d6-e689aa367c86

📥 Commits

Reviewing files that changed from the base of the PR and between f3aefab and 79bc33a.

📒 Files selected for processing (11)

• CHANGELOG.md
• android/CHANGELOG.md
• android/package.json
• cli/CHANGELOG.md
• cli/package.json
• cli/src/ios/update.ts
• cli/src/ipc.ts
• core/CHANGELOG.md
• core/package.json
• ios/CHANGELOG.md
• ios/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not manually modify generated changelog entries.

This file is CI/CD-managed, so these edits should be reverted and regenerated by the release workflow to avoid divergence.

As per coding guidelines, Do not manually edit CHANGELOG.md; it is managed automatically by CI/CD.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` around lines 6 - 30, Revert any manual edits to CHANGELOG.md
and restore the CI-generated content exactly as produced by the release
workflow; remove any hand-modified lines (the version entries and notes in
CHANGELOG.md) and do not commit manual changelog changes, then re-run or trigger
the repository's release workflow/CI job that regenerates CHANGELOG.md so the
correct auto-generated entries are committed by the pipeline.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify package identity consistency and cross-package references.
python - <<'PY'
import json, pathlib

pkg_files = [p for p in pathlib.Path('.').rglob('package.json') if 'node_modules' not in p.parts]
rows = []
for p in sorted(pkg_files):
    try:
        data = json.loads(p.read_text())
    except Exception:
        continue
    name = data.get("name")
    version = data.get("version")
    peer = data.get("peerDependencies", {})
    deps = data.get("dependencies", {})
    refs = sorted([k for k in {**peer, **deps}.keys() if k.startswith("@capacitor/") or k.startswith("@capacitor-plus/")])
    if name or refs:
        rows.append((str(p), name, version, refs))

print("== Package identities and capacitor-scope references ==")
for p, name, version, refs in rows:
    print(f"{p}\n  name={name}\n  version={version}\n  refs={refs}\n")
PY

Repository: Cap-go/capacitor-plus

Length of output: 533

---

🏁 Script executed:

# Check root package.json and npm publishing configuration
cat package.json | head -40

Repository: Cap-go/capacitor-plus

Length of output: 2599

---

🏁 Script executed:

# Look for any npm registry or publishing configuration
find . -maxdepth 2 -type f \( -name ".npmrc" -o -name ".npm*" -o -name "*.yml" -o -name "*.yaml" \) | head -20

Repository: Cap-go/capacitor-plus

Length of output: 195

---

🏁 Script executed:

# Check git remote and repository metadata
git remote -v 2>/dev/null || echo "No git remote"
git config --get remote.origin.url 2>/dev/null || echo "No origin URL"

Repository: Cap-go/capacitor-plus

Length of output: 241

---

🏁 Script executed:

# Check if there are any npm publish scripts or CI/CD configuration
find . -maxdepth 2 -type f -name "*.json" | xargs grep -l "publish" 2>/dev/null | head -10

Repository: Cap-go/capacitor-plus

Length of output: 161

---

🏁 Script executed:

cat ./.npmrc

Repository: Cap-go/capacitor-plus

Length of output: 83

---

🏁 Script executed:

cat ./cli/.npmrc ./core/.npmrc 2>/dev/null || echo "No individual .npmrc in subdirs"

Repository: Cap-go/capacitor-plus

Length of output: 101

---

🏁 Script executed:

# Check if there are any references to Cap-go or capacitor-plus scope in package.json files
grep -r "capacitor-plus" . --include="package.json" | head -20

Repository: Cap-go/capacitor-plus

Length of output: 837

---

Scope rename to @capacitor/* will block package publishing without ownership of the scope.

The workspace is configured with Lerna to automatically publish packages via npm publish (see root package.json publish scripts), but renaming all packages to @capacitor/*—which is owned by Ionic—will fail with permission denied on npmjs unless your organization owns that scope. The .npmrc contains no registry overrides. Either revert the package names to @capacitor-plus/* or configure scope ownership before merging.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ios/package.json` around lines 2 - 6, The package name change to the
Ionic-owned scope will block publishes; update the "name" field in
ios/package.json (currently "@capacitor/ios") back to your org scope (e.g.,
"@capacitor-plus/ios") or coordinate/ensure ownership of the "@capacitor" scope
and registry auth before merging; make the same revert/config change for any
other packages renamed to "@capacitor/*" so Lerna's publish scripts and .npmrc
remain valid.