feat: Add option to use Oxfmt for formatting changelog

[Mrtenz]

This adds a new --formatter option, which can be set to either "prettier" or "oxfmt", and deprecates the --prettier option. I've also refactored the logic to load Prettier dynamically, so both Oxfmt and Prettier are now optional peer dependencies.

Tested in MetaMask/core:

• chore: Format changelogs with Oxfmt core#8442

---

Note

Medium Risk
Moderate risk: changes CLI flags and formatting behavior via dynamic imports, which could affect consumers relying on the deprecated --prettier flag or missing optional peer deps at runtime.

Overview
Adds a new --formatter CLI option to choose changelog formatting (prettier or oxfmt, with none for validate) and deprecates the legacy --prettier flag (which still takes precedence when provided).

Refactors changelog formatting to route through new src/formatters.ts helpers that dynamically import Prettier/Oxfmt and throw clearer errors when the chosen formatter isn’t installed, and updates tests and package metadata to treat prettier/oxfmt as optional peer dependencies.

^{Reviewed by Cursor Bugbot for commit b0fc35a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[Mrtenz]

@metamaskbot publish-preview

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	oxfmt@​0.45.0

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		System shell access: npm oxfmt in module child_process Module: child_process Location: Package overview From: package.json → npm/oxfmt@0.45.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.45.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[Mrtenz]

@metamaskbot publish-preview

[github-actions]

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/auto-changelog@6.0.0-preview-7ee0be4

See these instructions for more information about preview builds.

[Mrtenz]

@metamaskbot publish-preview

[github-actions]

A preview build for this branch has been published.

You can configure your project to use the preview build with this identifier:

npm:@metamask-previews/auto-changelog@6.0.0-preview-b0fc35a

See these instructions for more information about preview builds.

[Mrtenz]

This is a little bit verbose, but needed for backwards compatibility with --no-prettier.

[mcmire]

Tested these changes in core and they seem to work well.

LGTM.