@dpuse/dpuse-development 0.3.559 → 0.3.563

package/README.md

@@ -2,7 +2,8 @@
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE)
 [![npm version](https://img.shields.io/npm/v/@dpuse/dpuse-development.svg)](https://www.npmjs.com/package/@dpuse/dpuse-development)
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=dpuse_dpuse-development&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=dpuse_dpuse-development)
+[![CodeQL](https://github.com/dpuse/dpuse-development/actions/workflows/codeql.yml/badge.svg)](https://github.com/dpuse/dpuse-development/actions/workflows/codeql.yml)[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=dpuse_dpuse-development&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=dpuse_dpuse-development)
+[![CI](https://github.com/dpuse/dpuse-development/actions/workflows/ci.yml/badge.svg)](https://github.com/dpuse/dpuse-development/actions/workflows/ci.yml)
 
 <!-- SUMMARY_START -->
 
@@ -105,25 +106,9 @@ Common resources (files) used across Data Positioning projects.
 | Markdown lint rules                           | [.markdownlint.json](.markdownlint.json)                             |
 | VS Code key bindings                          | [resources/vsCodeKeyBindings.json](resources/vsCodeKeyBindings.json) |
 
-## Bundle Analysis Reports
-
-The Bundle Analysis Report provides a detailed breakdown of the bundle’s composition and module sizes, helping identify which modules contribute most to the final build. It is generated automatically on each release using the `npm` package [rollup-plugin-visualizer](https://www.npmjs.com/package/rollup-plugin-visualizer).
-
-[View the Bundle Analysis Report](https://dpuse.github.io/dpuse-development/bundle-analysis-reports/rollup-visualiser/index.html) created by the **rollup visualiser** plugin.
-
-[View the Bundle Analysis Report](https://dpuse.github.io/dpuse-development/bundle-analysis-reports/sonda/index.html) created by the **sonda** plugin.
-
-## Dependency Check Report
-
-The OWASP Dependency Check Report identifies known vulnerabilities in project dependencies. It is generated automatically on each release using the `npm` package [owasp-dependency-check](https://dependency-check.github.io/DependencyCheck/index.html).
-
-[View the OWASP Dependency Check Report](https://dpuse.github.io/dpuse-development/dependency-check-reports/dependency-check-report.html)
-
 ## Dependency Licenses
 
-The following table lists the top-level production and peer dependencies. All of these dependencies—along with their transitive dependencies—have been recursively verified to use one of the following commercially friendly licenses: **BSD-2-Clause**, **CC0-1.0**, or **MIT**. Developers cloning this repository should independently verify all **development** and **optional** dependencies. This project supports development activities only. It is not used in production or distributed in any other form.
-
-We use the `npm` packages [license-report](https://www.npmjs.com/package/license-report), [license-report-check](https://www.npmjs.com/package/license-report-check), [license-report-recursive](https://www.npmjs.com/package/license-report-recursive) and [license-downloader](https://www.npmjs.com/package/license-downloader) to identify all dependency licenses and include copies of them. We do not use any unlicensed dependencies in either production or development.
+License data is collected automatically on each release using [license-checker](https://github.com/RSeidelsohn/license-checker-rseidelsohn). The following table lists all production dependencies. These dependencies (including transitive ones) have been checked and confirmed to use Apache-2.0, BSD-3-Clause, CC0-1.0, or MIT — all permissive, commercially-friendly licenses. Developers cloning this repository should independently verify development dependencies; users of the uploaded library are covered by these checks.
 
 <!-- DEPENDENCY_LICENSES_START -->
 
@@ -139,6 +124,8 @@ We use the `npm` packages [license-report](https://www.npmjs.com/package/license
 
 <!-- DEPENDENCY_LICENSES_END -->
 
+The dependency tree below lists every package in this project — direct and transitive — along with its installed version, release date, and update status. Packages flagged ❗ have a newer version available; ⚠️ indicates a package that hasn't been updated in the last 6 months or longer. Neither flag necessarily indicates a problem: we let new releases stabilise before upgrading, and some packages are simply mature and stable, requiring no active development.
+
 <!-- DEPENDENCY_TREE_START -->
 
 - **[@dpuse/dpuse-shared](https://github.com/data-positioning/dpuse-shared)** 0.3.675 — this month: 2026-06-23
@@ -148,27 +135,57 @@ We use the `npm` packages [license-report](https://www.npmjs.com/package/license
     - **[acorn](https://github.com/acornjs/acorn)** 8.17.0 — this month: 2026-06-11
 - **[acorn](https://github.com/acornjs/acorn)** 8.17.0 — this month: 2026-06-11
 - **[nanoid](https://github.com/ai/nanoid)** 5.1.15 — this month: 2026-06-20
-- **[valibot](https://github.com/open-circle/valibot)** 1.4.1 — 1 month ago: 2026-05-24
-    - **[typescript](https://github.com/microsoft/TypeScript)** 6.0.3 — 2 months ago: 2026-04-16
-      <!-- DEPENDENCY_TREE_END -->
+- **[valibot](https://github.com/open-circle/valibot)** 1.4.1 — 1 month ago: 2026-05-24 - **[typescript](https://github.com/microsoft/TypeScript)** 6.0.3 — 2 months ago: 2026-04-16
+
+<!-- DEPENDENCY_TREE_END -->
+
+## Bundle Analysis
+
+The Bundle Analysis Reports provide detailed breakdowns of the bundle's composition and module sizes, helping to identify which modules contribute most to the final build. Two complementary reports are generated automatically on each release:
+
+- **[rollup-plugin-visualizer](https://github.com/btd/rollup-plugin-visualizer/tree/master)** — generates a static treemap/sunburst view based on pre-build module estimates, useful for a quick visual scan of overall bundle composition, including CSS assets.
+- **[Sonda](https://sonda.dev/)** — analyses final source maps to capture the effects of tree-shaking and minification, rather than relying on pre-build estimates. This gives a more accurate picture of what's actually shipped, traces module-level dependencies, and shows the size of each module after tree-shaking and minification for more precise insight into what's driving bundle size. Note: Sonda's Vite reports currently exclude CSS files, since Vite does not generate source maps for CSS.
+
+[View the rollup-plugin-visualizer Report](https://dpuse.github.io/dpuse-connector-file-store-emulator/bundle-analysis-reports/rollup-visualiser/index.html).
+
+[View the Sonda Report](https://dpuse.github.io/dpuse-connector-file-store-emulator/bundle-analysis-reports/sonda/index.html).
+
+## Security & Quality
+
+### CodeQL
+
+[CodeQL](https://github.com/dpuse/dpuse-development/security/code-scanning) static analysis runs on every push to `main` and on a weekly schedule, scanning TypeScript, JavaScript, Rust, and GitHub Actions workflow files for security vulnerabilities and coding errors.
+
+### SonarCloud
+
+[SonarCloud](https://sonarcloud.io/summary/new_code?id=dpuse_dpuse_development) performs continuous code quality and security analysis on every push, detecting bugs, code smells, and security vulnerabilities in the TypeScript source.
+
+### Vulnerability Scanning
+
+Two complementary tools continuously monitor dependencies for known vulnerabilities:
+
+- **[GitHub Dependabot](https://docs.github.com/en/code-security/dependabot)** automatically raises pull requests to update vulnerable dependencies, drawing on the GitHub Advisory Database which combines NVD and npm-specific advisories.
+- **npm audit** runs on every push to `main` via the CI workflow, failing the build if any high or critical severity vulnerabilities are detected.
+
+### Supply Chain Security
 
-Insert link to other document for detailed explanation. Only show messages if issues arise.
+[Socket.dev](https://socket.dev) monitors all dependencies for supply chain risk — detecting malicious packages, dependency confusion, typosquatting, and suspicious behaviour that may not yet have a CVE.
 
-1. **Installed** column:
+### Reporting Vulnerabilities
 
-    The ⚠️ symbol indicates that the installed version does not match the latest available version.”.
+Please do not open public GitHub issues for security vulnerabilities. Use [GitHub private vulnerability reporting](https://github.com/dpuse/dpuse-development/security/advisories/new) instead. See [SECURITY.md](./SECURITY.md) for the full disclosure policy, contact details, and expected response times.
 
-1. **Latest Release** column:
+### OpenSSF 🚧
 
-    The ⚠️ symbol indicates that the dependency has gone **more than 6 months** without an update but **no more than 12 months**.
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/dpuse/dpuse-development/badge)](https://scorecard.dev/viewer/?uri=github.com/dpuse/dpuse-development)
 
-    The ❗ symbol indicates a dependency that has gone **more than 12 months** without an update.
+This project is working towards the [OpenSSF Best Practices](https://www.bestpractices.dev) Passing badge, a self-certification covering security policy, vulnerability reporting, build processes, code quality, and more. The [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/dpuse/dpuse-shared) provides an independent automated assessment of the project's security practices and is an ongoing area of improvement.
 
-    If a dependency has no, or only a small number of, transitive dependencies, then it may not require frequent updates. The **Deps** column shows the number of transitive dependencies. Full details for these dependencies can be found in [licenses/licenseTree.json](licenses/licenseTree.json).
+## Contributing
 
-1. **Document** column:
+This repository is maintained solely by its owner and does not accept external contributions. It is part of a larger closed application suite and is published for informational and cloning purposes only.
 
-    The “⚠️ No license file” message indicates a dependency that does not include a license file.
+If you find a security vulnerability, see [Reporting Vulnerabilities](#reporting-vulnerabilities). For bugs, inconsistencies, or other feedback, you are welcome to [open a GitHub issue](https://github.com/dpuse/dpuse-development/issues) — feedback is read, but responses and fixes are at the maintainer's discretion.
 
 ## License
 

package/dist/dpuse-development.es.js

@@ -5907,7 +5907,7 @@ var Jn = "<!-- DEPENDENCY_LICENSES_START -->", Yn = "<!-- DEPENDENCY_LICENSES_EN
 async function Qn(e = "MIT") {
 	try {
 		G("Document Dependencies"), await An("1️⃣  Clear downloaded licenses", "licenses/downloads");
-		let t = await W("package.json"), n = `${t.name ?? ""}@${t.version ?? ""}`;
+		let t = await W("package.json");
 		await Mn("2️⃣  Identify production licenses", "license-checker-rseidelsohn", [
 			"--production",
 			"--json",
@@ -5918,7 +5918,7 @@ async function Qn(e = "MIT") {
 			"--onlyAllow",
 			`"${e}"`,
 			"--excludePackages",
-			`"${n}"`,
+			`"${t.name ?? ""}"`,
 			"--out",
 			"licenses/licenses.json"
 		]), await Pn("3️⃣  Identify transitive dependencies", "npm", [