@meadown/logger 1.8.5 → 1.8.6
- package/SECURITY.md +8 -0
- package/package.json +1 -1
package/SECURITY.md
CHANGED
@@ -21,6 +21,14 @@ Only the latest published `@meadown/logger` release receives security fixes.
- **Zero runtime dependencies.** Installing the package pulls in no transitive
packages, so there is no third-party supply-chain surface to inherit.
+
- **Build script never reaches a consumer's machine.** There is a small script,
+
`scripts/write-cjs-pkg.mjs`, that runs on the maintainer's machine as part of
+
`pnpm build`. Its only job is to drop a `{ "type": "commonjs" }` marker into
+
`dist/cjs/` so Node loads the CommonJS build correctly. It never goes further
+
than that — `scripts/` is listed in `.npmignore`, so npm removes it before
+
creating the tarball. By the time the package hits the registry, the script is
+
already gone. What does ship is the two-field JSON file it produced, which
+
contains no code and executes nothing.
- **No I/O or dynamic execution.** It does not read or write files, open network
connections, spawn processes, or use `eval`/`Function`. It only writes to the
console and reads `process.env.NODE_ENV` (to stay quiet in production). (The
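Review bot: the new bullet is inserted between "Zero runtime dependencies" and "No I/O or dynamic execution", and the unchanged context line that follows opens with "It does not read or write files"; with the new bullet in place, "It" now reads as referring to `scripts/write-cjs-pkg.mjs`, which the bullet itself says does write a file. Suggest naming the subject explicitly in the following bullet ("The logger does not read or write files...") or placing the build-script bullet after it. Two smaller points in the added lines: the marker is described as `{ "type": "commonjs" }` (one field) and then as "the two-field JSON file it produced", so one of the two should be corrected to match what the script actually emits; and the exclusion guarantee rests solely on `scripts/` being listed in `.npmignore`, so it would help consumers to state whether `package.json` also uses a `files` allowlist and to point them at a verification step such as `npm pack --dry-run`, which lists exactly what will go into the tarball.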
package/package.json
CHANGED