npm - @savvy-web/pnpm-plugin-silk - Versions diffs - 0.1.0 → 0.3.0 - Mend

@savvy-web/pnpm-plugin-silk 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -2,23 +2,24 @@
 [![npm version](https://img.shields.io/npm/v/@savvy-web/pnpm-plugin-silk)](https://www.npmjs.com/package/@savvy-web/pnpm-plugin-silk)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Node.js](https://img.shields.io/badge/node-%3E%3D22-brightgreen)](https://nodejs.org/)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D24-brightgreen)](https://nodejs.org/)
 [![pnpm](https://img.shields.io/badge/pnpm-%3E%3D10-orange)](https://pnpm.io/)
 Centralized dependency version management for the Silk ecosystem via pnpm
-config dependencies. Share curated dependency catalogs, patches, and overrides
-across multiple repositories from a single source of truth.
+config dependencies. Share curated dependency catalogs, security overrides,
+and build configurations across multiple repositories from a single source
+of truth.
 ## Features
 - **Dual catalog strategy** - Current versions for direct dependencies
   (`catalog:silk`), permissive ranges for peer dependencies (`catalog:silkPeers`)
-- **Non-destructive merging** - Plugin catalogs merge with local definitions;
-  local entries always take precedence
-- **Override warnings** - Clear console output when local versions override
-  Silk-managed defaults
-- **Zero runtime dependencies** - Self-contained CommonJS bundle that pnpm loads
-  directly
+- **Security overrides** - Centralized CVE fixes via `silkOverrides` that
+  propagate to all consuming repositories
+- **Build configuration sync** - Shared `onlyBuiltDependencies` and
+  `publicHoistPattern` settings
+- **Non-destructive merging** - Local definitions always take precedence with
+  clear warnings for divergences
 ## Installation
@@ -33,12 +34,9 @@ hash:
 ```yaml
 configDependencies:
-  "@savvy-web/pnpm-plugin-silk": "0.1.0+sha512-abc123..."
+  "@savvy-web/pnpm-plugin-silk": "0.2.0+sha512-..."
 ```
-> **Note:** Config dependencies require exact versions with SHA-512 integrity
-> checksums. The `pnpm add --config` command generates this automatically.
 ## Quick Start
 Reference Silk catalogs in your `package.json`:
@@ -55,17 +53,16 @@ Reference Silk catalogs in your `package.json`:
 }
 ```
-The `silk` catalog provides current/latest versions for your direct
-dependencies, while `silkPeers` provides permissive ranges that allow consumers
-to use older compatible versions.
-## Documentation
+The `silk` catalog provides current/latest versions for direct dependencies,
+while `silkPeers` provides permissive ranges for peer dependencies. Security
+overrides, build script allowlists, and hoist patterns are automatically
+merged during `pnpm install`.
-For catalog contents, local overrides, TypeScript API, and advanced
-configuration, see [docs/](./docs/).
+## More Information
 - [Contributing](./CONTRIBUTING.md) - Development setup and guidelines
 - [Security Policy](./SECURITY.md) - Vulnerability reporting
+- [Design Documentation](./.claude/design/pnpm-plugin-silk/catalog-management.md) - Architecture and implementation details
 ## License

package/index.cjs CHANGED Viewed

@@ -28,11 +28,19 @@ __webpack_require__.d(__webpack_exports__, {
 const silkCatalogs = {
     silk: {
         "@changesets/cli": "^2.29.8",
-        "@microsoft/api-extractor": "^7.56.0",
+        "@commitlint/cli": "^20.4.1",
+        "@commitlint/config-conventional": "^20.4.1",
+        "@microsoft/api-extractor": "^7.56.2",
         "@rslib/core": "^0.19.4",
         "@types/node": "^25.2.0",
         "@typescript/native-preview": "^7.0.0-dev.20260203.1",
         "@vitest/coverage-v8": "^4.0.18",
+        commitizen: "^4.3.1",
+        husky: "^9.1.7",
+        "lint-staged": "^16.2.7",
+        "markdownlint-cli2": "^0.20.0",
+        "markdownlint-cli2-formatter-codequality": "^0.0.7",
+        tsx: "^4.21.0",
         turbo: "^2.8.3",
         typescript: "^5.9.3",
         vitest: "^4.0.18"
@@ -41,17 +49,40 @@ const silkCatalogs = {
         "@biomejs/biome": "^2.3.12",
         "@commitlint/cli": "^20.4.1",
         "@commitlint/config-conventional": "^20.4.1",
-        "@microsoft/api-extractor": "^7.55.2",
-        "@rslib/core": "^0.19.3",
+        "@microsoft/api-extractor": "^7.56.2",
         "@types/node": "^25.0.10",
         "@typescript/native-preview": "^7.0.0-dev.20260124.1",
         commitizen: "^4.3.1",
         husky: "^9.1.7",
-        "lint-staged": "^16.2.7",
-        "markdownlint-cli2": "^0.20.0",
-        "markdownlint-cli2-formatter-codequality": "^0.0.7",
         typescript: "^5.9.3"
-    }
+    },
+    silkOverrides: {
+        "@isaacs/brace-expansion": ">=5.0.1",
+        lodash: ">=4.17.23",
+        tmp: ">=0.2.4"
+    },
+    silkOnlyBuiltDependencies: [
+        "@parcel/watcher",
+        "@savvy-web/commitlint",
+        "@savvy-web/lint-staged",
+        "core-js",
+        "esbuild",
+        "msgpackr-extract"
+    ],
+    silkPublicHoistPattern: [
+        "@commitlint/cli",
+        "@commitlint/config-conventional",
+        "@commitlint/cz-commitlint",
+        "@microsoft/api-extractor",
+        "@rslib/core",
+        "@typescript/native-preview",
+        "husky",
+        "lint-staged",
+        "markdownlint-cli2",
+        "markdownlint-cli2-formatter-codequality",
+        "turbo",
+        "typescript"
+    ]
 };
 exports.silkCatalogs = __webpack_exports__.silkCatalogs;
 for(var __rspack_i in __webpack_exports__)if (-1 === [

package/index.d.ts CHANGED Viewed

@@ -72,6 +72,21 @@ export declare interface SilkCatalogs {
      * Use with `catalog:silkPeers` in package.json.
      */
     readonly silkPeers: Catalog;
+    /**
+     * Security overrides for known CVEs.
+     * Synced to pnpm `overrides` configuration.
+     */
+    readonly silkOverrides: Catalog;
+    /**
+     * Packages allowed to run build scripts during install.
+     * Synced to pnpm `onlyBuiltDependencies` configuration.
+     */
+    readonly silkOnlyBuiltDependencies: readonly string[];
+    /**
+     * Packages to hoist to the virtual store root.
+     * Synced to pnpm `publicHoistPattern` configuration.
+     */
+    readonly silkPublicHoistPattern: readonly string[];
 }
 /**
@@ -79,6 +94,9 @@ export declare interface SilkCatalogs {
  *
  * - `silk`: Current/latest versions for direct dependencies
  * - `silkPeers`: Permissive ranges for peerDependencies
+ * - `silkOverrides`: Security overrides for known CVEs
+ * - `silkOnlyBuiltDependencies`: Packages allowed to run build scripts
+ * - `silkPublicHoistPattern`: Packages to hoist to virtual store root
  */
 export declare const silkCatalogs: SilkCatalogs;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@savvy-web/pnpm-plugin-silk",
-	"version": "0.1.0",
+	"version": "0.3.0",
 	"private": false,
 	"description": "pnpm config dependency for centralized catalog management across the Silk ecosystem.",
 	"keywords": [
@@ -32,14 +32,21 @@
 			"import": "./index.js"
 		}
 	},
-	"optionalDependencies": {
-		"@commitlint/cli": "^20.4.1",
-		"@commitlint/config-conventional": "^20.4.1",
-		"commitizen": "^4.3.1",
-		"husky": "^9.1.7",
-		"lint-staged": "^16.2.7",
-		"markdownlint-cli2": "^0.20.0",
-		"markdownlint-cli2-formatter-codequality": "^0.0.7"
+	"peerDependencies": {
+		"@types/node": "^25.2.0",
+		"@typescript/native-preview": "^7.0.0-dev.20260203.1",
+		"typescript": "^5.9.3"
+	},
+	"peerDependenciesMeta": {
+		"@types/node": {
+			"optional": false
+		},
+		"@typescript/native-preview": {
+			"optional": false
+		},
+		"typescript": {
+			"optional": false
+		}
 	},
 	"files": [
 		"!pnpm-plugin-silk.api.json",

package/pnpmfile.cjs CHANGED Viewed

@@ -3,11 +3,19 @@ var __webpack_exports__ = {};
 const silkCatalogs = {
     silk: {
         "@changesets/cli": "^2.29.8",
-        "@microsoft/api-extractor": "^7.56.0",
+        "@commitlint/cli": "^20.4.1",
+        "@commitlint/config-conventional": "^20.4.1",
+        "@microsoft/api-extractor": "^7.56.2",
         "@rslib/core": "^0.19.4",
         "@types/node": "^25.2.0",
         "@typescript/native-preview": "^7.0.0-dev.20260203.1",
         "@vitest/coverage-v8": "^4.0.18",
+        commitizen: "^4.3.1",
+        husky: "^9.1.7",
+        "lint-staged": "^16.2.7",
+        "markdownlint-cli2": "^0.20.0",
+        "markdownlint-cli2-formatter-codequality": "^0.0.7",
+        tsx: "^4.21.0",
         turbo: "^2.8.3",
         typescript: "^5.9.3",
         vitest: "^4.0.18"
@@ -16,17 +24,40 @@ const silkCatalogs = {
         "@biomejs/biome": "^2.3.12",
         "@commitlint/cli": "^20.4.1",
         "@commitlint/config-conventional": "^20.4.1",
-        "@microsoft/api-extractor": "^7.55.2",
-        "@rslib/core": "^0.19.3",
+        "@microsoft/api-extractor": "^7.56.2",
         "@types/node": "^25.0.10",
         "@typescript/native-preview": "^7.0.0-dev.20260124.1",
         commitizen: "^4.3.1",
         husky: "^9.1.7",
-        "lint-staged": "^16.2.7",
-        "markdownlint-cli2": "^0.20.0",
-        "markdownlint-cli2-formatter-codequality": "^0.0.7",
         typescript: "^5.9.3"
-    }
+    },
+    silkOverrides: {
+        "@isaacs/brace-expansion": ">=5.0.1",
+        lodash: ">=4.17.23",
+        tmp: ">=0.2.4"
+    },
+    silkOnlyBuiltDependencies: [
+        "@parcel/watcher",
+        "@savvy-web/commitlint",
+        "@savvy-web/lint-staged",
+        "core-js",
+        "esbuild",
+        "msgpackr-extract"
+    ],
+    silkPublicHoistPattern: [
+        "@commitlint/cli",
+        "@commitlint/config-conventional",
+        "@commitlint/cz-commitlint",
+        "@microsoft/api-extractor",
+        "@rslib/core",
+        "@typescript/native-preview",
+        "husky",
+        "lint-staged",
+        "markdownlint-cli2",
+        "markdownlint-cli2-formatter-codequality",
+        "turbo",
+        "typescript"
+    ]
 };
 const WARNING_BOX_WIDTH = 75;
 function formatOverrideWarning(overrides) {
@@ -72,20 +103,50 @@ function mergeSingleCatalog(catalogName, silkCatalog, localCatalog, overrides) {
     }
     return merged;
 }
+function mergeOverrides(silkOverrides, localOverrides, overrideWarnings) {
+    const merged = {
+        ...silkOverrides
+    };
+    if (!localOverrides) return merged;
+    for (const [pkg, localVersion] of Object.entries(localOverrides)){
+        const silkVersion = silkOverrides[pkg];
+        if (void 0 !== silkVersion && silkVersion !== localVersion) overrideWarnings.push({
+            catalog: "overrides",
+            package: pkg,
+            silkVersion,
+            localVersion
+        });
+        merged[pkg] = localVersion;
+    }
+    return merged;
+}
+function mergeStringArrays(silkArray, localArray) {
+    const merged = new Set(silkArray);
+    if (localArray) for (const item of localArray)merged.add(item);
+    return [
+        ...merged
+    ].sort((a, b)=>a.localeCompare(b));
+}
 function updateConfig(config) {
     try {
-        const overrides = [];
+        const warnings = [];
         const existingCatalogs = config.catalogs ?? {};
-        const mergedSilk = mergeSingleCatalog("silk", silkCatalogs.silk, existingCatalogs.silk, overrides);
-        const mergedSilkPeers = mergeSingleCatalog("silkPeers", silkCatalogs.silkPeers, existingCatalogs.silkPeers, overrides);
-        warnOverrides(overrides);
+        const mergedSilk = mergeSingleCatalog("silk", silkCatalogs.silk, existingCatalogs.silk, warnings);
+        const mergedSilkPeers = mergeSingleCatalog("silkPeers", silkCatalogs.silkPeers, existingCatalogs.silkPeers, warnings);
+        const mergedOverrides = mergeOverrides(silkCatalogs.silkOverrides, config.overrides, warnings);
+        const mergedOnlyBuiltDependencies = mergeStringArrays(silkCatalogs.silkOnlyBuiltDependencies, config.onlyBuiltDependencies);
+        const mergedPublicHoistPattern = mergeStringArrays(silkCatalogs.silkPublicHoistPattern, config.publicHoistPattern);
+        warnOverrides(warnings);
         return {
             ...config,
             catalogs: {
                 ...existingCatalogs,
                 silk: mergedSilk,
                 silkPeers: mergedSilkPeers
-            }
+            },
+            overrides: mergedOverrides,
+            onlyBuiltDependencies: mergedOnlyBuiltDependencies,
+            publicHoistPattern: mergedPublicHoistPattern
         };
     } catch (error) {
         console.warn("[pnpm-plugin-silk] Error merging catalogs, using local config only:", error instanceof Error ? error.message : String(error));

package/tsdoc-metadata.json CHANGED Viewed

@@ -5,7 +5,7 @@
   "toolPackages": [
     {
       "packageName": "@microsoft/api-extractor",
-      "packageVersion": "7.56.0"
+      "packageVersion": "7.56.2"
     }
   ]
 }