@vltpkg/vsr 0.2.0

package/README.md

@@ -0,0 +1,373 @@
+# **vlt** serverless registry (`vsr`)
+
+`vsr` aims to be a minimal "npm-compatible" registry which replicates the core features found in `registry.npmjs.org` as well as adding net-new capabilities.
+
+<img src="https://github.com/user-attachments/assets/e76c6f8a-a078-4787-963c-8ec95a879731" alt="vsr api screenshot" />
+
+**Table of Contents:**
+
+- [Quick Starts](#quick-starts)
+- [Requirements](#requirements)
+- [API](#api)
+- [Compatibility](#compatibility)
+- [Comparisons](#comparisons)
+- [Roadmap](#roadmap)
+- [License](#license)
+- [Testing](#testing)
+
+### Quick Starts
+
+#### Local
+
+You can quickly get started by installing/executing `vsr` with the following command:
+
+```bash
+vlx -y @vltpkg/vsr
+```
+
+#### Production
+
+You can deploy `vsr` to [Cloudflare](https://www.cloudflare.com/) in under 5 minutes, for free, with a single click (coming soon).
+
+<img src="https://github.com/user-attachments/assets/528deda2-4c20-44c9-b057-f07c2e2e3c71" alt="Deply to Cloudflare Workers" width="200" />
+
+<!-- [![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/vltpkg/vsr) -->
+
+Alternatively, you can deploy to production using [`wrangler`](https://www.npmjs.com/package/wrangler) after following the **Development** quick start steps.
+
+#### Development
+
+```bash
+# clone the repo
+git clone https://github.com/vltpkg/vsr.git
+
+# navigate to the repository directory
+cd ./vsr
+
+# install the project's dependencies
+vlt install
+
+# run the development script
+vlr dev
+```
+
+For detailed information on development workflow, testing, and contributing to the project, please see our [CONTRIBUTING.md](CONTRIBUTING.md) guide.
+
+### Requirements
+
+#### Production
+
+- [Cloudflare (free account at minimum)](https://www.cloudflare.com/en-ca/plans/developer-platform/)
+  - Workers (free: 100k requests /day)
+  - D1 Database (free: 100k writes, 5M reads /day & 5GB Storage /mo)
+  - R2 Bucket (free: 1M writes, 10M reads & 10GB /mo)
+
+> Note: all usage numbers & pricing documented is as of **October 24th, 2024**. Plans & metering is subject to change at Cloudflare's discretion.
+
+#### Development
+
+- `git`
+- `node`
+- `vlt`
+
+### Granular Access Tokens
+
+All tokens are considered "granular access tokens" (GATs). Token entries in the database consist of 3 parts:
+
+- `token` the unique token value
+- `uuid` associative value representing a single user/scope
+- `scope` value representing the granular access/privileges
+
+#### `scope` as a JSON `Object`
+
+A `scope` contains an array of privileges that define both the type(s) of & access value(s) for a token.
+
+> [!NOTE]
+> Tokens can be associated with multiple "types" of access
+
+- `type(s)`:
+  - `pkg:read` read associated packages
+  - `pkg:read+write` write associated packages (requires read access)
+  - `user:read` read associated user
+  - `user:read+write` write associated user (requires read access)
+- `value(s)`:
+  - `*` an ANY selector for `user:` or `pkg:` access types
+  - `~<user>` user selector for the `user:` access type
+  - `@<scope>/<pkg>` package specific selector for the `pkg:` access type
+  - `@<scope>/*` glob scope selector for `pkg:` access types
+
+> [!NOTE]
+> - user/org/team management via `@<scope>` is not supported at the moment
+
+<details>
+
+  <summary><h4>Granular Access Examples</h4></summary>
+
+##### End-user/Subscriber Persona
+
+- specific package read access
+- individual user read+write access
+
+```json
+[
+  {
+    "values": ["@organization/package-name"],
+    "types": {
+      "pkg": {
+        "read": true,
+      }
+    }
+  },
+  {
+    "values": ["~johnsmith"],
+    "types": {
+      "user": {
+        "read": true,
+        "write": true,
+      }
+    }
+  }
+]
+```
+
+##### Team Member/Maintainer Persona
+
+- scoped package read+write access
+- individual user read+write access
+
+```json
+[
+  {
+    "values": ["@organization/*"],
+    "types": {
+      "pkg": {
+        "read": true
+      }
+    }
+  },
+  {
+    "values": ["~johnsmith"],
+    "types": {
+      "user": {
+        "read": true,
+        "write": true,
+      }
+    }
+  }
+]
+```
+
+##### Package Publish CI Persona
+
+- organization scoped packages read+write access
+- individual user read+write access
+
+```json
+[
+  {
+    "values": ["@organization/package-name"],
+    "types": {
+      "pkg": {
+        "read": true
+      }
+    }
+  },
+  {
+    "values": ["~johnsmith"],
+    "types": {
+      "user": {
+        "read": true,
+        "write": true,
+      }
+    }
+  }
+]
+```
+
+##### Organization Admin Persona
+
+- organization scoped package read+write access
+- organization users read+write access
+
+```json
+[
+  {
+    "values": ["@company/*"],
+    "types": {
+      "pkg": {
+        "read": true,
+        "write": true
+      },
+      "user": {
+        "read": true,
+        "write": true
+      }
+    }
+  }
+]
+```
+
+##### Registry Owner/Admin Persona
+
+```json
+[
+  {
+    "values": ["*"],
+    "types": {
+      "pkg": {
+        "read": true,
+        "write": true
+      },
+      {
+        "user": {
+          "read": true,
+          "write": true
+        }
+      }
+    }
+  }
+]
+```
+
+</details>
+
+### API
+
+We have rich, interactive API docs out-of-the-box with the help of our friends [Scalar](https://scalar.com/). The docs can be found at the registry root when running `vsr` locally (ex. run `vlx -y @vltpkg/vsr` &/or check out this repo & run `vlr dev`)
+
+Notable API features include:
+- Complete npm-compatible registry API
+- Semver range resolution for package version requests
+- Support for URL-encoded complex semver ranges (e.g., `%3E%3D1.0.0%20%3C2.0.0` for `>=1.0.0 <2.0.0`)
+- Background refresh of stale package data
+- Minimal JSON responses for faster installs
+
+### `npm` Client Compatibility
+
+The following commands should work out-of-the-box with `npm` & any other `npm` "compatible" clients although their specific commands & arguments may vary (ex. `vlt`, `yarn`, `pnpm` & `bun`)
+
+#### Configuration
+
+##### For `vlt`:
+
+...
+
+
+##### For `npm`, `pnpm`, `yarn` & `bun`:
+
+To use `vsr` as your registry you must either pass a registry config through a client-specific flag (ex. `--registry=...` for `npm`) or define client-specific configuration which stores the reference to your registry (ex. `.npmrc` for `npm`). Access to the registry & packages is private by default although an `"admin"` user is created during setup locally (for development purposes) with a default auth token of `"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`.
+
+```ini
+; .npmrc
+registry=http://localhost:1337
+//localhost:1337/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```
+
+<h4>Supported `npm` Client Commands</h4>
+
+| Support | Commannd |
+| :--: | :-- |
+| ✅ | `access` |
+| ✅ | `access list packages` |
+| ✅ | `access get status` |
+| ✅ | `access set status` |
+| 🕤 | `access set mfa` |
+| ✅ | `access grant` |
+| ✅ | `access revoke` |
+| 🕤 | `adduser` - `PUT /-/org/@<org>/<user>`: Adds/updates a user (requires admin privileges) |
+| ⏳ | `audit` |
+| ✅ | `bugs` |
+| ✅ | `dist-tag add` |
+| ✅ | `dist-tag rm` |
+| ✅ | `dist-tag ls` |
+| ✅ | `deprecate` |
+| ✅ | `docs` |
+| ✅ | `exec` |
+| ✅ | `install` |
+| ⏳ | `login` |
+| ⏳ | `logout` |
+| 🕤 | `org` |
+| ✅ | `outdated` |
+| 🕤 | `owner add` |
+| 🕤 | `owner rm` |
+| 🕤 | `owner ls` |
+| ✅ | `ping` |
+| 🕤 | `profile enable-2fa` |
+| 🕤 | `profile disable-2fa` |
+| ✅ | `profile get` |
+| 🕤 | `profile set` - `PUT /-/npm/v1/user`: Updates a user (requires auth) |
+| ✅ | `publish` |
+| ✅ | `repo` |
+| ✅ | `search` |
+| 🕤 | `team` |
+| ✅ | `view` |
+| ✅ | `whoami` |
+
+### Registry Comparisons
+
+| Feature | **vsr** | **npm** | **GitHub** | **Verdaccio** | **JSR** | **jFrog** | **Sonatype** | **Cloudsmith** | **Buildkite** | **Bit** |
+| -- | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |  :-: | :-: |
+| License | `FSL-1.1-MIT` | `Closed Source` | `Closed Source` | `MIT` | `MIT` | `Closed Source` | `Closed Source`  | `Closed Source` | `Closed Source` | `Closed Source` |
+| Authored Language | `JavaScript` | `JavaScript` | `Ruby`/`Go` | `TypeScript` | `Rust` | `-` |  `-` |  `-` |  `-` |   `-` |
+| Publishing | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Installation | ✅ | ✅ | ✅ | ✅ | ✴️ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Search | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Scoped Packages | ✅ | ✅  | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Unscoped Packages | ✅ | ✅  | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
+| Proxying Upstream Sources | ✅ | ❌ | ✴️ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
+| Hosted Instance | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Hosted Instance Cost | `$` | `-` | `$$$$` | `-` | `-` | `$$$$` | `$$$$` | `$$$$` |  `$$$` | `$$$` |
+| Self-Hosted Instance | ✅ | ❌ | ✴️ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
+| Self-Hosted Instance Cost | 🆓 | `-` | `$$$$$` | `$` | `$` | `$$$$$` | `$$$$$` |  `-` | `-` |  `-` |
+| Hosted Public Packages | ⏳ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Hosted Private Packages | 🕤 | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Hosted Private Package Cost | `-` | `$$` | 🆓 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 🆓 |
+| Granular Access/Permissions | ✅ | ✴️ | ❌ | ✅ | ❌ | ✴️ | ✴️ | ✴️ | ✴️ | ❌ |
+| Manifest Validation | ✅ | ✴️ | ❌ | ❌ | ✴️ | ✴️ | ✴️ | ❌ | ❌ | ❌ |
+| Audit | 🕤 | ✴️ | ❌ | ✴️ | ✴️ | ✴️ | ✴️ | ✴️ | ❌ | ❌ |
+| Events/Hooks | 🕤 | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| Plugins | 🕤 | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| Multi-Cloud | 🕤 | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| Documentation Generation | 🕤 | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✴️ |
+| Unpackaged Files/ESM Imports | 🕤 | ❌ | ❌ | ❌ | ✴️ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| Variant Support | 🕤 | ❌ | ❌ | ❌ | ✴️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
+
+#### Legend:
+- ✅ implemented
+- ✴️ supported with caveats
+- ⏳ in-progress
+- 🕤 planned
+- ❌ unsupported
+- `$` expense estimation (0-5)
+
+### Roadmap
+
+#### v1.0.0
+
+| Status | Feature |
+| :--: | :-- |
+| ⏳ | web: user login (ex. `npm login` / `--auth-type=web`) |
+| ⏳ | web: user account management (`hosted`) |
+| ⏳ | web: user registration (`hosted`) |
+| ⏳ | web: admin user management (`hosted`) |
+| ⏳ | web: package pages |
+| ⏳ | web: search |
+| ⏳ | api: rate-limiting |
+
+#### v1.x
+
+| Status | Feature |
+| :--: | :-- |
+| 🕤 | api: package insights (powered by socket) |
+| 🕤 | api: audit (powered by socket) |
+| 🕤 | mfa access provisioning |
+| 🕤 | orgs |
+| 🕤 | teams |
+| 🕤 | staging |
+| 🕤 | events/hooks |
+| 🕤 | plugins/middleware |
+| 🕤 | variants/distributions |
+
+### License
+
+This project is licensed under the [Functional Source License](https://fsl.software) ([**FSL-1.1-MIT**](LICENSE.md)).

package/bin/vsr.ts

@@ -0,0 +1,29 @@
+#!/usr/bin/env node --no-warnings --experimental-strip-types
+import { fileURLToPath } from 'node:url'
+import path from 'node:path'
+import { execSync } from 'node:child_process'
+import { PathScurry } from 'path-scurry'
+import { PackageJson } from '@vltpkg/package-json'
+import { createServer } from '@vltpkg/server'
+import { SecurityArchive } from '@vltpkg/security-archive'
+import { DAEMON_PORT } from '../config.ts'
+import packageJson from '../package.json' with { type: 'json' }
+
+const __filename: string = fileURLToPath(import.meta.url)
+const __dirname: string = path.dirname(__filename)
+const cwd: string = path.resolve(__dirname, '../')
+
+const server = createServer({
+  scurry: new PathScurry(cwd),
+  projectRoot: cwd,
+  packageJson: new PackageJson(),
+  securityArchive: new SecurityArchive(),
+  port: DAEMON_PORT
+} as any)
+
+await server.start({
+  port: DAEMON_PORT
+})
+
+console.log(`Listening on ${server.address()}`)
+execSync(packageJson.scripts['serve:dev'], { cwd, stdio: 'inherit' })

package/config.ts

@@ -0,0 +1,124 @@
+// get openapi schema
+import { API } from './src/api.ts'
+import wranglerJson from './wrangler.json' with { type: 'json' }
+import packageJson from './package.json' with { type: 'json' }
+import type { OriginConfig, CookieOptions, ApiDocsConfig } from './types.ts'
+
+export const DEV_CONFIG = wranglerJson.dev
+
+export const DAEMON_PORT: number = 3000
+
+export const VERSION: string = packageJson.version
+
+// how to handle packages requests
+export const ORIGIN_CONFIG: OriginConfig = {
+  default: 'local',
+  upstreams: {
+    local: {
+      type: 'local',
+      url: 'http://localhost:8787',
+      allowPublish: true
+    },
+    vsr: {
+      type: 'vsr',
+      url: 'https://vsr.io'
+    },
+    npm: {
+      type: 'npm',
+      url: 'https://registry.npmjs.org'
+    },
+    jsr: {
+      type: 'jsr',
+      url: 'https://jsr.io'
+    }
+  }
+}
+
+// Reserved route prefixes that cannot be used as upstream names
+export const RESERVED_ROUTES: string[] = [
+  '-',
+  'user',
+  'docs',
+  'search',
+  'tokens',
+  'auth',
+  'ping',
+  'package',
+  'v1',
+  'api',
+  'admin',
+  '*'  // Reserved for hash-based routes
+]
+
+// Backward compatibility - maintain old PROXY behavior
+export const PROXY: boolean = Object.keys(ORIGIN_CONFIG.upstreams).length > 1
+export const PROXY_URL: string | undefined = ORIGIN_CONFIG.upstreams[ORIGIN_CONFIG.default]?.url
+
+// exposes a publically accessible docs endpoint
+export const EXPOSE_DOCS: boolean = true
+
+// the domain the registry is hosted on
+export const DOMAIN: string = `http://localhost:${DEV_CONFIG.port}`
+export const REDIRECT_URI: string = `${DOMAIN}/-/auth/callback`
+
+// the time in seconds to cache the registry
+export const REQUEST_TIMEOUT: number = 60 * 1000
+
+// cookie options
+export const COOKIE_OPTIONS: CookieOptions = {
+  path: '/',
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+}
+
+// the docs configuration for the API reference
+export const API_DOCS: ApiDocsConfig = {
+  metaData: {
+    title: 'vlt serverless registry'
+  },
+  hideModels: false,
+  hideDownloadButton: false,
+  darkMode: false,
+  favicon: '/public/images/favicon/favicon.svg',
+  defaultHttpClient: {
+    targetKey: 'curl',
+    clientKey: 'fetch',
+  },
+  authentication: {
+    http: {
+      bearer: {
+        token: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+      },
+      basic: {
+        username: 'user',
+        password: 'pass'
+      }
+    }
+  },
+  hiddenClients: {
+    python: true,
+    c: true,
+    go: true,
+    java: true,
+    ruby: true,
+    shell: ['httpie', 'wget', 'fetch'],
+    clojure: true,
+    csharp: true,
+    kotlin: true,
+    objc: true,
+    swift: true,
+    r: true,
+    powershell: false,
+    ocaml: true,
+    curl: false,
+    http: true,
+    php: true,
+    node: ['request', 'unirest'],
+    javascript: ['xhr', 'jquery']
+  },
+  spec: {
+    content: API
+  },
+  customCss: `@import '${DOMAIN}/public/styles/styles.css';`
+}

package/debug-npm.js

@@ -0,0 +1,19 @@
+const { execSync } = require('child_process');
+const fs = require('fs');
+
+console.log('Starting wrangler dev in background...');
+const child = execSync('npx wrangler dev --port 1337 &', { stdio: 'pipe' });
+
+// Wait for server to start
+setTimeout(() => {
+  console.log('Testing npm proxy...');
+  try {
+    const result = execSync('curl -v http://localhost:1337/npm/sleepover', { encoding: 'utf8' });
+    console.log('Result:', result);
+  } catch (error) {
+    console.log('Error:', error.stdout);
+  }
+
+  // Kill wrangler
+  execSync('pkill -f wrangler');
+}, 5000);

package/drizzle.config.js

@@ -0,0 +1,33 @@
+import { defineConfig } from 'drizzle-kit'
+import { join } from 'path'
+import { existsSync, readdirSync } from 'fs'
+
+// Find the actual SQLite database file in the miniflare-D1DatabaseObject directory
+let dbPath = './local.db' // Fallback
+const miniflareDir = join('./local-store', 'v3', 'd1', 'miniflare-D1DatabaseObject')
+
+if (existsSync(miniflareDir)) {
+  // Look for the most recently modified SQLite file
+  const files = readdirSync(miniflareDir)
+    .filter(file => file.endsWith('.sqlite'))
+    .map(file => {
+      const fullPath = join(miniflareDir, file);
+      return { file, fullPath };
+    });
+
+  if (files.length > 0) {
+    // Just use the first file if there's only one
+    dbPath = files[0].fullPath;
+    console.log('Using D1 database at:', dbPath);
+  }
+}
+
+// For Drizzle Kit
+export default defineConfig({
+  schema: './src/db/schema.ts',
+  out: './src/db/migrations',
+  dialect: 'sqlite',
+  dbCredentials: {
+    url: dbPath
+  }
+})

package/package.json

@@ -0,0 +1,80 @@
+{
+  "name": "@vltpkg/vsr",
+  "version": "0.2.0",
+  "license": "FSL-1.1-MIT",
+  "author": "vlt technology inc. <support@vlt.sh> (http://vlt.sh)",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vltpkg/vltpkg.git",
+    "directory": "src/vsr"
+  },
+  "bin": "./bin/vsr.ts",
+  "scripts": {
+    "db:push": "drizzle-kit push",
+    "db:generate": "drizzle-kit generate",
+    "db:migrate": "drizzle-kit migrate",
+    "db:studio": "drizzle-kit studio --port 4985",
+    "db:setup": "wrangler d1 execute vsr-local-database --file=src/db/migrations/0000_initial.sql --local --persist-to=local-store --no-remote",
+    "db:drop": "wrangler d1 execute vsr-local-database --file=src/db/migrations/drop.sql --local --persist-to=local-store --no-remote && rm -rf local-store && rm -rf .wrangler",
+    "serve:build": "npm run build:assets && wrangler dev ./dist/index.js --local --persist-to=local-store --no-remote",
+    "serve:dev": "pnpm run build:assets && wrangler dev --local --persist-to=local-store --no-remote",
+    "serve:death": "echo \"Killing wrangler dev processes...\" && (pkill -f 'wrangler.*dev' || true) && sleep 1 && (pids=$(lsof -ti :1337 2>/dev/null; lsof -ti :3000 2>/dev/null) && [ -n \"$pids\" ] && echo \"Force killing remaining processes: $pids\" && kill -9 $pids || echo \"No remaining processes found\") && echo \"Done.\"",
+    "build:assets": "pnpm install && cp -r ./node_modules/@vltpkg/gui/dist ./src/assets/public",
+    "build": "pnpm run build:assets && wrangler deploy --dry-run --outdir dist",
+    "deploy": "pnpm run build && wrangler deploy",
+    "lint": "prettier .",
+    "test": "pnpm run test:cleanup && pnpm run test:setup && pnpm run test:run",
+    "test:run": "vitest run",
+    "test:setup": "pnpm run db:setup",
+    "test:cleanup": "pkill -f wrangler || true",
+    "pretest:run": "wrangler dev --local --persist-to=local-store --no-remote",
+    "posttest:run": "pkill -f wrangler || true",
+    "test:cache:clean": "rm -f test/cache-refresh.test.js test/background-refresh.test.js"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20240320.0",
+    "@hono-rate-limiter/cloudflare": "^0.2.1",
+    "@libsql/client": "^0.15.1",
+    "@scalar/hono-api-reference": "^0.5.158",
+    "@twind/core": "^1.1.3",
+    "@twind/preset-autoprefix": "^1.0.7",
+    "@twind/preset-tailwind": "^1.1.4",
+    "@vltpkg/gui": "^0.0.0-13",
+    "@vltpkg/server": "^0.0.0-13",
+    "@workos-inc/node": "^7.48.0",
+    "autoprefixer": "^10.4.21",
+    "better-sqlite3": "^11.9.1",
+    "crypto": "npm:webcrypto-core@^1.8.1",
+    "drizzle-kit": "^0.30.5",
+    "drizzle-orm": "^0.41.0",
+    "get-npm-tarball-url": "^2.1.0",
+    "hono": "^4.5.5",
+    "hono-rate-limiter": "^0.4.0",
+    "htmx.org": "^1.9.12",
+    "hyperscript.org": "^0.9.14",
+    "js-yaml": "^4.1.0",
+    "libnpmpack": "^7.0.4",
+    "npm-registry-fetch": "^17.1.0",
+    "open": "^10.1.0",
+    "prettier": "^3.3.3",
+    "schemes": "^1.4.0",
+    "semver": "^7.6.3",
+    "ssri": "^10.0.6",
+    "streaming-tarball": "^1.0.3",
+    "tailwindcss": "^4.1.4",
+    "tsx": "^4.19.3",
+    "undici": "^7.5.0",
+    "uuid": "^10.0.0",
+    "validate-npm-package-name": "5.0.0",
+    "vitest": "^1.3.1"
+  },
+  "dependencies": {
+    "@vltpkg/package-json": "0.0.0-15",
+    "@vltpkg/security-archive": "0.0.0-15",
+    "path-scurry": "^2.0.0"
+  },
+  "peerDependencies": {
+    "wrangler": "^4.20.3"
+  }
+}

package/pnpm-workspace.yaml

@@ -0,0 +1,5 @@
+ignoredBuiltDependencies:
+  - better-sqlite3
+  - esbuild
+  - sharp
+  - workerd