create-daloy 0.1.20 → 0.1.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
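--- a/package/bin/create-daloy.mjs
+++ b/package/bin/create-daloy.mjs
@@ -521,9 +521,15 @@ function rewriteScriptsForPackageManager(scripts, pm) {
 
 async function normalizePackageManagerFiles(dir, packageManager) {
 if (packageManager === "pnpm") return;
-
-
-
+// The hardened `.npmrc` and `pnpm-workspace.yaml` only make sense for pnpm.
+// Removing them keeps npm/yarn/bun scaffolds from inheriting pnpm-specific
+// settings the chosen package manager would either ignore or misinterpret.
+for (const file of [".npmrc", "pnpm-workspace.yaml"]) {
+const target = path.join(dir, file);
+if (existsSync(target)) {
+await rm(target, { force: true });
+}
+}
 }
 
 /**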
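Review bot: Deleting `.npmrc` for every non-pnpm scaffold may also discard hardening that npm and yarn classic honor themselves (for example an `ignore-scripts` or registry pin), since `.npmrc` is not a pnpm-only file; its contents are not visible in this hunk, so if it holds only pnpm-specific keys this is fine, otherwise consider stripping the pnpm-only keys and keeping the rest. The `existsSync(target)` guard around `rm(target, { force: true })` is redundant because `force: true` already ignores a missing path, and it adds a check-then-act window; `await rm(path.join(dir, file), { force: true });` on its own is enough. The three removed lines at old 524–526 render with no content on this page, so what the loop replaces cannot be confirmed here.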
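--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,25 @@
+# pnpm workspace-level supply-chain settings.
+#
+# This file is here even though the default package manager for this
+# template is Bun, because users can switch to pnpm with
+# `pnpm create daloy --package-manager pnpm`. When that happens, the
+# scaffolder keeps this file so pnpm 11+ picks up the workspace-level
+# supply-chain controls below. If you keep using Bun, you can delete it.
+#
+# pnpm 11+ reads `pnpm-workspace.yaml` as a settings file even when no
+# `packages:` list is declared. It is the only file format that accepts
+# the v11 keys below (`.npmrc` cannot express them).
+#
+# See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
+# postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
+# for why every setting below is on by default.
+
+# Wait 24h (1440 minutes) before resolving a freshly published version.
+# Most npm worm campaigns are detected and unpublished within hours.
+# Set to 0 only for a real hotfix.
+minimumReleaseAge: 1440
+
+# Only direct dependencies may use exotic sources (git, tarball URLs).
+# Transitive deps must resolve from the configured registry, which makes
+# typosquatted-tarball and compromised-fork attacks much harder to land.
+blockExoticSubdeps: true
@@ -0,0 +1,24 @@
+# pnpm workspace-level supply-chain settings.
+#
+# This file looks unusual in a single-package project, but pnpm 11+ reads
+# `pnpm-workspace.yaml` as a settings file even when no `packages:` list
+# is declared. It is the only file format that accepts the v11 keys
+# below (`.npmrc` cannot express them).
+#
+# See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
+# postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
+# for why every setting below is on by default.
+#
+# Want a real monorepo? Add a `packages:` key listing your sub-package
+# globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
+# will continue to apply.
+
+# Wait 24h (1440 minutes) before resolving a freshly published version.
+# Most npm worm campaigns are detected and unpublished within hours.
+# Set to 0 only for a real hotfix.
+minimumReleaseAge: 1440
+
+# Only direct dependencies may use exotic sources (git, tarball URLs).
+# Transitive deps must resolve from the configured registry, which makes
+# typosquatted-tarball and compromised-fork attacks much harder to land.
+blockExoticSubdeps: true
@@ -0,0 +1,24 @@
+# pnpm workspace-level supply-chain settings.
+#
+# This file looks unusual in a single-package project, but pnpm 11+ reads
+# `pnpm-workspace.yaml` as a settings file even when no `packages:` list
+# is declared. It is the only file format that accepts the v11 keys
+# below (`.npmrc` cannot express them).
+#
+# See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
+# postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
+# for why every setting below is on by default.
+#
+# Want a real monorepo? Add a `packages:` key listing your sub-package
+# globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
+# will continue to apply.
+
+# Wait 24h (1440 minutes) before resolving a freshly published version.
+# Most npm worm campaigns are detected and unpublished within hours.
+# Set to 0 only for a real hotfix.
+minimumReleaseAge: 1440
+
+# Only direct dependencies may use exotic sources (git, tarball URLs).
+# Transitive deps must resolve from the configured registry, which makes
+# typosquatted-tarball and compromised-fork attacks much harder to land.
+blockExoticSubdeps: true
@@ -0,0 +1,24 @@
+# pnpm workspace-level supply-chain settings.
+#
+# This file looks unusual in a single-package project, but pnpm 11+ reads
+# `pnpm-workspace.yaml` as a settings file even when no `packages:` list
+# is declared. It is the only file format that accepts the v11 keys
+# below (`.npmrc` cannot express them).
+#
+# See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
+# postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
+# for why every setting below is on by default.
+#
+# Want a real monorepo? Add a `packages:` key listing your sub-package
+# globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
+# will continue to apply.
+
+# Wait 24h (1440 minutes) before resolving a freshly published version.
+# Most npm worm campaigns are detected and unpublished within hours.
+# Set to 0 only for a real hotfix.
+minimumReleaseAge: 1440
+
+# Only direct dependencies may use exotic sources (git, tarball URLs).
+# Transitive deps must resolve from the configured registry, which makes
+# typosquatted-tarball and compromised-fork attacks much harder to land.
+blockExoticSubdeps: true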
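Review bot: The header comment of the first hunk ("This file is here even though the default package manager for this template is Bun … If you keep using Bun, you can delete it") describes a state the scaffold no longer produces, because the create-daloy.mjs change in this same release removes `pnpm-workspace.yaml` for every non-pnpm scaffold; rewording it to say the scaffolder drops the file unless `--package-manager pnpm` is chosen would keep the comment and the code in agreement. The advice `# Set to 0 only for a real hotfix.` disables the release-age delay for the entire dependency tree; pnpm also accepts `minimumReleaseAgeExclude`, which exempts only the package that needs the fresh version, so I would change the line to `# For a hotfix prefer minimumReleaseAgeExclude for that one package; set to 0 only as a last resort.` The three later hunks are byte-identical copies of the same file, so any future edit has to be applied four times. The section is labelled `package/package.json` on this page although every hunk is YAML, which looks like a rendering artefact rather than a change to package.json.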