create-daloy 0.1.20 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -521,9 +521,15 @@ function rewriteScriptsForPackageManager(scripts, pm) {
521
521
 
522
522
  async function normalizePackageManagerFiles(dir, packageManager) {
523
523
  if (packageManager === "pnpm") return;
524
- const npmrcPath = path.join(dir, ".npmrc");
525
- if (!existsSync(npmrcPath)) return;
526
- await rm(npmrcPath, { force: true });
524
+ // The hardened `.npmrc` and `pnpm-workspace.yaml` only make sense for pnpm.
525
+ // Removing them keeps npm/yarn/bun scaffolds from inheriting pnpm-specific
526
+ // settings the chosen package manager would either ignore or misinterpret.
527
+ for (const file of [".npmrc", "pnpm-workspace.yaml"]) {
528
+ const target = path.join(dir, file);
529
+ if (existsSync(target)) {
530
+ await rm(target, { force: true });
531
+ }
532
+ }
527
533
  }
528
534
 
529
535
  /**
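Review bot: The comment added at lines 524–526 says the hardened `.npmrc` "only makes sense for pnpm", but npm and yarn classic read `.npmrc` as well, so deleting it for those scaffolds silently drops any key they would have honoured (`ignore-scripts`, for one, is an npm setting as much as a pnpm one); I cannot see the template's `.npmrc` from this hunk, so whether it holds such keys needs confirming, but if it does the scaffold loses protection it advertises. Only `pnpm-workspace.yaml` is unambiguously pnpm-only; either keep `.npmrc` for the `npm`/`yarn` cases and remove just the workspace file, or document which `.npmrc` keys are pnpm-specific so they can be stripped individually instead of removing the whole file. Separately, `rm` with `{ force: true }` already tolerates a missing path, so the `existsSync` check-then-act in lines 529–531 adds nothing; `await rm(path.join(dir, file), { force: true });` on its own is equivalent. The file header for this section precedes the chunk, but `normalizePackageManagerFiles` itself starts and ends inside the hunk.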
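--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "create-daloy",
-"version": "0.1.20",
+"version": "0.1.21",
 "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
 "type": "module",
 "license": "MIT",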
@@ -0,0 +1,25 @@
1
+ # pnpm workspace-level supply-chain settings.
2
+ #
3
+ # This file is here even though the default package manager for this
4
+ # template is Bun, because users can switch to pnpm with
5
+ # `pnpm create daloy --package-manager pnpm`. When that happens, the
6
+ # scaffolder keeps this file so pnpm 11+ picks up the workspace-level
7
+ # supply-chain controls below. If you keep using Bun, you can delete it.
8
+ #
9
+ # pnpm 11+ reads `pnpm-workspace.yaml` as a settings file even when no
10
+ # `packages:` list is declared. It is the only file format that accepts
11
+ # the v11 keys below (`.npmrc` cannot express them).
12
+ #
13
+ # See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
14
+ # postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
15
+ # for why every setting below is on by default.
16
+
17
+ # Wait 24h (1440 minutes) before resolving a freshly published version.
18
+ # Most npm worm campaigns are detected and unpublished within hours.
19
+ # Set to 0 only for a real hotfix.
20
+ minimumReleaseAge: 1440
21
+
22
+ # Only direct dependencies may use exotic sources (git, tarball URLs).
23
+ # Transitive deps must resolve from the configured registry, which makes
24
+ # typosquatted-tarball and compromised-fork attacks much harder to land.
25
+ blockExoticSubdeps: true
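Review bot: The hotfix guidance in the header, `Set to 0 only for a real hotfix`, steers users to the bluntest override: `minimumReleaseAge: 0` switches the quarantine off for every dependency in the install, not just the package that needs the fix. pnpm also accepts `minimumReleaseAgeExclude`, a list of package names exempted from the delay, which keeps the 24h window for everything else; I would reword the comment to `# For a hotfix, list just that package under minimumReleaseAgeExclude instead of setting this to 0.` The same header and settings are repeated verbatim in the three `@@ -0,0 +1,24 @@` sections that follow, so a future change to the threshold or the rationale has four copies to keep in sync — generating the file from a single template string in the scaffolder would remove that drift risk. The file header naming each added file is not shown in these rendered sections.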
@@ -0,0 +1,24 @@
1
+ # pnpm workspace-level supply-chain settings.
2
+ #
3
+ # This file looks unusual in a single-package project, but pnpm 11+ reads
4
+ # `pnpm-workspace.yaml` as a settings file even when no `packages:` list
5
+ # is declared. It is the only file format that accepts the v11 keys
6
+ # below (`.npmrc` cannot express them).
7
+ #
8
+ # See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
9
+ # postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
10
+ # for why every setting below is on by default.
11
+ #
12
+ # Want a real monorepo? Add a `packages:` key listing your sub-package
13
+ # globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
14
+ # will continue to apply.
15
+
16
+ # Wait 24h (1440 minutes) before resolving a freshly published version.
17
+ # Most npm worm campaigns are detected and unpublished within hours.
18
+ # Set to 0 only for a real hotfix.
19
+ minimumReleaseAge: 1440
20
+
21
+ # Only direct dependencies may use exotic sources (git, tarball URLs).
22
+ # Transitive deps must resolve from the configured registry, which makes
23
+ # typosquatted-tarball and compromised-fork attacks much harder to land.
24
+ blockExoticSubdeps: true
@@ -0,0 +1,24 @@
1
+ # pnpm workspace-level supply-chain settings.
2
+ #
3
+ # This file looks unusual in a single-package project, but pnpm 11+ reads
4
+ # `pnpm-workspace.yaml` as a settings file even when no `packages:` list
5
+ # is declared. It is the only file format that accepts the v11 keys
6
+ # below (`.npmrc` cannot express them).
7
+ #
8
+ # See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
9
+ # postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
10
+ # for why every setting below is on by default.
11
+ #
12
+ # Want a real monorepo? Add a `packages:` key listing your sub-package
13
+ # globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
14
+ # will continue to apply.
15
+
16
+ # Wait 24h (1440 minutes) before resolving a freshly published version.
17
+ # Most npm worm campaigns are detected and unpublished within hours.
18
+ # Set to 0 only for a real hotfix.
19
+ minimumReleaseAge: 1440
20
+
21
+ # Only direct dependencies may use exotic sources (git, tarball URLs).
22
+ # Transitive deps must resolve from the configured registry, which makes
23
+ # typosquatted-tarball and compromised-fork attacks much harder to land.
24
+ blockExoticSubdeps: true
@@ -0,0 +1,24 @@
1
+ # pnpm workspace-level supply-chain settings.
2
+ #
3
+ # This file looks unusual in a single-package project, but pnpm 11+ reads
4
+ # `pnpm-workspace.yaml` as a settings file even when no `packages:` list
5
+ # is declared. It is the only file format that accepts the v11 keys
6
+ # below (`.npmrc` cannot express them).
7
+ #
8
+ # See the DaloyJS supply-chain notes and the 2026-05-11 TanStack
9
+ # postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
10
+ # for why every setting below is on by default.
11
+ #
12
+ # Want a real monorepo? Add a `packages:` key listing your sub-package
13
+ # globs (e.g. `packages: ["apps/*", "packages/*"]`) and the keys below
14
+ # will continue to apply.
15
+
16
+ # Wait 24h (1440 minutes) before resolving a freshly published version.
17
+ # Most npm worm campaigns are detected and unpublished within hours.
18
+ # Set to 0 only for a real hotfix.
19
+ minimumReleaseAge: 1440
20
+
21
+ # Only direct dependencies may use exotic sources (git, tarball URLs).
22
+ # Transitive deps must resolve from the configured registry, which makes
23
+ # typosquatted-tarball and compromised-fork attacks much harder to land.
24
+ blockExoticSubdeps: true