create-daloy 0.35.0 → 0.35.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +50 -39
- package/package.json +1 -1
- package/sbom.cdx.json +9 -9
- package/sbom.spdx.json +5 -5
- package/templates/bun-basic/package.json +1 -1
- package/templates/cloudflare-worker/package.json +1 -1
- package/templates/deno-basic/deno.json +2 -2
- package/templates/node-basic/package.json +1 -1
- package/templates/vercel-edge/package.json +1 -1
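--- a/package/README.md
+++ b/package/README.md
@@ -53,7 +53,7 @@ pnpm create daloy@latest my-api \
 | `--template <name>` | `node-basic` (default), `vercel-edge`, `cloudflare-worker`, `bun-basic`, or `deno-basic`. |
 | `--package-manager <pm>` | `pnpm` (default), `npm`, `yarn`, or `bun`. Ignored for `deno-basic`. |
 | `--list-templates` | Print available templates with descriptions. |
-| `--install` / `--no-install` | Install dependencies after scaffolding. Defaults to **Y** for npm/yarn/bun and **N** for pnpm
+| `--install` / `--no-install` | Install dependencies after scaffolding. Defaults to **Y** for npm/yarn/bun and **N** for pnpm so you can review the hardened `.npmrc` / `pnpm-workspace.yaml` and aren't blocked by the 24h `minimumReleaseAge` embargo on the first run. |
 | `--git` / `--no-git` | Initialize a git repository. Defaults to interactive. |
 | `--minimal` | Strip the bookstore demo route and the built-in `/docs` + `/openapi.json` routes so only the framework bootstrap and `/healthz` ship. |
 | `--with-ci` / `--no-ci` | Add the hardened GitHub Actions, Dependabot, CODEOWNERS, SECURITY.md, and lockfile-source verification bundle. **Defaults to Y** so scaffolded projects are secure by default. |
@@ -148,49 +148,56 @@ pnpm create daloy@latest my-api \
 --code-owner @acme/security
 ```
 
-For Node-style templates, the bundle adds
+For Node-style templates, the bundle adds the following.
 
-
-
+**CI and deploy**
+
+- `.github/workflows/ci.yml` — top-level `permissions: {}`, pinned actions,
+`harden-runner`, `persist-credentials: false`, no package-manager cache,
 install scripts disabled.
-- `.github/workflows/deploy.yml`
-templates publish a Docker image to
-
-read
-
-
-
-
+- `.github/workflows/deploy.yml` — a manual-only deployment starter, gated to
+`main` or a tag by default. Container templates publish a Docker image to
+GHCR with the repo-scoped `GITHUB_TOKEN`. Vercel and Cloudflare templates
+ship concrete CLI deploy steps that read platform credentials from GitHub
+Actions secrets / variables. Node-style templates re-run `verify:lockfile`
+before shipping.
+
+**Scheduled vulnerability scanning (SCA)**
+
+- `.github/workflows/vuln-scan.yml` — daily cron that runs the package
+manager's audit against the committed lockfile. Catches CVEs disclosed
 *after* the last PR or push and provides SOC 2 CC7.1
 ([continuous vulnerability management](https://www.aikido.dev/blog/a-guide-to-automating-technical-vulnerability-management-for-soc-2))
-evidence even when
-- `.github/workflows/osv-scan.yml` — a
+evidence even when nobody is touching the repo.
+- `.github/workflows/osv-scan.yml` — a second, independent SCA source.
 `vuln-scan.yml` queries the package manager's audit feed (GHSA); this one
 runs Google's OSV-Scanner against the committed lockfile and cross-references
-the OpenSSF
-
-
-
-
-
-[
-
-
-
-
+the OpenSSF [malicious-packages](https://github.com/ossf/malicious-packages)
+corpus, so a malware advisory that lands in OSV.dev before it propagates to
+GHSA still fails the build. The binary is downloaded from a pinned official
+release and verified by SHA-256 before execution — no third-party action is
+added to the supply chain just for this scan. This is the missing layer that
+Aikido's [SAST vs SCA](https://www.aikido.dev/blog/sast-vs-sca) and
+[npm-audit-guide](https://www.aikido.dev/blog/npm-audit-guide) write-ups warn
+about, and the Deno scaffold gets it too (Deno has no `audit` built in, so
+without OSV-Scanner a Deno scaffold would have no scheduled SCA at all).
+
+**Secret and static analysis**
+
 - `.github/workflows/secret-scan.yml` — runs [gitleaks](https://github.com/gitleaks/gitleaks)
 on every PR / push (working tree) and on a daily schedule across the **full
 git history**, so a credential leaked anywhere in any commit, branch, or tag
-is surfaced even if GitHub-native push protection missed it.
-
-before execution — no third-party action is added to the supply chain just
-for this scan. See Aikido's
+is surfaced even if GitHub-native push protection missed it. Binary is
+pinned-release + SHA-256-verified before execution. See Aikido's
 [Secrets Detection guide](https://www.aikido.dev/blog/secret-detection-application-security)
-for why history-aware scanning is the floor
+for why history-aware scanning is the floor, not the ceiling.
 - `.github/workflows/opengrep.yml` — a second SAST source alongside CodeQL,
 using [Opengrep](https://github.com/opengrep/opengrep) (an open-source
-Semgrep fork) with the same pinned-binary + SHA-256-verified pattern
-
+Semgrep fork) with the same pinned-binary + SHA-256-verified pattern.
+- CodeQL (built in via the GitHub bundle).
+
+**Container and runtime scanning**
+
 - `.github/workflows/container-scan.yml` — runs Trivy against the image
 produced by the template's `_Dockerfile` (filesystem scan on PR, full image
 scan on push to `main`) so a base-image CVE or a vulnerable layer is
@@ -198,9 +205,13 @@ For Node-style templates, the bundle adds:
 - `.github/workflows/dast.yml` — a manual-only dynamic-analysis workflow that
 boots the scaffolded API and runs an OWASP ZAP baseline scan against it,
 for teams that want a black-box check before promoting a release.
-
+
+**Governance**
+
+- OpenSSF Scorecard, zizmor, Dependabot, CODEOWNERS, and `SECURITY.md`.
 - `scripts/verify-lockfile-sources.mjs` plus a `verify:lockfile` package script
-that rejects git dependencies and non-registry tarball URLs in text
+that rejects git dependencies and non-registry tarball URLs in text
+lockfiles.
 
 The bundle deliberately does **not** generate an npm publish workflow.
 `create-daloy` scaffolds REST API services, not libraries; if you later carve
@@ -224,11 +235,11 @@ required status checks in the repository settings.
 ## Container-first scaffolds
 
 Every template (Node, Bun, Vercel Edge, Cloudflare Worker, and Deno) ships a
-production-oriented `Dockerfile` and `.dockerignore` with
-posture
-`
-
-
+production-oriented `Dockerfile` and `.dockerignore` with secure-by-default
+posture: a non-root user, `STOPSIGNAL SIGTERM`, `tini` as PID 1, and a
+`HEALTHCHECK` pointed at `/readyz`. Node-style templates also ship an
+`.env.example`. None of this is required — delete or replace whatever you do
+not need.
 
 ## What the CLI guarantees
 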
package/package.json
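--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -1,25 +1,25 @@
 {
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:18db0f9a-e7da-5d6d-9c89-d3f6702dcd53",
 "version": 1,
 "metadata": {
-"timestamp": "2026-05-
+"timestamp": "2026-05-28T07:51:22.524Z",
 "tools": [
 {
 "vendor": "DaloyJS",
 "name": "daloy-generate-sbom",
-"version": "0.35.
+"version": "0.35.2"
 }
 ],
 "authors": [],
 "component": {
 "type": "library",
-"bom-ref": "pkg:npm/create-daloy@0.35.
+"bom-ref": "pkg:npm/create-daloy@0.35.2",
 "name": "create-daloy",
-"version": "0.35.
+"version": "0.35.2",
 "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
-"purl": "pkg:npm/create-daloy@0.35.
+"purl": "pkg:npm/create-daloy@0.35.2",
 "licenses": [
 {
 "license": {
@@ -42,9 +42,9 @@
 }
 ],
 "swid": {
-"tagId": "swidtag-create-daloy-0.35.
+"tagId": "swidtag-create-daloy-0.35.2",
 "name": "create-daloy",
-"version": "0.35.
+"version": "0.35.2",
 "tagVersion": 0,
 "patch": false
 }
@@ -53,7 +53,7 @@
 "components": [],
 "dependencies": [
 {
-"ref": "pkg:npm/create-daloy@0.35.
+"ref": "pkg:npm/create-daloy@0.35.2",
 "dependsOn": []
 }
 ]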
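--- a/package/sbom.spdx.json
+++ b/package/sbom.spdx.json
@@ -2,10 +2,10 @@
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
-"name": "create-daloy-0.35.
-"documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.35.
+"name": "create-daloy-0.35.2",
+"documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.35.2-18db0f9a-e7da-5d6d-9c89-d3f6702dcd53",
 "creationInfo": {
-"created": "2026-05-
+"created": "2026-05-28T07:51:22.524Z",
 "creators": [
 "Tool: daloy-generate-sbom",
 "Organization: DaloyJS"
@@ -16,7 +16,7 @@
 {
 "SPDXID": "SPDXRef-Package-create-daloy",
 "name": "create-daloy",
-"versionInfo": "0.35.
+"versionInfo": "0.35.2",
 "downloadLocation": "https://github.com/daloyjs/daloy",
 "filesAnalyzed": false,
 "licenseConcluded": "MIT",
@@ -27,7 +27,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
-"referenceLocator": "pkg:npm/create-daloy@0.35.
+"referenceLocator": "pkg:npm/create-daloy@0.35.2"
 }
 ]
 }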
@@ -8,8 +8,8 @@
|
|
|
8
8
|
"gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
|
|
9
9
|
},
|
|
10
10
|
"imports": {
|
|
11
|
-
"@daloyjs/core": "npm:@daloyjs/core@^0.35.
|
|
12
|
-
"@daloyjs/core/": "npm:@daloyjs/core@^0.35.
|
|
11
|
+
"@daloyjs/core": "npm:@daloyjs/core@^0.35.2",
|
|
12
|
+
"@daloyjs/core/": "npm:@daloyjs/core@^0.35.2/",
|
|
13
13
|
"zod": "npm:zod@^4.4.3"
|
|
14
14
|
},
|
|
15
15
|
"compilerOptions": {
|