create-daloy 0.35.0 → 0.35.2

package/README.md CHANGED
@@ -53,7 +53,7 @@ pnpm create daloy@latest my-api \
53
53
  | `--template <name>` | `node-basic` (default), `vercel-edge`, `cloudflare-worker`, `bun-basic`, or `deno-basic`. |
54
54
  | `--package-manager <pm>` | `pnpm` (default), `npm`, `yarn`, or `bun`. Ignored for `deno-basic`. |
55
55
  | `--list-templates` | Print available templates with descriptions. |
56
- | `--install` / `--no-install` | Install dependencies after scaffolding. Defaults to **Y** for npm/yarn/bun and **N** for pnpm (so first-time runs are not blocked by the 24h `minimumReleaseAge` embargo and so you can review the scaffold's hardened `.npmrc` and `pnpm-workspace.yaml` before the first install). |
56
+ | `--install` / `--no-install` | Install dependencies after scaffolding. Defaults to **Y** for npm/yarn/bun and **N** for pnpm so you can review the hardened `.npmrc` / `pnpm-workspace.yaml` and aren't blocked by the 24h `minimumReleaseAge` embargo on the first run. |
57
57
  | `--git` / `--no-git` | Initialize a git repository. Defaults to interactive. |
58
58
  | `--minimal` | Strip the bookstore demo route and the built-in `/docs` + `/openapi.json` routes so only the framework bootstrap and `/healthz` ship. |
59
59
  | `--with-ci` / `--no-ci` | Add the hardened GitHub Actions, Dependabot, CODEOWNERS, SECURITY.md, and lockfile-source verification bundle. **Defaults to Y** so scaffolded projects are secure by default. |
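Review bot: the reworded `--install` row explains why pnpm defaults to **N**, but it does not say what the user gives up by skipping the install: with no install there is no lockfile yet, so the `verify:lockfile` script and the scheduled `vuln-scan.yml` / `osv-scan.yml` jobs (both described as running "against the committed lockfile") have nothing to check until the first `pnpm install` is run and the lockfile is committed. One clause to that effect, e.g. "run `pnpm install` and commit the lockfile before relying on the CI bundle", would close that gap.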
@@ -148,49 +148,56 @@ pnpm create daloy@latest my-api \
148
148
  --code-owner @acme/security
149
149
  ```
150
150
 
151
- For Node-style templates, the bundle adds:
151
+ For Node-style templates, the bundle adds the following.
152
152
 
153
- - `.github/workflows/ci.yml` with top-level `permissions: {}`, pinned actions,
154
- `harden-runner`, `persist-credentials: false`, no package-manager cache, and
153
+ **CI and deploy**
154
+
155
+ - `.github/workflows/ci.yml` — top-level `permissions: {}`, pinned actions,
156
+ `harden-runner`, `persist-credentials: false`, no package-manager cache,
155
157
  install scripts disabled.
156
- - `.github/workflows/deploy.yml` as a manual-only deployment starter. Container
157
- templates publish a Docker image to GHCR with the repo-scoped `GITHUB_TOKEN`,
158
- while Vercel and Cloudflare templates ship concrete CLI deploy steps that
159
- read their platform credentials from GitHub Actions secrets/variables. The
160
- deploy job is gated to `main` or a tag by default, and Node-style templates
161
- re-run `verify:lockfile` before shipping.
162
- - `.github/workflows/vuln-scan.yml` — a daily scheduled SCA cron that runs the
163
- package manager's audit against the committed lockfile. Catches CVEs disclosed
158
+ - `.github/workflows/deploy.yml` a manual-only deployment starter, gated to
159
+ `main` or a tag by default. Container templates publish a Docker image to
160
+ GHCR with the repo-scoped `GITHUB_TOKEN`. Vercel and Cloudflare templates
161
+ ship concrete CLI deploy steps that read platform credentials from GitHub
162
+ Actions secrets / variables. Node-style templates re-run `verify:lockfile`
163
+ before shipping.
164
+
165
+ **Scheduled vulnerability scanning (SCA)**
166
+
167
+ - `.github/workflows/vuln-scan.yml` — daily cron that runs the package
168
+ manager's audit against the committed lockfile. Catches CVEs disclosed
164
169
  *after* the last PR or push and provides SOC 2 CC7.1
165
170
  ([continuous vulnerability management](https://www.aikido.dev/blog/a-guide-to-automating-technical-vulnerability-management-for-soc-2))
166
- evidence even when developers are not touching the repo.
167
- - `.github/workflows/osv-scan.yml` — a SECOND, independent SCA source.
171
+ evidence even when nobody is touching the repo.
172
+ - `.github/workflows/osv-scan.yml` — a second, independent SCA source.
168
173
  `vuln-scan.yml` queries the package manager's audit feed (GHSA); this one
169
174
  runs Google's OSV-Scanner against the committed lockfile and cross-references
170
- the OpenSSF
171
- [malicious-packages](https://github.com/ossf/malicious-packages) corpus, so
172
- a malware advisory that lands in OSV.dev before it propagates to GHSA still
173
- fails the build. The binary is downloaded from a pinned official release and
174
- verified by SHA-256 before execution no third-party action is added to the
175
- supply chain just for this scan. This is the missing layer the Aikido
176
- [SAST vs SCA](https://www.aikido.dev/blog/sast-vs-sca) and
177
- [npm-audit-guide](https://www.aikido.dev/blog/npm-audit-guide) write-ups
178
- warn about, and the Deno scaffold gets it too (Deno has no `audit` built
179
- in, so without OSV-Scanner a Deno scaffold would have no scheduled SCA at
180
- all).
175
+ the OpenSSF [malicious-packages](https://github.com/ossf/malicious-packages)
176
+ corpus, so a malware advisory that lands in OSV.dev before it propagates to
177
+ GHSA still fails the build. The binary is downloaded from a pinned official
178
+ release and verified by SHA-256 before execution no third-party action is
179
+ added to the supply chain just for this scan. This is the missing layer that
180
+ Aikido's [SAST vs SCA](https://www.aikido.dev/blog/sast-vs-sca) and
181
+ [npm-audit-guide](https://www.aikido.dev/blog/npm-audit-guide) write-ups warn
182
+ about, and the Deno scaffold gets it too (Deno has no `audit` built in, so
183
+ without OSV-Scanner a Deno scaffold would have no scheduled SCA at all).
184
+
185
+ **Secret and static analysis**
186
+
181
187
  - `.github/workflows/secret-scan.yml` — runs [gitleaks](https://github.com/gitleaks/gitleaks)
182
188
  on every PR / push (working tree) and on a daily schedule across the **full
183
189
  git history**, so a credential leaked anywhere in any commit, branch, or tag
184
- is surfaced even if GitHub-native push protection missed it. The gitleaks
185
- binary is downloaded from a pinned official release and verified by SHA-256
186
- before execution — no third-party action is added to the supply chain just
187
- for this scan. See Aikido's
190
+ is surfaced even if GitHub-native push protection missed it. Binary is
191
+ pinned-release + SHA-256-verified before execution. See Aikido's
188
192
  [Secrets Detection guide](https://www.aikido.dev/blog/secret-detection-application-security)
189
- for why history-aware scanning is the floor and not the ceiling.
193
+ for why history-aware scanning is the floor, not the ceiling.
190
194
  - `.github/workflows/opengrep.yml` — a second SAST source alongside CodeQL,
191
195
  using [Opengrep](https://github.com/opengrep/opengrep) (an open-source
192
- Semgrep fork) with the same pinned-binary + SHA-256-verified pattern as the
193
- OSV and gitleaks scans.
196
+ Semgrep fork) with the same pinned-binary + SHA-256-verified pattern.
197
+ - CodeQL (built in via the GitHub bundle).
198
+
199
+ **Container and runtime scanning**
200
+
194
201
  - `.github/workflows/container-scan.yml` — runs Trivy against the image
195
202
  produced by the template's `_Dockerfile` (filesystem scan on PR, full image
196
203
  scan on push to `main`) so a base-image CVE or a vulnerable layer is
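Review bot: two formatting slips in the restructured list: the `deploy.yml` bullet is the only one without the ` — ` separator the other bullets use (`- `.github/workflows/deploy.yml` a manual-only deployment starter`), and the OSV bullet still runs two sentences together (`verified by SHA-256 before execution no third-party action is added`); add the dash in both places. Also, every other entry in the **Secret and static analysis** group names its workflow file, while the new `- CodeQL (built in via the GitHub bundle).` line does not; say which file or setting provides it so the reader can find and pin it like the rest.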
@@ -198,9 +205,13 @@ For Node-style templates, the bundle adds:
198
205
  - `.github/workflows/dast.yml` — a manual-only dynamic-analysis workflow that
199
206
  boots the scaffolded API and runs an OWASP ZAP baseline scan against it,
200
207
  for teams that want a black-box check before promoting a release.
201
- - CodeQL, OpenSSF Scorecard, zizmor, Dependabot, CODEOWNERS, and `SECURITY.md`.
208
+
209
+ **Governance**
210
+
211
+ - OpenSSF Scorecard, zizmor, Dependabot, CODEOWNERS, and `SECURITY.md`.
202
212
  - `scripts/verify-lockfile-sources.mjs` plus a `verify:lockfile` package script
203
- that rejects git dependencies and non-registry tarball URLs in text lockfiles.
213
+ that rejects git dependencies and non-registry tarball URLs in text
214
+ lockfiles.
204
215
 
205
216
  The bundle deliberately does **not** generate an npm publish workflow.
206
217
  `create-daloy` scaffolds REST API services, not libraries; if you later carve
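Review bot: the `verify:lockfile` bullet says the script rejects git dependencies and non-registry tarball URLs "in text lockfiles", which implies at least one supported lockfile format is not covered; since `bun-basic` is one of the offered templates, name the lockfile formats the script actually parses so Bun users know whether the check applies to their scaffold or is silently skipped.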
@@ -224,11 +235,11 @@ required status checks in the repository settings.
224
235
  ## Container-first scaffolds
225
236
 
226
237
  Every template (Node, Bun, Vercel Edge, Cloudflare Worker, and Deno) ships a
227
- production-oriented `Dockerfile` and `.dockerignore` with the secure-by-default
228
- posture from `@daloyjs/core` `0.24.0`: a non-root user, `STOPSIGNAL SIGTERM`,
229
- `tini` as PID 1, and a `HEALTHCHECK` pointed at `/readyz`. Node-style templates
230
- also ship an `.env.example`. None of this is required — delete or replace
231
- whatever you do not need.
238
+ production-oriented `Dockerfile` and `.dockerignore` with secure-by-default
239
+ posture: a non-root user, `STOPSIGNAL SIGTERM`, `tini` as PID 1, and a
240
+ `HEALTHCHECK` pointed at `/readyz`. Node-style templates also ship an
241
+ `.env.example`. None of this is required — delete or replace whatever you do
242
+ not need.
232
243
 
233
244
  ## What the CLI guarantees
234
245
 
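Review bot: the rewritten paragraph says every template ships a `Dockerfile`, while the `container-scan.yml` bullet earlier in the same README refers to "the template's `_Dockerfile`"; if the underscore-prefixed name is the template source file that is renamed on scaffold, say so once, otherwise align the two names so readers do not look for a file that does not exist in the generated project. Dropping the "`@daloyjs/core` `0.24.0`" attribution is fine, but the sentence now reads "with secure-by-default posture" and wants an article ("with a secure-by-default posture").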
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-daloy",
3
- "version": "0.35.0",
3
+ "version": "0.35.2",
4
4
  "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
5
5
  "type": "module",
6
6
  "license": "MIT",
package/sbom.cdx.json CHANGED
@@ -1,25 +1,25 @@
1
1
  {
2
2
  "bomFormat": "CycloneDX",
3
3
  "specVersion": "1.5",
4
- "serialNumber": "urn:uuid:94862215-9d79-5a0f-9ee1-81c52885d00f",
4
+ "serialNumber": "urn:uuid:18db0f9a-e7da-5d6d-9c89-d3f6702dcd53",
5
5
  "version": 1,
6
6
  "metadata": {
7
- "timestamp": "2026-05-24T23:40:28.395Z",
7
+ "timestamp": "2026-05-28T07:51:22.524Z",
8
8
  "tools": [
9
9
  {
10
10
  "vendor": "DaloyJS",
11
11
  "name": "daloy-generate-sbom",
12
- "version": "0.35.0"
12
+ "version": "0.35.2"
13
13
  }
14
14
  ],
15
15
  "authors": [],
16
16
  "component": {
17
17
  "type": "library",
18
- "bom-ref": "pkg:npm/create-daloy@0.35.0",
18
+ "bom-ref": "pkg:npm/create-daloy@0.35.2",
19
19
  "name": "create-daloy",
20
- "version": "0.35.0",
20
+ "version": "0.35.2",
21
21
  "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
22
- "purl": "pkg:npm/create-daloy@0.35.0",
22
+ "purl": "pkg:npm/create-daloy@0.35.2",
23
23
  "licenses": [
24
24
  {
25
25
  "license": {
@@ -42,9 +42,9 @@
42
42
  }
43
43
  ],
44
44
  "swid": {
45
- "tagId": "swidtag-create-daloy-0.35.0",
45
+ "tagId": "swidtag-create-daloy-0.35.2",
46
46
  "name": "create-daloy",
47
- "version": "0.35.0",
47
+ "version": "0.35.2",
48
48
  "tagVersion": 0,
49
49
  "patch": false
50
50
  }
@@ -53,7 +53,7 @@
53
53
  "components": [],
54
54
  "dependencies": [
55
55
  {
56
- "ref": "pkg:npm/create-daloy@0.35.0",
56
+ "ref": "pkg:npm/create-daloy@0.35.2",
57
57
  "dependsOn": []
58
58
  }
59
59
  ]
package/sbom.spdx.json CHANGED
@@ -2,10 +2,10 @@
2
2
  "spdxVersion": "SPDX-2.3",
3
3
  "dataLicense": "CC0-1.0",
4
4
  "SPDXID": "SPDXRef-DOCUMENT",
5
- "name": "create-daloy-0.35.0",
6
- "documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.35.0-94862215-9d79-5a0f-9ee1-81c52885d00f",
5
+ "name": "create-daloy-0.35.2",
6
+ "documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.35.2-18db0f9a-e7da-5d6d-9c89-d3f6702dcd53",
7
7
  "creationInfo": {
8
- "created": "2026-05-24T23:40:28.395Z",
8
+ "created": "2026-05-28T07:51:22.524Z",
9
9
  "creators": [
10
10
  "Tool: daloy-generate-sbom",
11
11
  "Organization: DaloyJS"
@@ -16,7 +16,7 @@
16
16
  {
17
17
  "SPDXID": "SPDXRef-Package-create-daloy",
18
18
  "name": "create-daloy",
19
- "versionInfo": "0.35.0",
19
+ "versionInfo": "0.35.2",
20
20
  "downloadLocation": "https://github.com/daloyjs/daloy",
21
21
  "filesAnalyzed": false,
22
22
  "licenseConcluded": "MIT",
@@ -27,7 +27,7 @@
27
27
  {
28
28
  "referenceCategory": "PACKAGE-MANAGER",
29
29
  "referenceType": "purl",
30
- "referenceLocator": "pkg:npm/create-daloy@0.35.0"
30
+ "referenceLocator": "pkg:npm/create-daloy@0.35.2"
31
31
  }
32
32
  ]
33
33
  }
@@ -17,7 +17,7 @@
17
17
  "audit": "pnpm audit --prod"
18
18
  },
19
19
  "dependencies": {
20
- "@daloyjs/core": "^0.35.0",
20
+ "@daloyjs/core": "^0.35.2",
21
21
  "zod": "^4.4.3"
22
22
  },
23
23
  "devDependencies": {
@@ -11,7 +11,7 @@
11
11
  "audit": "pnpm audit --prod"
12
12
  },
13
13
  "dependencies": {
14
- "@daloyjs/core": "^0.35.0",
14
+ "@daloyjs/core": "^0.35.2",
15
15
  "zod": "^4.4.3"
16
16
  },
17
17
  "devDependencies": {
@@ -8,8 +8,8 @@
8
8
  "gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
9
9
  },
10
10
  "imports": {
11
- "@daloyjs/core": "npm:@daloyjs/core@^0.35.0",
12
- "@daloyjs/core/": "npm:@daloyjs/core@^0.35.0/",
11
+ "@daloyjs/core": "npm:@daloyjs/core@^0.35.2",
12
+ "@daloyjs/core/": "npm:@daloyjs/core@^0.35.2/",
13
13
  "zod": "npm:zod@^4.4.3"
14
14
  },
15
15
  "compilerOptions": {
@@ -18,7 +18,7 @@
18
18
  "audit": "pnpm audit --prod"
19
19
  },
20
20
  "dependencies": {
21
- "@daloyjs/core": "^0.35.0",
21
+ "@daloyjs/core": "^0.35.2",
22
22
  "zod": "^4.4.3"
23
23
  },
24
24
  "devDependencies": {
@@ -11,7 +11,7 @@
11
11
  "audit": "pnpm audit --prod"
12
12
  },
13
13
  "dependencies": {
14
- "@daloyjs/core": "^0.35.0",
14
+ "@daloyjs/core": "^0.35.2",
15
15
  "zod": "^4.4.3"
16
16
  },
17
17
  "devDependencies": {