create-daloy 0.38.0 → 0.38.1
- package/README.md +14 -0
- package/package.json +1 -1
- package/sbom.cdx.json +9 -9
- package/sbom.spdx.json +5 -5
- package/templates/_ci/deno/_github/workflows/codeql.yml +2 -2
- package/templates/_ci/deno/_github/workflows/container-scan.yml +3 -3
- package/templates/_ci/deno/_github/workflows/opengrep.yml +1 -1
- package/templates/_ci/deno/_github/workflows/scorecard.yml +1 -1
- package/templates/_ci/node/_github/workflows/codeql.yml +2 -2
- package/templates/_ci/node/_github/workflows/container-scan.yml +3 -3
- package/templates/_ci/node/_github/workflows/opengrep.yml +1 -1
- package/templates/_ci/node/_github/workflows/scorecard.yml +1 -1
- package/templates/bun-basic/README.md +14 -0
- package/templates/bun-basic/package.json +1 -1
- package/templates/cloudflare-worker/README.md +16 -0
- package/templates/cloudflare-worker/package.json +1 -1
- package/templates/deno-basic/README.md +14 -0
- package/templates/deno-basic/deno.json +4 -4
- package/templates/node-basic/README.md +14 -0
- package/templates/node-basic/package.json +1 -1
- package/templates/vercel-edge/README.md +14 -0
- package/templates/vercel-edge/package.json +1 -1
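--- a/package/README.md
+++ b/package/README.md
@@ -120,6 +120,20 @@ A [Deno](https://deno.com) runtime starter using `@daloyjs/core/deno` with:
 - A health route and contract-first `/books/:id` route with Zod validation.
 - The CLI skips Node-style installs for this template (no `package.json`).
 
+## Authentication (OAuth2 / OpenID Connect)
+
+Scaffolded apps are **resource servers**: DaloyJS verifies and enforces access
+tokens, it does **not** issue them. There is no built-in login UI, user
+database, or OAuth2 authorization server (it is not an identity provider like
+Keycloak, Auth0, or Duende IdentityServer). To add login, bring an OpenID
+Connect provider — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS
+Cognito) or self-hosted open source (Keycloak, Zitadel, Ory, Logto) — and have
+DaloyJS verify its JWTs with the first-party `jwk()`, `bearerAuth()`, and
+`requireScopes()` helpers. Don't build your own authorization server.
+
+See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the full
+picture and the two recommended designs (API resource server and browser BFF).
+
 ## Minimal scaffolds
 
 Pass `--minimal` to drop the bookstore demo route and the built-in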
package/package.json
CHANGED
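--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -1,25 +1,25 @@
 {
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:5874d6d1-4f7c-5889-b1dc-59abaf86bc40",
 "version": 1,
 "metadata": {
-"timestamp": "2026-06-
+"timestamp": "2026-06-11T09:54:26.989Z",
 "tools": [
 {
 "vendor": "DaloyJS",
 "name": "daloy-generate-sbom",
-"version": "0.38.
+"version": "0.38.1"
 }
 ],
 "authors": [],
 "component": {
 "type": "library",
-"bom-ref": "pkg:npm/create-daloy@0.38.
+"bom-ref": "pkg:npm/create-daloy@0.38.1",
 "name": "create-daloy",
-"version": "0.38.
+"version": "0.38.1",
 "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
-"purl": "pkg:npm/create-daloy@0.38.
+"purl": "pkg:npm/create-daloy@0.38.1",
 "licenses": [
 {
 "license": {
@@ -42,9 +42,9 @@
 }
 ],
 "swid": {
-"tagId": "swidtag-create-daloy-0.38.
+"tagId": "swidtag-create-daloy-0.38.1",
 "name": "create-daloy",
-"version": "0.38.
+"version": "0.38.1",
 "tagVersion": 0,
 "patch": false
 }
@@ -53,7 +53,7 @@
 "components": [],
 "dependencies": [
 {
-"ref": "pkg:npm/create-daloy@0.38.
+"ref": "pkg:npm/create-daloy@0.38.1",
 "dependsOn": []
 }
 ]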
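--- a/package/sbom.spdx.json
+++ b/package/sbom.spdx.json
@@ -2,10 +2,10 @@
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
-"name": "create-daloy-0.38.
-"documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.38.
+"name": "create-daloy-0.38.1",
+"documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.38.1-5874d6d1-4f7c-5889-b1dc-59abaf86bc40",
 "creationInfo": {
-"created": "2026-06-
+"created": "2026-06-11T09:54:26.989Z",
 "creators": [
 "Tool: daloy-generate-sbom",
 "Organization: DaloyJS"
@@ -16,7 +16,7 @@
 {
 "SPDXID": "SPDXRef-Package-create-daloy",
 "name": "create-daloy",
-"versionInfo": "0.38.
+"versionInfo": "0.38.1",
 "downloadLocation": "https://github.com/daloyjs/daloy",
 "filesAnalyzed": false,
 "licenseConcluded": "MIT",
@@ -27,7 +27,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
-"referenceLocator": "pkg:npm/create-daloy@0.38.
+"referenceLocator": "pkg:npm/create-daloy@0.38.1"
 }
 ]
 }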
|
@@ -44,13 +44,13 @@ jobs:
|
|
|
44
44
|
show-progress: false
|
|
45
45
|
|
|
46
46
|
- name: Initialize CodeQL
|
|
47
|
-
uses: github/codeql-action/init@
|
|
47
|
+
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
48
48
|
with:
|
|
49
49
|
languages: ${{ matrix.language }}
|
|
50
50
|
build-mode: ${{ matrix.build-mode }}
|
|
51
51
|
queries: security-extended,security-and-quality
|
|
52
52
|
|
|
53
53
|
- name: Perform CodeQL Analysis
|
|
54
|
-
uses: github/codeql-action/analyze@
|
|
54
|
+
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
55
55
|
with:
|
|
56
56
|
category: "/language:${{ matrix.language }}"
|
|
@@ -139,7 +139,7 @@ jobs:
|
|
|
139
139
|
|
|
140
140
|
- name: Upload hadolint SARIF
|
|
141
141
|
if: steps.detect.outputs.present == 'true'
|
|
142
|
-
uses: github/codeql-action/upload-sarif@
|
|
142
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
143
143
|
with:
|
|
144
144
|
sarif_file: hadolint.sarif
|
|
145
145
|
category: hadolint
|
|
@@ -162,7 +162,7 @@ jobs:
|
|
|
162
162
|
exit-code: "0"
|
|
163
163
|
|
|
164
164
|
- name: Upload Trivy filesystem SARIF
|
|
165
|
-
uses: github/codeql-action/upload-sarif@
|
|
165
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
166
166
|
with:
|
|
167
167
|
sarif_file: trivy-fs.sarif
|
|
168
168
|
category: trivy-fs
|
|
@@ -186,7 +186,7 @@ jobs:
|
|
|
186
186
|
|
|
187
187
|
- name: Upload Trivy image SARIF
|
|
188
188
|
if: always() && steps.detect.outputs.present == 'true'
|
|
189
|
-
uses: github/codeql-action/upload-sarif@
|
|
189
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
190
190
|
with:
|
|
191
191
|
sarif_file: trivy-image.sarif
|
|
192
192
|
category: trivy-image
|
|
@@ -131,7 +131,7 @@ jobs:
|
|
|
131
131
|
|
|
132
132
|
- name: Upload SARIF to GitHub code scanning
|
|
133
133
|
if: always()
|
|
134
|
-
uses: github/codeql-action/upload-sarif@
|
|
134
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
135
135
|
with:
|
|
136
136
|
sarif_file: opengrep.sarif
|
|
137
137
|
category: opengrep
|
|
@@ -41,6 +41,6 @@ jobs:
|
|
|
41
41
|
publish_results: true
|
|
42
42
|
|
|
43
43
|
- name: Upload to code-scanning
|
|
44
|
-
uses: github/codeql-action/upload-sarif@
|
|
44
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
45
45
|
with:
|
|
46
46
|
sarif_file: results.sarif
|
|
@@ -44,13 +44,13 @@ jobs:
|
|
|
44
44
|
show-progress: false
|
|
45
45
|
|
|
46
46
|
- name: Initialize CodeQL
|
|
47
|
-
uses: github/codeql-action/init@
|
|
47
|
+
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
48
48
|
with:
|
|
49
49
|
languages: ${{ matrix.language }}
|
|
50
50
|
build-mode: ${{ matrix.build-mode }}
|
|
51
51
|
queries: security-extended,security-and-quality
|
|
52
52
|
|
|
53
53
|
- name: Perform CodeQL Analysis
|
|
54
|
-
uses: github/codeql-action/analyze@
|
|
54
|
+
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
55
55
|
with:
|
|
56
56
|
category: "/language:${{ matrix.language }}"
|
|
@@ -157,7 +157,7 @@ jobs:
|
|
|
157
157
|
|
|
158
158
|
- name: Upload hadolint SARIF
|
|
159
159
|
if: steps.detect.outputs.present == 'true'
|
|
160
|
-
uses: github/codeql-action/upload-sarif@
|
|
160
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
161
161
|
with:
|
|
162
162
|
sarif_file: hadolint.sarif
|
|
163
163
|
category: hadolint
|
|
@@ -180,7 +180,7 @@ jobs:
|
|
|
180
180
|
exit-code: "0"
|
|
181
181
|
|
|
182
182
|
- name: Upload Trivy filesystem SARIF
|
|
183
|
-
uses: github/codeql-action/upload-sarif@
|
|
183
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
184
184
|
with:
|
|
185
185
|
sarif_file: trivy-fs.sarif
|
|
186
186
|
category: trivy-fs
|
|
@@ -207,7 +207,7 @@ jobs:
|
|
|
207
207
|
|
|
208
208
|
- name: Upload Trivy image SARIF
|
|
209
209
|
if: always() && steps.detect.outputs.present == 'true'
|
|
210
|
-
uses: github/codeql-action/upload-sarif@
|
|
210
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
211
211
|
with:
|
|
212
212
|
sarif_file: trivy-image.sarif
|
|
213
213
|
category: trivy-image
|
|
@@ -163,7 +163,7 @@ jobs:
|
|
|
163
163
|
|
|
164
164
|
- name: Upload SARIF to GitHub code scanning
|
|
165
165
|
if: always()
|
|
166
|
-
uses: github/codeql-action/upload-sarif@
|
|
166
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
167
167
|
with:
|
|
168
168
|
sarif_file: opengrep.sarif
|
|
169
169
|
category: opengrep
|
|
@@ -41,6 +41,6 @@ jobs:
|
|
|
41
41
|
publish_results: true
|
|
42
42
|
|
|
43
43
|
- name: Upload to code-scanning
|
|
44
|
-
uses: github/codeql-action/upload-sarif@
|
|
44
|
+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
45
45
|
with:
|
|
46
46
|
sarif_file: results.sarif
|
|
@@ -63,4 +63,18 @@ Do not use `.js` here — that's the Node NodeNext convention and will not resol
|
|
|
63
63
|
- Hot reload via `bun --hot`.
|
|
64
64
|
- Hey API codegen wired to `bun run gen:openapi` + `bun run gen:client`.
|
|
65
65
|
|
|
66
|
+
## Authentication (OAuth2 / OpenID Connect)
|
|
67
|
+
|
|
68
|
+
This app is a **resource server**: DaloyJS verifies and enforces access tokens,
|
|
69
|
+
it does **not** issue them. There is no built-in login UI, user database, or
|
|
70
|
+
OAuth2 authorization server (it is not an identity provider like Keycloak,
|
|
71
|
+
Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
|
|
72
|
+
— managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
|
|
73
|
+
open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
|
|
74
|
+
first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
|
|
75
|
+
your own authorization server.
|
|
76
|
+
|
|
77
|
+
See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
|
|
78
|
+
recommended designs (API resource server and browser BFF).
|
|
79
|
+
|
|
66
80
|
Read the docs at <https://daloyjs.dev/docs>.
|
|
@@ -22,3 +22,19 @@ pnpm deploy
|
|
|
22
22
|
- `@daloyjs/core/cloudflare` with starter security middleware: `secureHeaders` and `requestId`.
|
|
23
23
|
- Smaller edge-friendly body and timeout limits in the generated app.
|
|
24
24
|
- `wrangler.toml` ready for local development and deploys.
|
|
25
|
+
|
|
26
|
+
## Authentication (OAuth2 / OpenID Connect)
|
|
27
|
+
|
|
28
|
+
This app is a **resource server**: DaloyJS verifies and enforces access tokens,
|
|
29
|
+
it does **not** issue them. There is no built-in login UI, user database, or
|
|
30
|
+
OAuth2 authorization server (it is not an identity provider like Keycloak,
|
|
31
|
+
Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
|
|
32
|
+
— managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
|
|
33
|
+
open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
|
|
34
|
+
first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
|
|
35
|
+
your own authorization server.
|
|
36
|
+
|
|
37
|
+
See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
|
|
38
|
+
recommended designs (API resource server and browser BFF).
|
|
39
|
+
|
|
40
|
+
Read the docs at <https://daloyjs.dev/docs>.
|
|
@@ -56,4 +56,18 @@ deno task test
|
|
|
56
56
|
<!-- daloy-minimal:strip-end books -->
|
|
57
57
|
- Minimal permissions: `--allow-net --allow-env --allow-read` for `dev`.
|
|
58
58
|
|
|
59
|
+
## Authentication (OAuth2 / OpenID Connect)
|
|
60
|
+
|
|
61
|
+
This app is a **resource server**: DaloyJS verifies and enforces access tokens,
|
|
62
|
+
it does **not** issue them. There is no built-in login UI, user database, or
|
|
63
|
+
OAuth2 authorization server (it is not an identity provider like Keycloak,
|
|
64
|
+
Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
|
|
65
|
+
— managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
|
|
66
|
+
open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
|
|
67
|
+
first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
|
|
68
|
+
your own authorization server.
|
|
69
|
+
|
|
70
|
+
See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
|
|
71
|
+
recommended designs (API resource server and browser BFF).
|
|
72
|
+
|
|
59
73
|
Read the docs at <https://daloyjs.dev/docs>.
|
|
@@ -8,10 +8,10 @@
|
|
|
8
8
|
"gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
|
|
9
9
|
},
|
|
10
10
|
"imports": {
|
|
11
|
-
"@daloyjs/core": "jsr:@daloyjs/daloy@^0.38.
|
|
12
|
-
"@daloyjs/core/banner": "jsr:@daloyjs/daloy@^0.38.
|
|
13
|
-
"@daloyjs/core/deno": "jsr:@daloyjs/daloy@^0.38.
|
|
14
|
-
"@daloyjs/core/openapi": "jsr:@daloyjs/daloy@^0.38.
|
|
11
|
+
"@daloyjs/core": "jsr:@daloyjs/daloy@^0.38.1",
|
|
12
|
+
"@daloyjs/core/banner": "jsr:@daloyjs/daloy@^0.38.1/banner",
|
|
13
|
+
"@daloyjs/core/deno": "jsr:@daloyjs/daloy@^0.38.1/deno",
|
|
14
|
+
"@daloyjs/core/openapi": "jsr:@daloyjs/daloy@^0.38.1/openapi",
|
|
15
15
|
"zod": "npm:zod@^4.4.3"
|
|
16
16
|
},
|
|
17
17
|
"compilerOptions": {
|
|
@@ -65,4 +65,18 @@ On `pnpm build`, TypeScript rewrites the `.ts` specifier to `.js` in the compile
|
|
|
65
65
|
- Hardened `.npmrc` for safer installs.
|
|
66
66
|
- Hey API codegen wired to `pnpm gen`.
|
|
67
67
|
|
|
68
|
+
## Authentication (OAuth2 / OpenID Connect)
|
|
69
|
+
|
|
70
|
+
This app is a **resource server**: DaloyJS verifies and enforces access tokens,
|
|
71
|
+
it does **not** issue them. There is no built-in login UI, user database, or
|
|
72
|
+
OAuth2 authorization server (it is not an identity provider like Keycloak,
|
|
73
|
+
Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
|
|
74
|
+
— managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
|
|
75
|
+
open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
|
|
76
|
+
first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
|
|
77
|
+
your own authorization server.
|
|
78
|
+
|
|
79
|
+
See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
|
|
80
|
+
recommended designs (API resource server and browser BFF).
|
|
81
|
+
|
|
68
82
|
Read the docs at <https://daloyjs.dev/docs>.
|
|
@@ -77,3 +77,17 @@ Vercel bundles the `api/` functions at deploy time and resolves `.ts` directly,
|
|
|
77
77
|
<!-- daloy-minimal:strip-start docs -->
|
|
78
78
|
- A Scalar API reference UI at `/docs`, plus live OpenAPI 3.1 specs at `/openapi.json` and `/openapi.yaml`.
|
|
79
79
|
<!-- daloy-minimal:strip-end docs -->
|
|
80
|
+
|
|
81
|
+
## Authentication (OAuth2 / OpenID Connect)
|
|
82
|
+
|
|
83
|
+
This app is a **resource server**: DaloyJS verifies and enforces access tokens,
|
|
84
|
+
it does **not** issue them. There is no built-in login UI, user database, or
|
|
85
|
+
OAuth2 authorization server (it is not an identity provider like Keycloak,
|
|
86
|
+
Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
|
|
87
|
+
— managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
|
|
88
|
+
open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
|
|
89
|
+
first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
|
|
90
|
+
your own authorization server.
|
|
91
|
+
|
|
92
|
+
See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
|
|
93
|
+
recommended designs (API resource server and browser BFF).
|