create-daloy 0.7.1 → 0.7.3
- package/bin/create-daloy.mjs +43 -3
- package/package.json +1 -1
- package/templates/bun-basic/package.json +1 -1
- package/templates/cloudflare-worker/package.json +1 -1
- package/templates/deno-basic/deno.json +2 -2
- package/templates/node-basic/package.json +1 -1
- package/templates/vercel-edge/package.json +1 -1
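--- a/package/bin/create-daloy.mjs
+++ b/package/bin/create-daloy.mjs
@@ -314,10 +314,10 @@ ${heading("Options")}
 ${color(COLORS.green, "--template <name>")} ${TEMPLATES.join(" | ")} ${color(COLORS.dim, "(default: node-basic)")}
 ${color(COLORS.green, "--package-manager <pm>")} ${PACKAGE_MANAGERS.join(" | ")} ${color(COLORS.dim, "(default: pnpm)")}
 ${color(COLORS.green, "--list-templates")} Print available templates and exit.
-${color(COLORS.green, "--install / --no-install")} Install dependencies after scaffolding.
+${color(COLORS.green, "--install / --no-install")} Install dependencies after scaffolding. ${color(COLORS.dim, "(default: Y, except pnpm \u2014 N to respect minimumReleaseAge + onlyBuiltDependencies)")}
 ${color(COLORS.green, "--git / --no-git")} Initialize a git repository.
 ${color(COLORS.green, "--minimal")} Strip the bookstore + OpenAPI docs demo routes.
-${color(COLORS.green, "--with-ci / --no-ci")} Add hardened GitHub Actions + governance files.
+${color(COLORS.green, "--with-ci / --no-ci")} Add hardened GitHub Actions + governance files. ${color(COLORS.dim, "(default: Y)")}
 ${color(COLORS.green, "--code-owner <owner>")} CODEOWNERS owner for --with-ci, e.g. @acme/security.
 ${color(COLORS.green, "--force")} Overwrite an existing non-empty directory.
 ${color(COLORS.green, "--yes, -y")} Accept all defaults; never prompt.
@@ -1114,6 +1114,23 @@ function printSummary({ projectName, template, packageManager, installDeps, skip
 console.log(` ${arrow} ${color(COLORS.cyan, `${packageManager} run dev`)}`);
 }
 
+if (!installDeps && !skipPackageManager && packageManager === "pnpm") {
+console.log("");
+console.log(`${color(COLORS.bold, "Heads-up before \`pnpm install\`")}`);
+console.log(
+` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "pnpm-workspace.yaml sets minimumReleaseAge: 1440 \u2014 newly-published deps")}`,
+);
+console.log(
+` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "(including a just-released @daloyjs/core) are embargoed for 24 h.")}`,
+);
+console.log(
+` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "Lifecycle scripts are blocked by default; allowlist trusted builds in")}`,
+);
+console.log(
+` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "package.json under pnpm.onlyBuiltDependencies if install complains.")}`,
+);
+}
+
 console.log("");
 console.log(`${color(COLORS.bold, "Useful commands")}`);
 if (skipPackageManager) {
@@ -1228,6 +1245,27 @@ async function main() {
 if (installDeps === undefined) {
 if (skipPackageManager) {
 installDeps = false;
+} else if (packageManager === "pnpm") {
+// Deny-by-default for pnpm: the scaffolded `pnpm-workspace.yaml` ships
+// with `minimumReleaseAge: 1440` (24 h embargo on newly-published
+// versions) and the `.npmrc` blocks lifecycle scripts unless they're
+// allowlisted in `package.json` under `pnpm.onlyBuiltDependencies`.
+// Both are security best practices, but they mean a fresh
+// `pnpm install` can fail until the user (a) waits 24 h for newly
+// published `@daloyjs/core` versions to clear the embargo, or (b)
+// allowlists any dep that needs a build script. Defaulting to N
+// makes that explicit instead of failing the install silently.
+if (rl) {
+console.log(
+color(
+COLORS.gray,
+" (pnpm install may fail until you set pnpm.onlyBuiltDependencies in package.json and wait 24h for fresh @daloyjs/core releases \u2014 see pnpm-workspace.yaml)",
+),
+);
+installDeps = await askYesNo(rl, `Install dependencies with ${packageManager}?`, false);
+} else {
+installDeps = false;
+}
 } else {
 installDeps = rl ? await askYesNo(rl, `Install dependencies with ${packageManager}?`, true) : false;
 }
@@ -1240,7 +1278,9 @@ async function main() {
 
 let withCi = opts.ci;
 if (withCi === undefined) {
-
+// Default to Y — the hardened GitHub Actions + Dependabot + CODEOWNERS
+// + SECURITY.md bundle is opt-out, not opt-in. Most users want it.
+withCi = rl ? await askYesNo(rl, "Add hardened GitHub Actions and security files?", true) : true;
 }
 
 rl?.close();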
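Review bot: The new `--install / --no-install` help text (new line 317) promises "default: Y, except pnpm", but the visible branches in main() set `installDeps = false` whenever `rl` is falsy (new lines 1267 and 1270), so an unprompted run appears to install nothing for any package manager. How `rl` is created, and whether `--yes` leaves it unset, is outside these hunks, since main() begins and ends beyond them, so this is worth confirming. If it holds, the help line should say so, e.g. `(default: Y when prompted; N for pnpm and for non-interactive runs)`, so that users scripting the scaffolder know whether an install, and any lifecycle scripts, will run. Separately, `1440` / `24 h` is hard-coded in three strings (new lines 1121, 1124 and 1262) and will drift if the template's pnpm-workspace.yaml changes; a single module-level constant would keep them in step. The hint "allowlist trusted builds ... if install complains" could also be tightened to say that only dependencies whose build scripts have been reviewed belong in `pnpm.onlyBuiltDependencies`.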
package/package.json
CHANGED
|
@@ -8,8 +8,8 @@
|
|
|
8
8
|
"gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
|
|
9
9
|
},
|
|
10
10
|
"imports": {
|
|
11
|
-
"@daloyjs/core": "npm:@daloyjs/core@^0.13.
|
|
12
|
-
"@daloyjs/core/": "npm:@daloyjs/core@^0.13.
|
|
11
|
+
"@daloyjs/core": "npm:@daloyjs/core@^0.13.2",
|
|
12
|
+
"@daloyjs/core/": "npm:@daloyjs/core@^0.13.2/",
|
|
13
13
|
"zod": "npm:zod@^4.4.3"
|
|
14
14
|
},
|
|
15
15
|
"compilerOptions": {
|