create-daloy 0.7.1 → 0.7.3

@@ -314,10 +314,10 @@ ${heading("Options")}
314
314
  ${color(COLORS.green, "--template <name>")} ${TEMPLATES.join(" | ")} ${color(COLORS.dim, "(default: node-basic)")}
315
315
  ${color(COLORS.green, "--package-manager <pm>")} ${PACKAGE_MANAGERS.join(" | ")} ${color(COLORS.dim, "(default: pnpm)")}
316
316
  ${color(COLORS.green, "--list-templates")} Print available templates and exit.
317
- ${color(COLORS.green, "--install / --no-install")} Install dependencies after scaffolding.
317
+ ${color(COLORS.green, "--install / --no-install")} Install dependencies after scaffolding. ${color(COLORS.dim, "(default: Y, except pnpm \u2014 N to respect minimumReleaseAge + onlyBuiltDependencies)")}
318
318
  ${color(COLORS.green, "--git / --no-git")} Initialize a git repository.
319
319
  ${color(COLORS.green, "--minimal")} Strip the bookstore + OpenAPI docs demo routes.
320
- ${color(COLORS.green, "--with-ci / --no-ci")} Add hardened GitHub Actions + governance files.
320
+ ${color(COLORS.green, "--with-ci / --no-ci")} Add hardened GitHub Actions + governance files. ${color(COLORS.dim, "(default: Y)")}
321
321
  ${color(COLORS.green, "--code-owner <owner>")} CODEOWNERS owner for --with-ci, e.g. @acme/security.
322
322
  ${color(COLORS.green, "--force")} Overwrite an existing non-empty directory.
323
323
  ${color(COLORS.green, "--yes, -y")} Accept all defaults; never prompt.
@@ -1114,6 +1114,23 @@ function printSummary({ projectName, template, packageManager, installDeps, skip
1114
1114
  console.log(` ${arrow} ${color(COLORS.cyan, `${packageManager} run dev`)}`);
1115
1115
  }
1116
1116
 
1117
+ if (!installDeps && !skipPackageManager && packageManager === "pnpm") {
1118
+ console.log("");
1119
+ console.log(`${color(COLORS.bold, "Heads-up before \`pnpm install\`")}`);
1120
+ console.log(
1121
+ ` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "pnpm-workspace.yaml sets minimumReleaseAge: 1440 \u2014 newly-published deps")}`,
1122
+ );
1123
+ console.log(
1124
+ ` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "(including a just-released @daloyjs/core) are embargoed for 24 h.")}`,
1125
+ );
1126
+ console.log(
1127
+ ` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "Lifecycle scripts are blocked by default; allowlist trusted builds in")}`,
1128
+ );
1129
+ console.log(
1130
+ ` ${color(COLORS.gray, SYMBOLS.pointer)} ${color(COLORS.dim, "package.json under pnpm.onlyBuiltDependencies if install complains.")}`,
1131
+ );
1132
+ }
1133
+
1117
1134
  console.log("");
1118
1135
  console.log(`${color(COLORS.bold, "Useful commands")}`);
1119
1136
  if (skipPackageManager) {
@@ -1228,6 +1245,27 @@ async function main() {
1228
1245
  if (installDeps === undefined) {
1229
1246
  if (skipPackageManager) {
1230
1247
  installDeps = false;
1248
+ } else if (packageManager === "pnpm") {
1249
+ // Deny-by-default for pnpm: the scaffolded `pnpm-workspace.yaml` ships
1250
+ // with `minimumReleaseAge: 1440` (24 h embargo on newly-published
1251
+ // versions) and the `.npmrc` blocks lifecycle scripts unless they're
1252
+ // allowlisted in `package.json` under `pnpm.onlyBuiltDependencies`.
1253
+ // Both are security best practices, but they mean a fresh
1254
+ // `pnpm install` can fail until the user (a) waits 24 h for newly
1255
+ // published `@daloyjs/core` versions to clear the embargo, or (b)
1256
+ // allowlists any dep that needs a build script. Defaulting to N
1257
+ // makes that explicit instead of failing the install silently.
1258
+ if (rl) {
1259
+ console.log(
1260
+ color(
1261
+ COLORS.gray,
1262
+ " (pnpm install may fail until you set pnpm.onlyBuiltDependencies in package.json and wait 24h for fresh @daloyjs/core releases \u2014 see pnpm-workspace.yaml)",
1263
+ ),
1264
+ );
1265
+ installDeps = await askYesNo(rl, `Install dependencies with ${packageManager}?`, false);
1266
+ } else {
1267
+ installDeps = false;
1268
+ }
1231
1269
  } else {
1232
1270
  installDeps = rl ? await askYesNo(rl, `Install dependencies with ${packageManager}?`, true) : false;
1233
1271
  }
@@ -1240,7 +1278,9 @@ async function main() {
1240
1278
 
1241
1279
  let withCi = opts.ci;
1242
1280
  if (withCi === undefined) {
1243
- withCi = rl ? await askYesNo(rl, "Add hardened GitHub Actions and security files?", false) : false;
1281
+ // Default to Y the hardened GitHub Actions + Dependabot + CODEOWNERS
1282
+ // + SECURITY.md bundle is opt-out, not opt-in. Most users want it.
1283
+ withCi = rl ? await askYesNo(rl, "Add hardened GitHub Actions and security files?", true) : true;
1244
1284
  }
1245
1285
 
1246
1286
  rl?.close();
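Review bot: The new help text at line 317 promises `(default: Y, except pnpm …)`, but in `main()` the non-pnpm branch is still `rl ? await askYesNo(rl, …, true) : false`, so without a readline interface the install default is N for every package manager. If `--yes` is what leaves `rl` unset (not visible in these hunks), then "Accept all defaults" skips the install while the help says Y, whereas `withCi` now falls back to `true` in the same situation. Either reword the help to something like `(default: Y when prompted; N for pnpm or when not prompting)` or make the fallback agree with it. Separately, the prompt hint at line 1262 reads as if setting `pnpm.onlyBuiltDependencies` were a prerequisite for installing; the summary's wording, "allowlist trusted builds … if install complains", is the safer phrasing because it does not nudge users to allowlist build scripts they have not reviewed. `printSummary()` and `main()` both begin and end outside these hunks.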
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-daloy",
3
- "version": "0.7.1",
3
+ "version": "0.7.3",
4
4
  "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
5
5
  "type": "module",
6
6
  "license": "MIT",
@@ -16,7 +16,7 @@
16
16
  "gen": "pnpm gen:openapi && pnpm gen:client"
17
17
  },
18
18
  "dependencies": {
19
- "@daloyjs/core": "^0.13.1",
19
+ "@daloyjs/core": "^0.13.2",
20
20
  "zod": "^4.4.3"
21
21
  },
22
22
  "devDependencies": {
@@ -10,7 +10,7 @@
10
10
  "test": "node --import tsx/esm --test tests/**/*.test.ts"
11
11
  },
12
12
  "dependencies": {
13
- "@daloyjs/core": "^0.13.1",
13
+ "@daloyjs/core": "^0.13.2",
14
14
  "zod": "^4.4.3"
15
15
  },
16
16
  "devDependencies": {
@@ -8,8 +8,8 @@
8
8
  "gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
9
9
  },
10
10
  "imports": {
11
- "@daloyjs/core": "npm:@daloyjs/core@^0.13.1",
12
- "@daloyjs/core/": "npm:@daloyjs/core@^0.13.1/",
11
+ "@daloyjs/core": "npm:@daloyjs/core@^0.13.2",
12
+ "@daloyjs/core/": "npm:@daloyjs/core@^0.13.2/",
13
13
  "zod": "npm:zod@^4.4.3"
14
14
  },
15
15
  "compilerOptions": {
@@ -18,7 +18,7 @@
18
18
  "audit": "pnpm audit --prod"
19
19
  },
20
20
  "dependencies": {
21
- "@daloyjs/core": "^0.13.1",
21
+ "@daloyjs/core": "^0.13.2",
22
22
  "zod": "^4.4.3"
23
23
  },
24
24
  "devDependencies": {
@@ -10,7 +10,7 @@
10
10
  "test": "node --import tsx/esm --test tests/**/*.test.ts"
11
11
  },
12
12
  "dependencies": {
13
- "@daloyjs/core": "^0.13.1",
13
+ "@daloyjs/core": "^0.13.2",
14
14
  "zod": "^4.4.3"
15
15
  },
16
16
  "devDependencies": {