create-node-lib 2.17.3 → 2.18.0

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [2.18.0](https://github.com/lirantal/create-node-lib/compare/v2.17.4...v2.18.0) (2026-05-13)
+
+
+### Features
+
+* update secure configs for npm and pnpm ([e4f533a](https://github.com/lirantal/create-node-lib/commit/e4f533a73b3ca1c7d4373b76831b49b9d331a1dc))
+
+## [2.17.4](https://github.com/lirantal/create-node-lib/compare/v2.17.3...v2.17.4) (2026-05-13)
+
+
+### Bug Fixes
+
+* exclude pnpm-workspace.yaml when npm is selected as package manager ([#46](https://github.com/lirantal/create-node-lib/issues/46)) ([34891e1](https://github.com/lirantal/create-node-lib/commit/34891e1e9e1b5819ebea4dd36b6f42b3307d41e5))
+
 ## [2.17.3](https://github.com/lirantal/create-node-lib/compare/v2.17.2...v2.17.3) (2026-05-12)
 
 

package/__tests__/generator.test.js

@@ -79,6 +79,28 @@ describe('all the template files are accountable for', () => {
     expect(pkg.scripts['lint:lockfile']).toEqual(mockScripts['lint:lockfile'])
   })
 
+  test('Generator includes pnpm-workspace.yaml when pnpm is selected', async () => {
+    const stream = await sao.mock(
+      { generator: template },
+      {
+        npmClient: 'pnpm'
+      }
+    )
+
+    expect(stream.fileList).toContain('pnpm-workspace.yaml')
+  })
+
+  test('Generator excludes pnpm-workspace.yaml when npm is selected', async () => {
+    const stream = await sao.mock(
+      { generator: template },
+      {
+        npmClient: 'npm'
+      }
+    )
+
+    expect(stream.fileList).not.toContain('pnpm-workspace.yaml')
+  })
+
   test('Generator input creates correct package.json scripts with npm as client', async () => {
     const mockScripts = {
       'lint:lockfile': 'lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-node-lib",
-  "version": "2.17.3",
+  "version": "2.18.0",
   "description": "Scaffolding out a Node.js library module",
   "bin": "./bin/cli.js",
   "engines": {

package/saofile.js

@@ -115,7 +115,15 @@ module.exports = {
           gitignore: '.gitignore',
           npmrc: '.npmrc'
         }
-      }
+      },
+      ...(npmClient !== 'pnpm'
+        ? [
+            {
+              type: 'remove',
+              files: 'pnpm-workspace.yaml'
+            }
+          ]
+        : [])
     ]
   },
   async completed() {

package/template/npmrc

@@ -1,3 +1,11 @@
+# npm security best practices
+# Source: https://github.com/lirantal/npm-security-best-practices
+
+# Do not run any lifecycle hook scripts such as postinstall for packages
 ignore-scripts=true
+
+# Do not allow Git / GitHub related sources for packages
 allow-git=none
-min-release-age=30 # 30 days
+
+# Require at least 30 days since package release
+min-release-age=30

package/template/pnpm-workspace.yaml

@@ -1,19 +1,30 @@
-# Source for more information: https://github.com/lirantal/npm-security-best-practices
+# npm security best practices
+# Source: https://github.com/lirantal/npm-security-best-practices
+
+
+# Require at least 30 days since package release (specified in minutes)
+minimumReleaseAge: 43200
 
 # Fail if a package's trust level has decreased (pnpm 10.21+)
 trustPolicy: no-downgrade
 
 # Allow specific packages or versions to bypass the check when needed
 # example:
-#trustPolicyExclude:
-#  - 'chokidar@4.0.3'
-#  - 'webpack@4.47.0 || 5.102.1'
+# trustPolicyExclude:
+#   - 'chokidar@4.0.3'
+#   - 'webpack@4.47.0 || 5.102.1'
 
 # Ignore the check for packages published more than 30 days ago (pnpm 10.27+)
 # Useful for older packages that pre-date provenance support
-trustPolicyIgnoreAfter: 43200  # minutes (30 days)
+trustPolicyIgnoreAfter: 43200
+
+allowBuilds:
+  esbuild: true 
+  rolldown: true
+  unrs-resolver: true
+
+# Strictly enforce build dependencies, otherwise pnpm will error
+strictDepBuilds: true
 
-onlyBuiltDependencies:
-  - esbuild
-  - rolldown
-  - unrs-resolver
+# Block exotic subdependencies such as those pulled from  Git sources 
+blockExoticSubdeps: true