create-node-lib 2.17.4 → 2.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/package.json +1 -1
- package/template/npmrc +9 -1
- package/template/pnpm-workspace.yaml +20 -9
package/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
# [2.18.0](https://github.com/lirantal/create-node-lib/compare/v2.17.4...v2.18.0) (2026-05-13)
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
### Features
|
|
5
|
+
|
|
6
|
+
* update secure configs for npm and pnpm ([e4f533a](https://github.com/lirantal/create-node-lib/commit/e4f533a73b3ca1c7d4373b76831b49b9d331a1dc))
|
|
7
|
+
|
|
1
8
|
## [2.17.4](https://github.com/lirantal/create-node-lib/compare/v2.17.3...v2.17.4) (2026-05-13)
|
|
2
9
|
|
|
3
10
|
|
package/package.json
CHANGED
package/template/npmrc
CHANGED
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
# npm security best practices
|
|
2
|
+
# Source: https://github.com/lirantal/npm-security-best-practices
|
|
3
|
+
|
|
4
|
+
# Do not run any lifecycle hook scripts such as postinstall for packages
|
|
1
5
|
ignore-scripts=true
|
|
6
|
+
|
|
7
|
+
# Do not allow Git / GitHub related sources for packages
|
|
2
8
|
allow-git=none
|
|
3
|
-
|
|
9
|
+
|
|
10
|
+
# Require at least 30 days since package release
|
|
11
|
+
min-release-age=30
|
|
@@ -1,19 +1,30 @@
|
|
|
1
|
-
#
|
|
1
|
+
# npm security best practices
|
|
2
|
+
# Source: https://github.com/lirantal/npm-security-best-practices
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
# Require at least 30 days since package release (specified in minutes)
|
|
6
|
+
minimumReleaseAge: 43200
|
|
2
7
|
|
|
3
8
|
# Fail if a package's trust level has decreased (pnpm 10.21+)
|
|
4
9
|
trustPolicy: no-downgrade
|
|
5
10
|
|
|
6
11
|
# Allow specific packages or versions to bypass the check when needed
|
|
7
12
|
# example:
|
|
8
|
-
#trustPolicyExclude:
|
|
9
|
-
#
|
|
10
|
-
#
|
|
13
|
+
# trustPolicyExclude:
|
|
14
|
+
# - 'chokidar@4.0.3'
|
|
15
|
+
# - 'webpack@4.47.0 || 5.102.1'
|
|
11
16
|
|
|
12
17
|
# Ignore the check for packages published more than 30 days ago (pnpm 10.27+)
|
|
13
18
|
# Useful for older packages that pre-date provenance support
|
|
14
|
-
trustPolicyIgnoreAfter: 43200
|
|
19
|
+
trustPolicyIgnoreAfter: 43200
|
|
20
|
+
|
|
21
|
+
allowBuilds:
|
|
22
|
+
esbuild: true
|
|
23
|
+
rolldown: true
|
|
24
|
+
unrs-resolver: true
|
|
25
|
+
|
|
26
|
+
# Strictly enforce build dependencies, otherwise pnpm will error
|
|
27
|
+
strictDepBuilds: true
|
|
15
28
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
- rolldown
|
|
19
|
-
- unrs-resolver
|
|
29
|
+
# Block exotic subdependencies such as those pulled from Git sources
|
|
30
|
+
blockExoticSubdeps: true
|