create-node-lib 2.17.4 → 2.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
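--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,17 @@
+# [2.19.0](https://github.com/lirantal/create-node-lib/compare/v2.18.0...v2.19.0) (2026-05-15)
+
+
+### Features
+
+* enhance security policies in pnpm-workspace.yaml ([68df8f6](https://github.com/lirantal/create-node-lib/commit/68df8f644ef11dc789a157e3cc1c1ed72e5675c9))
+
+# [2.18.0](https://github.com/lirantal/create-node-lib/compare/v2.17.4...v2.18.0) (2026-05-13)
+
+
+### Features
+
+* update secure configs for npm and pnpm ([e4f533a](https://github.com/lirantal/create-node-lib/commit/e4f533a73b3ca1c7d4373b76831b49b9d331a1dc))
+
 ## [2.17.4](https://github.com/lirantal/create-node-lib/compare/v2.17.3...v2.17.4) (2026-05-13)
 
 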
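--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "create-node-lib",
-"version": "2.17.4",
+"version": "2.19.0",
 "description": "Scaffolding out a Node.js library module",
 "bin": "./bin/cli.js",
 "engines": {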
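--- a/package/template/npmrc
+++ b/package/template/npmrc
@@ -1,3 +1,11 @@
+# npm security best practices
+# Source: https://github.com/lirantal/npm-security-best-practices
+
+# Do not run any lifecycle hook scripts such as postinstall for packages
 ignore-scripts=true
+
+# Do not allow Git / GitHub related sources for packages
 allow-git=none
-min-release-age=30 # 30 days
+
+# Require at least 30 days since package release
+min-release-age=30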
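Review bot: The rewritten comments drop the package-manager version floor that gated these settings — the removed pnpm line read `# Fail if a package's trust level has decreased (pnpm 10.21+)` and `# Ignore the check for packages published more than 30 days ago (pnpm 10.27+)`, and the npm keys `allow-git` and `min-release-age` appear to be far newer than `ignore-scripts` — yet a package manager that predates a key ignores it (at most with a warning) rather than refusing to install, so a consumer of the template on an older release gets none of the protection these comments promise. State the minimum version beside each key, e.g. `# Requires npm >= <version that added min-release-age and allow-git>` here, and restore `(pnpm 10.21+)` on `trustPolicy` in the second hunk (`@@ -1,19 +1,56 @@`), which by its content is pnpm-workspace.yaml rather than this npmrc file — its file header seems to be missing from the page. Since the generated project already ships a package.json, pinning the package manager there (the `packageManager` field) would turn the documented floor into an enforced one.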
@@ -1,19 +1,56 @@
1
- # Source for more information: https://github.com/lirantal/npm-security-best-practices
1
+ # npm security best practices
2
+ # Source: https://github.com/lirantal/npm-security-best-practices
2
3
 
3
- # Fail if a package's trust level has decreased (pnpm 10.21+)
4
+ # SECURITY: block packages newer than 30 days (43200 minutes).
5
+ # Gives the community time to spot and yank hijacked releases
6
+ # before they reach your install.
7
+ minimumReleaseAge: 43200
8
+
9
+ # SECURITY: reject a version whose publishing trust signals
10
+ # (npm provenance, trusted-publisher status, registry signatures)
11
+ # have regressed from prior releases. Catches account-takeover
12
+ # attacks where the attacker can't reproduce the legitimate CI
13
+ # pipeline that produced earlier provenance.
4
14
  trustPolicy: no-downgrade
5
15
 
6
- # Allow specific packages or versions to bypass the check when needed
7
- # example:
8
- #trustPolicyExclude:
9
- # - 'chokidar@4.0.3'
10
- # - 'webpack@4.47.0 || 5.102.1'
16
+ # Per-package or per-version exemptions for legitimate trust
17
+ # regressions (e.g. a maintainer who genuinely switched CI providers).
18
+ # Keep empty; add entries only with a written justification, and
19
+ # prefer a specific version range over allowing an entire package.
20
+ # Example:
21
+ # trustPolicyExclude:
22
+ # - 'chokidar@4.0.3'
23
+ # - 'webpack@4.47.0 || 5.102.1'
24
+
25
+ # Disabled intentionally. Skipping the trust check for older
26
+ # versions sounds useful for genuinely pre-provenance packages
27
+ # (npm provenance launched April 2023), but any value near
28
+ # minimumReleaseAge nullifies trustPolicy entirely — every
29
+ # installable version becomes exempt. Use trustPolicyExclude
30
+ # above for legitimate legacy cases instead.
31
+ # trustPolicyIgnoreAfter: 43200
32
+
33
+ # SECURITY: block install scripts by default.
34
+ # Explicit allow-list only. Postinstall scripts are a primary
35
+ # malware delivery vector for transitive dependencies.
36
+ # Keep this list small and only enable packages whose postinstall
37
+ # is genuinely required.
38
+ allowBuilds:
39
+ # Native bundler; postinstall fetches the platform-specific binary.
40
+ esbuild: true
41
+ # Native bundler; postinstall fetches the platform-specific binary.
42
+ rolldown: true
43
+ # Native module resolver used by some toolchains.
44
+ unrs-resolver: true
11
45
 
12
- # Ignore the check for packages published more than 30 days ago (pnpm 10.27+)
13
- # Useful for older packages that pre-date provenance support
14
- trustPolicyIgnoreAfter: 43200 # minutes (30 days)
46
+ # SECURITY: fail the install if a dependency wants to run a build
47
+ # script that isn't in the allow-list above. Without this, new
48
+ # postinstall scripts get silently skipped — you'd never know to
49
+ # audit them.
50
+ strictDepBuilds: true
15
51
 
16
- onlyBuiltDependencies:
17
- - esbuild
18
- - rolldown
19
- - unrs-resolver
52
+ # SECURITY: reject dependencies sourced from git URLs, tarball
53
+ # URLs, or local paths. These bypass registry signing, provenance,
54
+ # and yanking, and have been weaponized to deliver malware through
55
+ # innocent-looking transitive deps.
56
+ blockExoticSubdeps: true