create-node-lib 2.18.0 → 2.19.1

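--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,17 @@
+## [2.19.1](https://github.com/lirantal/create-node-lib/compare/v2.19.0...v2.19.1) (2026-05-15)
+
+
+### Bug Fixes
+
+* move package manager constraints to engines ([#48](https://github.com/lirantal/create-node-lib/issues/48)) ([f39e97e](https://github.com/lirantal/create-node-lib/commit/f39e97efad3b5e76babaeb7febbdd54182c4988e))
+
+# [2.19.0](https://github.com/lirantal/create-node-lib/compare/v2.18.0...v2.19.0) (2026-05-15)
+
+
+### Features
+
+* enhance security policies in pnpm-workspace.yaml ([68df8f6](https://github.com/lirantal/create-node-lib/commit/68df8f644ef11dc789a157e3cc1c1ed72e5675c9))
+
 # [2.18.0](https://github.com/lirantal/create-node-lib/compare/v2.17.4...v2.18.0) (2026-05-13)
 
 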
@@ -75,6 +75,9 @@ describe('all the template files are accountable for', () => {
75
75
  expect(pkg.author.email).toBe(mockUserEmail)
76
76
  expect(pkg.homepage).toBe(mockProjectRepository)
77
77
  expect(pkg.keywords).toEqual(mockProjectKeywords)
78
+ expect(pkg.engines.pnpm).toBe('>=10.26.0')
79
+ expect(pkg.engines.npm).toBeUndefined()
80
+ expect(pkg.packageManager).toBeUndefined()
78
81
  // Testing only variable scripts
79
82
  expect(pkg.scripts['lint:lockfile']).toEqual(mockScripts['lint:lockfile'])
80
83
  })
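Review bot: The new assertions pin the client-specific floor (`pkg.engines.pnpm`, `pkg.engines.npm`, `pkg.packageManager`) but nothing checks that the template's pre-existing `engines.node` constraint survives the generator's mutation of the `engines` object, which is the regression this change is most likely to introduce. Adding `expect(pkg.engines.node).toBe('>=24.0.0')` beside the new lines here, and likewise in the npm case in the next hunk, would cover it. The enclosing test body starts outside this hunk.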
@@ -116,6 +119,9 @@ describe('all the template files are accountable for', () => {
116
119
  const pkg = JSON.parse(await stream.readFile('package.json'))
117
120
  // Testing only variable scripts
118
121
  expect(pkg.scripts['lint:lockfile']).toEqual(mockScripts['lint:lockfile'])
122
+ expect(pkg.engines.npm).toBe('>=11.10.0')
123
+ expect(pkg.engines.pnpm).toBeUndefined()
124
+ expect(pkg.packageManager).toBeUndefined()
119
125
  })
120
126
 
121
127
  test('Generator creates package.json with prepare script for husky', async () => {
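--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "create-node-lib",
-"version": "2.18.0",
+"version": "2.19.1",
 "description": "Scaffolding out a Node.js library module",
 "bin": "./bin/cli.js",
 "engines": {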
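--- a/package/saofile.js
+++ b/package/saofile.js
@@ -1,7 +1,11 @@
 'use strict'
 const validateNpmPackageName = require('validate-npm-package-name')
 
-const SUPPORTED_NPM_CLIENTS = ['pnpm', 'npm']
+const PACKAGE_MANAGER_ENGINES = {
+pnpm: '>=10.26.0',
+npm: '>=11.10.0'
+}
+const SUPPORTED_NPM_CLIENTS = Object.keys(PACKAGE_MANAGER_ENGINES)
 
 module.exports = {
 description: 'Scaffolding out a node library.',
@@ -100,12 +104,10 @@ module.exports = {
 'lint:lockfile'
 ] = `lockfile-lint --path ${lockfile} --validate-https --allowed-hosts npm`
 data.scripts['lint'] = `eslint . && ${npmClient} run lint:lockfile && ${npmClient} run lint:markdown`
+data.engines[npmClient] = PACKAGE_MANAGER_ENGINES[npmClient]
 data['lint-staged'] = {
 '**/*.{js,json}': [`${npmClient} run lint:fix`]
 }
-if (npmClient !== 'pnpm') {
-delete data.packageManager
-}
 return data
 }
 },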
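Review bot: `data.engines[npmClient] = PACKAGE_MANAGER_ENGINES[npmClient]` in the second hunk assumes the template's package.json already carries an `engines` object; should a template ever omit it, generation fails with a TypeError instead of producing the constraint. A guard on the preceding line, `data.engines ??= {}` (or `data.engines = data.engines || {}` if the generator must run on runtimes without logical assignment), keeps the write safe. It is also worth a comment on that line that npm only enforces `engines.npm` when `engine-strict=true` is configured, while pnpm checks `engines.pnpm` by default, so for the npm client this floor is advisory unless the generated `.npmrc` (not in this diff) sets that option. The enclosing function starts outside this hunk.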
@@ -28,7 +28,6 @@
28
28
  "engines": {
29
29
  "node": ">=24.0.0"
30
30
  },
31
- "packageManager": "pnpm@10.31.0",
32
31
  "files": [
33
32
  "dist",
34
33
  "src",
@@ -1,30 +1,56 @@
1
1
  # npm security best practices
2
2
  # Source: https://github.com/lirantal/npm-security-best-practices
3
3
 
4
-
5
- # Require at least 30 days since package release (specified in minutes)
4
+ # SECURITY: block packages newer than 30 days (43200 minutes).
5
+ # Gives the community time to spot and yank hijacked releases
6
+ # before they reach your install.
6
7
  minimumReleaseAge: 43200
7
8
 
8
- # Fail if a package's trust level has decreased (pnpm 10.21+)
9
+ # SECURITY: reject a version whose publishing trust signals
10
+ # (npm provenance, trusted-publisher status, registry signatures)
11
+ # have regressed from prior releases. Catches account-takeover
12
+ # attacks where the attacker can't reproduce the legitimate CI
13
+ # pipeline that produced earlier provenance.
9
14
  trustPolicy: no-downgrade
10
15
 
11
- # Allow specific packages or versions to bypass the check when needed
12
- # example:
16
+ # Per-package or per-version exemptions for legitimate trust
17
+ # regressions (e.g. a maintainer who genuinely switched CI providers).
18
+ # Keep empty; add entries only with a written justification, and
19
+ # prefer a specific version range over allowing an entire package.
20
+ # Example:
13
21
  # trustPolicyExclude:
14
22
  # - 'chokidar@4.0.3'
15
23
  # - 'webpack@4.47.0 || 5.102.1'
16
24
 
17
- # Ignore the check for packages published more than 30 days ago (pnpm 10.27+)
18
- # Useful for older packages that pre-date provenance support
19
- trustPolicyIgnoreAfter: 43200
20
-
25
+ # Disabled intentionally. Skipping the trust check for older
26
+ # versions sounds useful for genuinely pre-provenance packages
27
+ # (npm provenance launched April 2023), but any value near
28
+ # minimumReleaseAge nullifies trustPolicy entirely — every
29
+ # installable version becomes exempt. Use trustPolicyExclude
30
+ # above for legitimate legacy cases instead.
31
+ # trustPolicyIgnoreAfter: 43200
32
+
33
+ # SECURITY: block install scripts by default.
34
+ # Explicit allow-list only. Postinstall scripts are a primary
35
+ # malware delivery vector for transitive dependencies.
36
+ # Keep this list small and only enable packages whose postinstall
37
+ # is genuinely required.
21
38
  allowBuilds:
22
- esbuild: true
39
+ # Native bundler; postinstall fetches the platform-specific binary.
40
+ esbuild: true
41
+ # Native bundler; postinstall fetches the platform-specific binary.
23
42
  rolldown: true
43
+ # Native module resolver used by some toolchains.
24
44
  unrs-resolver: true
25
45
 
26
- # Strictly enforce build dependencies, otherwise pnpm will error
46
+ # SECURITY: fail the install if a dependency wants to run a build
47
+ # script that isn't in the allow-list above. Without this, new
48
+ # postinstall scripts get silently skipped — you'd never know to
49
+ # audit them.
27
50
  strictDepBuilds: true
28
51
 
29
- # Block exotic subdependencies such as those pulled from Git sources
30
- blockExoticSubdeps: true
52
+ # SECURITY: reject dependencies sourced from git URLs, tarball
53
+ # URLs, or local paths. These bypass registry signing, provenance,
54
+ # and yanking, and have been weaponized to deliver malware through
55
+ # innocent-looking transitive deps.
56
+ blockExoticSubdeps: true
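Review bot: The rewritten comments drop the pnpm version notes the removed lines carried (`(pnpm 10.21+)` for `trustPolicy`, `(pnpm 10.27+)` for `trustPolicyIgnoreAfter`); the generated project's pnpm floor elsewhere in this diff appears to be `>=10.26.0`, so anyone re-enabling `trustPolicyIgnoreAfter` would need the 10.27 note to see it is not covered by that floor. I would keep them, e.g. `# Requires pnpm 10.21+.` under the trustPolicy comment and `# Requires pnpm 10.27+ if re-enabled.` above the commented-out `trustPolicyIgnoreAfter` line. Separately, the `blockExoticSubdeps` comment lists local paths among the blocked sources; as far as I recall the option is documented in terms of non-registry (git and tarball URL) subdependencies, so I would confirm the local-path claim against the pnpm docs for the pinned version before stating it.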