create-node-lib 2.19.0 → 2.19.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/__tests__/generator.test.js +6 -0
  3. package/package.json +1 -1
  4. package/saofile.js +6 -4
  5. package/template/npmrc +12 -3
  6. package/template/package.json +0 -1
package/CHANGELOG.md CHANGED
@@ -1,3 +1,17 @@
1
+ ## [2.19.2](https://github.com/lirantal/create-node-lib/compare/v2.19.1...v2.19.2) (2026-05-15)
2
+
3
+
4
+ ### Bug Fixes
5
+
6
+ * descriptions for npmrc file ([dce8594](https://github.com/lirantal/create-node-lib/commit/dce8594d4d5a14b1f14e2ac39745de6d64aaf97c))
7
+
8
+ ## [2.19.1](https://github.com/lirantal/create-node-lib/compare/v2.19.0...v2.19.1) (2026-05-15)
9
+
10
+
11
+ ### Bug Fixes
12
+
13
+ * move package manager constraints to engines ([#48](https://github.com/lirantal/create-node-lib/issues/48)) ([f39e97e](https://github.com/lirantal/create-node-lib/commit/f39e97efad3b5e76babaeb7febbdd54182c4988e))
14
+
1
15
  # [2.19.0](https://github.com/lirantal/create-node-lib/compare/v2.18.0...v2.19.0) (2026-05-15)
2
16
 
3
17
 
package/__tests__/generator.test.js CHANGED
@@ -75,6 +75,9 @@ describe('all the template files are accountable for', () => {
75
75
  expect(pkg.author.email).toBe(mockUserEmail)
76
76
  expect(pkg.homepage).toBe(mockProjectRepository)
77
77
  expect(pkg.keywords).toEqual(mockProjectKeywords)
78
+ expect(pkg.engines.pnpm).toBe('>=10.26.0')
79
+ expect(pkg.engines.npm).toBeUndefined()
80
+ expect(pkg.packageManager).toBeUndefined()
78
81
  // Testing only variable scripts
79
82
  expect(pkg.scripts['lint:lockfile']).toEqual(mockScripts['lint:lockfile'])
80
83
  })
@@ -116,6 +119,9 @@ describe('all the template files are accountable for', () => {
116
119
  const pkg = JSON.parse(await stream.readFile('package.json'))
117
120
  // Testing only variable scripts
118
121
  expect(pkg.scripts['lint:lockfile']).toEqual(mockScripts['lint:lockfile'])
122
+ expect(pkg.engines.npm).toBe('>=11.10.0')
123
+ expect(pkg.engines.pnpm).toBeUndefined()
124
+ expect(pkg.packageManager).toBeUndefined()
119
125
  })
120
126
 
121
127
  test('Generator creates package.json with prepare script for husky', async () => {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-node-lib",
3
- "version": "2.19.0",
3
+ "version": "2.19.2",
4
4
  "description": "Scaffolding out a Node.js library module",
5
5
  "bin": "./bin/cli.js",
6
6
  "engines": {
package/saofile.js CHANGED
@@ -1,7 +1,11 @@
1
1
  'use strict'
2
2
  const validateNpmPackageName = require('validate-npm-package-name')
3
3
 
4
- const SUPPORTED_NPM_CLIENTS = ['pnpm', 'npm']
4
+ const PACKAGE_MANAGER_ENGINES = {
5
+ pnpm: '>=10.26.0',
6
+ npm: '>=11.10.0'
7
+ }
8
+ const SUPPORTED_NPM_CLIENTS = Object.keys(PACKAGE_MANAGER_ENGINES)
5
9
 
6
10
  module.exports = {
7
11
  description: 'Scaffolding out a node library.',
@@ -100,12 +104,10 @@ module.exports = {
100
104
  'lint:lockfile'
101
105
  ] = `lockfile-lint --path ${lockfile} --validate-https --allowed-hosts npm`
102
106
  data.scripts['lint'] = `eslint . && ${npmClient} run lint:lockfile && ${npmClient} run lint:markdown`
107
+ data.engines[npmClient] = PACKAGE_MANAGER_ENGINES[npmClient]
103
108
  data['lint-staged'] = {
104
109
  '**/*.{js,json}': [`${npmClient} run lint:fix`]
105
110
  }
106
- if (npmClient !== 'pnpm') {
107
- delete data.packageManager
108
- }
109
111
  return data
110
112
  }
111
113
  },
package/template/npmrc CHANGED
@@ -1,11 +1,20 @@
1
1
  # npm security best practices
2
2
  # Source: https://github.com/lirantal/npm-security-best-practices
3
3
 
4
- # Do not run any lifecycle hook scripts such as postinstall for packages
4
+ # SECURITY: do not run any lifecycle scripts (preinstall, install,
5
+ # postinstall, etc.) for dependencies. Postinstall scripts are the
6
+ # classic malware delivery vector — a transitive dep can execute
7
+ # arbitrary code on your machine during `npm install` without you
8
+ # ever running its code at runtime.
5
9
  ignore-scripts=true
6
10
 
7
- # Do not allow Git / GitHub related sources for packages
11
+ # SECURITY: reject git-source dependencies (git+ssh://, github:owner/repo,
12
+ # etc.). Git deps can ship their own .npmrc that overrides the path to
13
+ # the npm binary, achieving arbitrary code execution at install time —
14
+ # bypassing ignore-scripts entirely. This will be the default in npm 12.
8
15
  allow-git=none
9
16
 
10
- # Require at least 30 days since package release
17
+ # SECURITY: refuse to install package versions younger than 30 days.
18
+ # Gives the community time to spot and yank hijacked releases before
19
+ # they reach your install. Value is in days.
11
20
  min-release-age=30
package/template/package.json CHANGED
@@ -28,7 +28,6 @@
28
28
  "engines": {
29
29
  "node": ">=24.0.0"
30
30
  },
31
- "packageManager": "pnpm@10.31.0",
32
31
  "files": [
33
32
  "dist",
34
33
  "src",