devflow-kit 0.8.1 → 1.0.0
- package/CHANGELOG.md +185 -29
- package/LICENSE +1 -1
- package/README.md +179 -308
- package/dist/cli.js +3 -1
- package/dist/commands/init.d.ts +21 -0
- package/dist/commands/init.js +311 -575
- package/dist/commands/list.d.ts +3 -0
- package/dist/commands/list.js +20 -0
- package/dist/commands/uninstall.d.ts +10 -0
- package/dist/commands/uninstall.js +351 -78
- package/dist/plugins.d.ts +46 -0
- package/dist/plugins.js +162 -0
- package/dist/utils/cli.d.ts +5 -0
- package/dist/utils/cli.js +14 -0
- package/dist/utils/installer.d.ts +41 -0
- package/dist/utils/installer.js +177 -0
- package/dist/utils/paths.d.ts +10 -0
- package/dist/utils/paths.js +23 -3
- package/dist/utils/post-install.d.ts +68 -0
- package/dist/utils/post-install.js +427 -0
- package/dist/utils/safe-delete-install.d.ts +22 -0
- package/dist/utils/safe-delete-install.js +156 -0
- package/dist/utils/safe-delete.d.ts +12 -0
- package/dist/utils/safe-delete.js +83 -0
- package/package.json +18 -8
- package/plugins/devflow-audit-claude/.claude-plugin/plugin.json +7 -0
- package/plugins/devflow-audit-claude/README.md +46 -0
- package/plugins/devflow-audit-claude/agents/claude-md-auditor.md +134 -0
- package/plugins/devflow-audit-claude/commands/audit-claude.md +85 -0
- package/plugins/devflow-code-review/.claude-plugin/plugin.json +31 -0
- package/plugins/devflow-code-review/README.md +73 -0
- package/plugins/devflow-code-review/agents/git.md +272 -0
- package/plugins/devflow-code-review/agents/reviewer.md +119 -0
- package/plugins/devflow-code-review/agents/synthesizer.md +204 -0
- package/plugins/devflow-code-review/commands/code-review-teams.md +262 -0
- package/plugins/devflow-code-review/commands/code-review.md +141 -0
- package/plugins/devflow-code-review/skills/accessibility/SKILL.md +229 -0
- package/plugins/devflow-code-review/skills/accessibility/references/detection.md +171 -0
- package/plugins/devflow-code-review/skills/accessibility/references/patterns.md +670 -0
- package/plugins/devflow-code-review/skills/accessibility/references/violations.md +419 -0
- package/plugins/devflow-code-review/skills/agent-teams/SKILL.md +124 -0
- package/plugins/devflow-code-review/skills/agent-teams/references/cleanup.md +104 -0
- package/plugins/devflow-code-review/skills/agent-teams/references/communication.md +122 -0
- package/plugins/devflow-code-review/skills/agent-teams/references/team-patterns.md +217 -0
- package/plugins/devflow-code-review/skills/architecture-patterns/SKILL.md +153 -0
- package/plugins/devflow-code-review/skills/architecture-patterns/references/detection.md +337 -0
- package/plugins/devflow-code-review/skills/architecture-patterns/references/patterns.md +873 -0
- package/plugins/devflow-code-review/skills/architecture-patterns/references/violations.md +575 -0
- package/plugins/devflow-code-review/skills/complexity-patterns/SKILL.md +143 -0
- package/plugins/devflow-code-review/skills/complexity-patterns/references/detection.md +264 -0
- package/plugins/devflow-code-review/skills/complexity-patterns/references/patterns.md +487 -0
- package/plugins/devflow-code-review/skills/complexity-patterns/references/violations.md +361 -0
- package/plugins/devflow-code-review/skills/consistency-patterns/SKILL.md +140 -0
- package/plugins/devflow-code-review/skills/consistency-patterns/references/detection.md +207 -0
- package/plugins/devflow-code-review/skills/consistency-patterns/references/patterns.md +202 -0
- package/plugins/devflow-code-review/skills/consistency-patterns/references/violations.md +213 -0
- package/plugins/devflow-code-review/skills/database-patterns/SKILL.md +134 -0
- package/plugins/devflow-code-review/skills/database-patterns/references/detection.md +208 -0
- package/plugins/devflow-code-review/skills/database-patterns/references/patterns.md +394 -0
- package/plugins/devflow-code-review/skills/database-patterns/references/violations.md +332 -0
- package/plugins/devflow-code-review/skills/dependencies-patterns/SKILL.md +141 -0
- package/plugins/devflow-code-review/skills/dependencies-patterns/references/detection.md +181 -0
- package/plugins/devflow-code-review/skills/dependencies-patterns/references/patterns.md +225 -0
- package/plugins/devflow-code-review/skills/dependencies-patterns/references/violations.md +247 -0
- package/plugins/devflow-code-review/skills/documentation-patterns/SKILL.md +125 -0
- package/plugins/devflow-code-review/skills/documentation-patterns/references/detection.md +190 -0
- package/plugins/devflow-code-review/skills/documentation-patterns/references/patterns.md +189 -0
- package/plugins/devflow-code-review/skills/documentation-patterns/references/violations.md +163 -0
- package/plugins/devflow-code-review/skills/frontend-design/SKILL.md +254 -0
- package/plugins/devflow-code-review/skills/frontend-design/references/detection.md +184 -0
- package/plugins/devflow-code-review/skills/frontend-design/references/patterns.md +511 -0
- package/plugins/devflow-code-review/skills/frontend-design/references/violations.md +453 -0
- package/plugins/devflow-code-review/skills/performance-patterns/SKILL.md +154 -0
- package/plugins/devflow-code-review/skills/performance-patterns/references/detection.md +351 -0
- package/plugins/devflow-code-review/skills/performance-patterns/references/patterns.md +503 -0
- package/plugins/devflow-code-review/skills/performance-patterns/references/violations.md +354 -0
- package/plugins/devflow-code-review/skills/react/SKILL.md +276 -0
- package/plugins/devflow-code-review/skills/react/references/patterns.md +1331 -0
- package/plugins/devflow-code-review/skills/react/references/violations.md +565 -0
- package/plugins/devflow-code-review/skills/regression-patterns/SKILL.md +146 -0
- package/plugins/devflow-code-review/skills/regression-patterns/references/detection.md +237 -0
- package/plugins/devflow-code-review/skills/regression-patterns/references/patterns.md +226 -0
- package/plugins/devflow-code-review/skills/regression-patterns/references/violations.md +225 -0
- package/plugins/devflow-code-review/skills/review-methodology/SKILL.md +119 -0
- package/plugins/devflow-code-review/skills/review-methodology/references/patterns.md +186 -0
- package/plugins/devflow-code-review/skills/review-methodology/references/report-template.md +142 -0
- package/plugins/devflow-code-review/skills/review-methodology/references/violations.md +125 -0
- package/plugins/devflow-code-review/skills/security-patterns/SKILL.md +156 -0
- package/plugins/devflow-code-review/skills/security-patterns/references/detection.md +287 -0
- package/plugins/devflow-code-review/skills/security-patterns/references/patterns.md +507 -0
- package/plugins/devflow-code-review/skills/security-patterns/references/violations.md +237 -0
- package/plugins/devflow-code-review/skills/test-patterns/SKILL.md +183 -0
- package/plugins/devflow-code-review/skills/test-patterns/references/detection.md +149 -0
- package/plugins/devflow-code-review/skills/test-patterns/references/patterns.md +220 -0
- package/plugins/devflow-code-review/skills/test-patterns/references/report-template.md +108 -0
- package/plugins/devflow-code-review/skills/test-patterns/references/violations.md +221 -0
- package/plugins/devflow-core-skills/.claude-plugin/plugin.json +27 -0
- package/plugins/devflow-core-skills/README.md +50 -0
- package/plugins/devflow-core-skills/skills/accessibility/SKILL.md +229 -0
- package/plugins/devflow-core-skills/skills/accessibility/references/detection.md +171 -0
- package/plugins/devflow-core-skills/skills/accessibility/references/patterns.md +670 -0
- package/plugins/devflow-core-skills/skills/accessibility/references/violations.md +419 -0
- package/plugins/devflow-core-skills/skills/core-patterns/SKILL.md +162 -0
- package/plugins/devflow-core-skills/skills/core-patterns/references/checklist.md +276 -0
- package/plugins/devflow-core-skills/skills/core-patterns/references/code-smell-violations.md +144 -0
- package/plugins/devflow-core-skills/skills/core-patterns/references/detection.md +303 -0
- package/plugins/devflow-core-skills/skills/core-patterns/references/patterns.md +576 -0
- package/plugins/devflow-core-skills/skills/core-patterns/references/violations.md +369 -0
- package/plugins/devflow-core-skills/skills/docs-framework/SKILL.md +134 -0
- package/plugins/devflow-core-skills/skills/docs-framework/references/patterns.md +346 -0
- package/plugins/devflow-core-skills/skills/docs-framework/references/violations.md +221 -0
- package/plugins/devflow-core-skills/skills/frontend-design/SKILL.md +254 -0
- package/plugins/devflow-core-skills/skills/frontend-design/references/detection.md +184 -0
- package/plugins/devflow-core-skills/skills/frontend-design/references/patterns.md +511 -0
- package/plugins/devflow-core-skills/skills/frontend-design/references/violations.md +453 -0
- package/plugins/devflow-core-skills/skills/git-safety/SKILL.md +122 -0
- package/plugins/devflow-core-skills/skills/git-safety/references/detection.md +290 -0
- package/plugins/devflow-core-skills/skills/git-safety/references/patterns.md +289 -0
- package/plugins/devflow-core-skills/skills/git-safety/references/violations.md +18 -0
- package/plugins/devflow-core-skills/skills/git-workflow/SKILL.md +158 -0
- package/plugins/devflow-core-skills/skills/git-workflow/references/commit-patterns.md +115 -0
- package/plugins/devflow-core-skills/skills/git-workflow/references/commit-violations.md +77 -0
- package/plugins/devflow-core-skills/skills/git-workflow/references/pr-patterns.md +127 -0
- package/plugins/devflow-core-skills/skills/git-workflow/references/pr-violations.md +96 -0
- package/plugins/devflow-core-skills/skills/github-patterns/SKILL.md +153 -0
- package/plugins/devflow-core-skills/skills/github-patterns/references/patterns.md +572 -0
- package/plugins/devflow-core-skills/skills/github-patterns/references/violations.md +298 -0
- package/plugins/devflow-core-skills/skills/input-validation/SKILL.md +148 -0
- package/plugins/devflow-core-skills/skills/input-validation/references/detection.md +283 -0
- package/plugins/devflow-core-skills/skills/input-validation/references/patterns.md +361 -0
- package/plugins/devflow-core-skills/skills/input-validation/references/violations.md +224 -0
- package/plugins/devflow-core-skills/skills/react/SKILL.md +276 -0
- package/plugins/devflow-core-skills/skills/react/references/patterns.md +1331 -0
- package/plugins/devflow-core-skills/skills/react/references/violations.md +565 -0
- package/plugins/devflow-core-skills/skills/test-patterns/SKILL.md +183 -0
- package/plugins/devflow-core-skills/skills/test-patterns/references/detection.md +149 -0
- package/plugins/devflow-core-skills/skills/test-patterns/references/patterns.md +220 -0
- package/plugins/devflow-core-skills/skills/test-patterns/references/report-template.md +108 -0
- package/plugins/devflow-core-skills/skills/test-patterns/references/violations.md +221 -0
- package/plugins/devflow-core-skills/skills/typescript/SKILL.md +176 -0
- package/plugins/devflow-core-skills/skills/typescript/references/patterns.md +1105 -0
- package/plugins/devflow-core-skills/skills/typescript/references/violations.md +433 -0
- package/plugins/devflow-debug/.claude-plugin/plugin.json +18 -0
- package/plugins/devflow-debug/README.md +65 -0
- package/plugins/devflow-debug/agents/git.md +272 -0
- package/plugins/devflow-debug/commands/debug-teams.md +231 -0
- package/plugins/devflow-debug/commands/debug.md +160 -0
- package/plugins/devflow-debug/skills/agent-teams/SKILL.md +124 -0
- package/plugins/devflow-debug/skills/agent-teams/references/cleanup.md +104 -0
- package/plugins/devflow-debug/skills/agent-teams/references/communication.md +122 -0
- package/plugins/devflow-debug/skills/agent-teams/references/team-patterns.md +217 -0
- package/plugins/devflow-debug/skills/git-safety/SKILL.md +122 -0
- package/plugins/devflow-debug/skills/git-safety/references/detection.md +290 -0
- package/plugins/devflow-debug/skills/git-safety/references/patterns.md +289 -0
- package/plugins/devflow-debug/skills/git-safety/references/violations.md +18 -0
- package/plugins/devflow-implement/.claude-plugin/plugin.json +21 -0
- package/plugins/devflow-implement/README.md +71 -0
- package/plugins/devflow-implement/agents/coder.md +122 -0
- package/plugins/devflow-implement/agents/git.md +272 -0
- package/plugins/devflow-implement/agents/scrutinizer.md +80 -0
- package/plugins/devflow-implement/agents/shepherd.md +94 -0
- package/plugins/devflow-implement/agents/simplifier.md +62 -0
- package/plugins/devflow-implement/agents/skimmer.md +88 -0
- package/plugins/devflow-implement/agents/synthesizer.md +204 -0
- package/plugins/devflow-implement/agents/validator.md +86 -0
- package/plugins/devflow-implement/commands/implement-teams.md +608 -0
- package/plugins/devflow-implement/commands/implement.md +426 -0
- package/plugins/devflow-implement/skills/accessibility/SKILL.md +229 -0
- package/plugins/devflow-implement/skills/accessibility/references/detection.md +171 -0
- package/plugins/devflow-implement/skills/accessibility/references/patterns.md +670 -0
- package/plugins/devflow-implement/skills/accessibility/references/violations.md +419 -0
- package/plugins/devflow-implement/skills/agent-teams/SKILL.md +124 -0
- package/plugins/devflow-implement/skills/agent-teams/references/cleanup.md +104 -0
- package/plugins/devflow-implement/skills/agent-teams/references/communication.md +122 -0
- package/plugins/devflow-implement/skills/agent-teams/references/team-patterns.md +217 -0
- package/plugins/devflow-implement/skills/frontend-design/SKILL.md +254 -0
- package/plugins/devflow-implement/skills/frontend-design/references/detection.md +184 -0
- package/plugins/devflow-implement/skills/frontend-design/references/patterns.md +511 -0
- package/plugins/devflow-implement/skills/frontend-design/references/violations.md +453 -0
- package/plugins/devflow-implement/skills/implementation-patterns/SKILL.md +162 -0
- package/plugins/devflow-implement/skills/implementation-patterns/references/patterns.md +1063 -0
- package/plugins/devflow-implement/skills/implementation-patterns/references/violations.md +483 -0
- package/plugins/devflow-implement/skills/self-review/SKILL.md +149 -0
- package/plugins/devflow-implement/skills/self-review/references/patterns.md +405 -0
- package/plugins/devflow-implement/skills/self-review/references/report-template.md +253 -0
- package/plugins/devflow-implement/skills/self-review/references/violations.md +308 -0
- package/plugins/devflow-resolve/.claude-plugin/plugin.json +19 -0
- package/plugins/devflow-resolve/README.md +65 -0
- package/plugins/devflow-resolve/agents/git.md +272 -0
- package/plugins/devflow-resolve/agents/resolver.md +131 -0
- package/plugins/devflow-resolve/agents/simplifier.md +62 -0
- package/plugins/devflow-resolve/commands/resolve-teams.md +298 -0
- package/plugins/devflow-resolve/commands/resolve.md +237 -0
- package/plugins/devflow-resolve/skills/agent-teams/SKILL.md +124 -0
- package/plugins/devflow-resolve/skills/agent-teams/references/cleanup.md +104 -0
- package/plugins/devflow-resolve/skills/agent-teams/references/communication.md +122 -0
- package/plugins/devflow-resolve/skills/agent-teams/references/team-patterns.md +217 -0
- package/plugins/devflow-resolve/skills/implementation-patterns/SKILL.md +162 -0
- package/plugins/devflow-resolve/skills/implementation-patterns/references/patterns.md +1063 -0
- package/plugins/devflow-resolve/skills/implementation-patterns/references/violations.md +483 -0
- package/plugins/devflow-resolve/skills/security-patterns/SKILL.md +156 -0
- package/plugins/devflow-resolve/skills/security-patterns/references/detection.md +287 -0
- package/plugins/devflow-resolve/skills/security-patterns/references/patterns.md +507 -0
- package/plugins/devflow-resolve/skills/security-patterns/references/violations.md +237 -0
- package/plugins/devflow-self-review/.claude-plugin/plugin.json +7 -0
- package/plugins/devflow-self-review/README.md +38 -0
- package/plugins/devflow-self-review/agents/scrutinizer.md +80 -0
- package/plugins/devflow-self-review/agents/simplifier.md +62 -0
- package/plugins/devflow-self-review/agents/validator.md +86 -0
- package/plugins/devflow-self-review/commands/self-review.md +126 -0
- package/plugins/devflow-self-review/skills/core-patterns/SKILL.md +162 -0
- package/plugins/devflow-self-review/skills/core-patterns/references/checklist.md +276 -0
- package/plugins/devflow-self-review/skills/core-patterns/references/code-smell-violations.md +144 -0
- package/plugins/devflow-self-review/skills/core-patterns/references/detection.md +303 -0
- package/plugins/devflow-self-review/skills/core-patterns/references/patterns.md +576 -0
- package/plugins/devflow-self-review/skills/core-patterns/references/violations.md +369 -0
- package/plugins/devflow-self-review/skills/self-review/SKILL.md +149 -0
- package/plugins/devflow-self-review/skills/self-review/references/patterns.md +405 -0
- package/plugins/devflow-self-review/skills/self-review/references/report-template.md +253 -0
- package/plugins/devflow-self-review/skills/self-review/references/violations.md +308 -0
- package/plugins/devflow-specify/.claude-plugin/plugin.json +15 -0
- package/plugins/devflow-specify/README.md +46 -0
- package/plugins/devflow-specify/agents/skimmer.md +88 -0
- package/plugins/devflow-specify/agents/synthesizer.md +204 -0
- package/plugins/devflow-specify/commands/specify-teams.md +314 -0
- package/plugins/devflow-specify/commands/specify.md +179 -0
- package/plugins/devflow-specify/skills/agent-teams/SKILL.md +124 -0
- package/plugins/devflow-specify/skills/agent-teams/references/cleanup.md +104 -0
- package/plugins/devflow-specify/skills/agent-teams/references/communication.md +122 -0
- package/plugins/devflow-specify/skills/agent-teams/references/team-patterns.md +217 -0
- package/scripts/hooks/background-memory-update.sh +167 -0
- package/scripts/hooks/pre-compact-memory.sh +81 -0
- package/scripts/hooks/session-start-memory.sh +84 -0
- package/scripts/hooks/stop-update-memory.sh +81 -0
- package/shared/agents/coder.md +122 -0
- package/shared/agents/git.md +272 -0
- package/shared/agents/resolver.md +131 -0
- package/shared/agents/reviewer.md +119 -0
- package/shared/agents/scrutinizer.md +80 -0
- package/shared/agents/shepherd.md +94 -0
- package/shared/agents/simplifier.md +62 -0
- package/shared/agents/skimmer.md +88 -0
- package/shared/agents/synthesizer.md +204 -0
- package/shared/agents/validator.md +86 -0
- package/shared/skills/accessibility/SKILL.md +229 -0
- package/shared/skills/accessibility/references/detection.md +171 -0
- package/shared/skills/accessibility/references/patterns.md +670 -0
- package/shared/skills/accessibility/references/violations.md +419 -0
- package/shared/skills/agent-teams/SKILL.md +124 -0
- package/shared/skills/agent-teams/references/cleanup.md +104 -0
- package/shared/skills/agent-teams/references/communication.md +122 -0
- package/shared/skills/agent-teams/references/team-patterns.md +217 -0
- package/shared/skills/architecture-patterns/SKILL.md +153 -0
- package/shared/skills/architecture-patterns/references/detection.md +337 -0
- package/shared/skills/architecture-patterns/references/patterns.md +873 -0
- package/shared/skills/architecture-patterns/references/violations.md +575 -0
- package/shared/skills/complexity-patterns/SKILL.md +143 -0
- package/shared/skills/complexity-patterns/references/detection.md +264 -0
- package/shared/skills/complexity-patterns/references/patterns.md +487 -0
- package/shared/skills/complexity-patterns/references/violations.md +361 -0
- package/shared/skills/consistency-patterns/SKILL.md +140 -0
- package/shared/skills/consistency-patterns/references/detection.md +207 -0
- package/shared/skills/consistency-patterns/references/patterns.md +202 -0
- package/shared/skills/consistency-patterns/references/violations.md +213 -0
- package/shared/skills/core-patterns/SKILL.md +162 -0
- package/shared/skills/core-patterns/references/checklist.md +276 -0
- package/shared/skills/core-patterns/references/code-smell-violations.md +144 -0
- package/shared/skills/core-patterns/references/detection.md +303 -0
- package/shared/skills/core-patterns/references/patterns.md +576 -0
- package/shared/skills/core-patterns/references/violations.md +369 -0
- package/shared/skills/database-patterns/SKILL.md +134 -0
- package/shared/skills/database-patterns/references/detection.md +208 -0
- package/shared/skills/database-patterns/references/patterns.md +394 -0
- package/shared/skills/database-patterns/references/violations.md +332 -0
- package/shared/skills/dependencies-patterns/SKILL.md +141 -0
- package/shared/skills/dependencies-patterns/references/detection.md +181 -0
- package/shared/skills/dependencies-patterns/references/patterns.md +225 -0
- package/shared/skills/dependencies-patterns/references/violations.md +247 -0
- package/shared/skills/docs-framework/SKILL.md +134 -0
- package/shared/skills/docs-framework/references/patterns.md +346 -0
- package/shared/skills/docs-framework/references/violations.md +221 -0
- package/shared/skills/documentation-patterns/SKILL.md +125 -0
- package/shared/skills/documentation-patterns/references/detection.md +190 -0
- package/shared/skills/documentation-patterns/references/patterns.md +189 -0
- package/shared/skills/documentation-patterns/references/violations.md +163 -0
- package/shared/skills/frontend-design/SKILL.md +254 -0
- package/shared/skills/frontend-design/references/detection.md +184 -0
- package/shared/skills/frontend-design/references/patterns.md +511 -0
- package/shared/skills/frontend-design/references/violations.md +453 -0
- package/shared/skills/git-safety/SKILL.md +122 -0
- package/shared/skills/git-safety/references/detection.md +290 -0
- package/shared/skills/git-safety/references/patterns.md +289 -0
- package/shared/skills/git-safety/references/violations.md +18 -0
- package/shared/skills/git-workflow/SKILL.md +158 -0
- package/shared/skills/git-workflow/references/commit-patterns.md +115 -0
- package/shared/skills/git-workflow/references/commit-violations.md +77 -0
- package/shared/skills/git-workflow/references/pr-patterns.md +127 -0
- package/shared/skills/git-workflow/references/pr-violations.md +96 -0
- package/shared/skills/github-patterns/SKILL.md +153 -0
- package/shared/skills/github-patterns/references/patterns.md +572 -0
- package/shared/skills/github-patterns/references/violations.md +298 -0
- package/shared/skills/implementation-patterns/SKILL.md +162 -0
- package/shared/skills/implementation-patterns/references/patterns.md +1063 -0
- package/shared/skills/implementation-patterns/references/violations.md +483 -0
- package/shared/skills/input-validation/SKILL.md +148 -0
- package/shared/skills/input-validation/references/detection.md +283 -0
- package/shared/skills/input-validation/references/patterns.md +361 -0
- package/shared/skills/input-validation/references/violations.md +224 -0
- package/shared/skills/performance-patterns/SKILL.md +154 -0
- package/shared/skills/performance-patterns/references/detection.md +351 -0
- package/shared/skills/performance-patterns/references/patterns.md +503 -0
- package/shared/skills/performance-patterns/references/violations.md +354 -0
- package/shared/skills/react/SKILL.md +276 -0
- package/shared/skills/react/references/patterns.md +1331 -0
- package/shared/skills/react/references/violations.md +565 -0
- package/shared/skills/regression-patterns/SKILL.md +146 -0
- package/shared/skills/regression-patterns/references/detection.md +237 -0
- package/shared/skills/regression-patterns/references/patterns.md +226 -0
- package/shared/skills/regression-patterns/references/violations.md +225 -0
- package/shared/skills/review-methodology/SKILL.md +119 -0
- package/shared/skills/review-methodology/references/patterns.md +186 -0
- package/shared/skills/review-methodology/references/report-template.md +142 -0
- package/shared/skills/review-methodology/references/violations.md +125 -0
- package/shared/skills/security-patterns/SKILL.md +156 -0
- package/shared/skills/security-patterns/references/detection.md +287 -0
- package/shared/skills/security-patterns/references/patterns.md +507 -0
- package/shared/skills/security-patterns/references/violations.md +237 -0
- package/shared/skills/self-review/SKILL.md +149 -0
- package/shared/skills/self-review/references/patterns.md +405 -0
- package/shared/skills/self-review/references/report-template.md +253 -0
- package/shared/skills/self-review/references/violations.md +308 -0
- package/shared/skills/test-patterns/SKILL.md +183 -0
- package/shared/skills/test-patterns/references/detection.md +149 -0
- package/shared/skills/test-patterns/references/patterns.md +220 -0
- package/shared/skills/test-patterns/references/report-template.md +108 -0
- package/shared/skills/test-patterns/references/violations.md +221 -0
- package/shared/skills/typescript/SKILL.md +176 -0
- package/shared/skills/typescript/references/patterns.md +1105 -0
- package/shared/skills/typescript/references/violations.md +433 -0
- package/src/templates/claudeignore.template +188 -0
- package/src/templates/managed-settings.json +146 -0
- package/src/templates/settings.json +59 -0
- package/dist/cli.d.ts.map +0 -1
- package/dist/cli.js.map +0 -1
- package/dist/commands/init.d.ts.map +0 -1
- package/dist/commands/init.js.map +0 -1
- package/dist/commands/uninstall.d.ts.map +0 -1
- package/dist/commands/uninstall.js.map +0 -1
- package/dist/utils/git.d.ts.map +0 -1
- package/dist/utils/git.js.map +0 -1
- package/dist/utils/paths.d.ts.map +0 -1
- package/dist/utils/paths.js.map +0 -1
- package/src/claude/CLAUDE.md +0 -400
- package/src/claude/agents/devflow/audit-architecture.md +0 -132
- package/src/claude/agents/devflow/audit-complexity.md +0 -132
- package/src/claude/agents/devflow/audit-database.md +0 -132
- package/src/claude/agents/devflow/audit-dependencies.md +0 -132
- package/src/claude/agents/devflow/audit-documentation.md +0 -132
- package/src/claude/agents/devflow/audit-performance.md +0 -256
- package/src/claude/agents/devflow/audit-security.md +0 -259
- package/src/claude/agents/devflow/audit-tests.md +0 -132
- package/src/claude/agents/devflow/audit-typescript.md +0 -132
- package/src/claude/agents/devflow/brainstorm.md +0 -279
- package/src/claude/agents/devflow/catch-up.md +0 -345
- package/src/claude/agents/devflow/code-review.md +0 -307
- package/src/claude/agents/devflow/commit.md +0 -380
- package/src/claude/agents/devflow/debug.md +0 -476
- package/src/claude/agents/devflow/design.md +0 -491
- package/src/claude/agents/devflow/pr-comments.md +0 -285
- package/src/claude/agents/devflow/project-state.md +0 -419
- package/src/claude/agents/devflow/pull-request.md +0 -423
- package/src/claude/agents/devflow/release.md +0 -1137
- package/src/claude/agents/devflow/tech-debt.md +0 -338
- package/src/claude/commands/devflow/brainstorm.md +0 -68
- package/src/claude/commands/devflow/breakdown.md +0 -125
- package/src/claude/commands/devflow/catch-up.md +0 -29
- package/src/claude/commands/devflow/code-review.md +0 -237
- package/src/claude/commands/devflow/commit.md +0 -17
- package/src/claude/commands/devflow/debug.md +0 -56
- package/src/claude/commands/devflow/design.md +0 -82
- package/src/claude/commands/devflow/devlog.md +0 -408
- package/src/claude/commands/devflow/implement.md +0 -100
- package/src/claude/commands/devflow/plan.md +0 -223
- package/src/claude/commands/devflow/pull-request.md +0 -269
- package/src/claude/commands/devflow/release.md +0 -251
- package/src/claude/commands/devflow/resolve-comments.md +0 -583
- package/src/claude/scripts/statusline.sh +0 -47
- package/src/claude/settings.json +0 -6
- package/src/claude/skills/devflow/code-smell/SKILL.md +0 -428
- package/src/claude/skills/devflow/debug/SKILL.md +0 -119
- package/src/claude/skills/devflow/error-handling/SKILL.md +0 -597
- package/src/claude/skills/devflow/input-validation/SKILL.md +0 -514
- package/src/claude/skills/devflow/pattern-check/SKILL.md +0 -238
- package/src/claude/skills/devflow/research/SKILL.md +0 -138
- package/src/claude/skills/devflow/test-design/SKILL.md +0 -384
|
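--- a/package/plugins/devflow-code-review/skills/dependencies-patterns/SKILL.md
+++ b/package/plugins/devflow-code-review/skills/dependencies-patterns/SKILL.md
@@ -0,0 +1,141 @@
+---
+name: dependencies-patterns
+description: Dependency analysis patterns for code review. Detects known CVEs, outdated packages, license incompatibilities, and unnecessary transitive dependencies. Loaded by Reviewer agent when focus=dependencies.
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+---
+
+# Dependencies Patterns
+
+Domain expertise for dependency management and security analysis. Use alongside `review-methodology` for complete dependency reviews.
+
+## Iron Law
+
+> **EVERY DEPENDENCY IS AN ATTACK SURFACE**
+>
+> Each package you add is code you didn't write but must trust. Minimize dependencies.
+> Pin versions. Audit regularly. A single compromised transitive dependency can compromise
+> your entire application. "It's a popular package" is not a security review.
+
+---
+
+## Dependency Categories
+
+### 1. Security Vulnerabilities
+
+Known CVEs, vulnerable version ranges, malicious packages.
+
+**Violation**: Wide version range includes vulnerable versions
+```json
+{ "lodash": "^4.0.0" } // Includes vulnerable 4.17.0-4.17.20
+```
+
+**Correct**: Pin to safe version
+```json
+{ "lodash": "^4.17.21" } // First safe version
+```
+
+### 2. Version Management
+
+Unpinned versions, missing lockfiles, dependency conflicts.
+
+**Violation**: Unpinned allows any version
+```json
+{ "express": "*", "lodash": "latest" }
+```
+
+**Correct**: Pin with lockfile
+```json
+{ "express": "^4.18.2" } // + committed lockfile
+```
+
+### 3. Dependency Health
+
+Outdated packages, unused dependencies, unnecessary heavy packages.
+
+**Violation**: Heavy dependency for simple task
+```json
+{ "moment": "^2.29.4" } // 300KB for date formatting
+```
+
+**Correct**: Use native or lighter alternative
+```typescript
+new Date().toLocaleDateString(); // Native
+```
+
+### 4. License Issues
+
+Incompatible licenses (GPL in MIT project), missing licenses.
+
+**Violation**: GPL in proprietary code
+```bash
+# GPL-3.0: some-package # Requires your code to be GPL too!
+```
+
+**Correct**: Use permissive licenses only
+```bash
+npx license-checker --failOn "GPL-3.0;AGPL-3.0"
+```
+
+### 5. Supply Chain Risks
+
+Deep transitive dependencies, unmaintained packages, typosquatting.
+
+**Violation**: Typosquatted package
+```json
+{ "loadsh": "1.0.0" } // Typosquat of "lodash"
+```
+
+**Correct**: Verify package authenticity
+```bash
+npm view loadsh # Check downloads, repo, maintainers
+```
+
+---
+
+## Extended References
+
+For extended examples and detection commands, see:
+- `references/violations.md` - Extended violation examples by category
+- `references/patterns.md` - Correct dependency management patterns
+- `references/detection.md` - Detection commands and CI integration
+
+---
+
+## Severity Guidelines
+
+| Severity | Indicators |
+|----------|------------|
+| **CRITICAL** | Known exploited CVEs (CISA KEV), confirmed malicious packages, typosquats |
+| **HIGH** | High severity CVEs, unmaintained packages, GPL in proprietary code |
+| **MEDIUM** | Medium CVEs, significantly outdated, wide version ranges, missing lockfile |
+| **LOW** | Unused dependencies, lighter alternatives available, minor version behind |
+
+---
+
+## Dependency Review Checklist
+
+Before approving dependency changes:
+
+- [ ] No known CVEs in added packages
+- [ ] Version ranges appropriate (not too wide)
+- [ ] Lockfile updated and committed
+- [ ] Package actively maintained
+- [ ] License compatible
+- [ ] Package from verified publisher
+- [ ] Transitive dependencies reviewed
+- [ ] Package name verified (not typosquat)
+- [ ] Bundle size impact considered
+- [ ] Native alternatives considered
+
+---
+
+## Common Vulnerability Sources
+
+| Registry | URL |
+|----------|-----|
+| npm Advisory | https://www.npmjs.com/advisories |
+| Snyk Vuln DB | https://snyk.io/vuln |
+| GitHub Advisory | https://github.com/advisories |
+| NVD | https://nvd.nist.gov/ |
+| CISA KEV | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |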
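Review bot: The "Correct" remediation at line 77, `npx license-checker --failOn "GPL-3.0;AGPL-3.0"`, itself fetches and executes an unpinned package from the registry at review time, which is exactly what the Iron Law at lines 14–18 warns against; the command should pin the tool, e.g. `npx license-checker@<version> ...`, or run it from a committed devDependency covered by the lockfile. The denylist also names only two SPDX identifiers, so GPL-2.0, LGPL or SSPL packages would pass silently; an allowlist such as `--onlyAllow "MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0"` fails closed instead. Separately, lines 33–35 call `^4.17.21` a pin, but a caret range still floats across 4.x; the heading should say the range sets a patched floor while the committed lockfile does the actual pinning, which the checklist at line 122 already requires.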
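--- /dev/null
+++ b/[path not in view; likely references/detection.md]
@@ -0,0 +1,181 @@
+# Detection Patterns
+
+Commands and patterns for detecting dependency issues.
+
+---
+
+## Vulnerability Detection
+
+```bash
+# npm audit (detailed)
+npm audit
+npm audit --json | jq '.vulnerabilities | keys'
+
+# Yarn audit
+yarn audit
+yarn audit --json
+
+# pnpm audit
+pnpm audit
+pnpm audit --json
+
+# Snyk (more comprehensive)
+npx snyk test
+npx snyk monitor # Continuous monitoring
+```
+
+---
+
+## Outdated Package Detection
+
+```bash
+# List outdated packages
+npm outdated
+npm outdated --json
+
+# Yarn
+yarn outdated
+
+# pnpm
+pnpm outdated
+
+# Interactive update
+npx npm-check -u
+```
+
+---
+
+## Unused Dependency Detection
+
+```bash
+# depcheck (most comprehensive)
+npx depcheck
+npx depcheck --json
+
+# Alternatives
+npx unimported
+npx knip
+```
+
+---
+
+## Lockfile Verification
+
+```bash
+# Check lockfile exists
+[ -f package-lock.json ] && echo "npm lockfile found"
+[ -f yarn.lock ] && echo "yarn lockfile found"
+[ -f pnpm-lock.yaml ] && echo "pnpm lockfile found"
+
+# Check if lockfile is committed
+git ls-files package-lock.json yarn.lock pnpm-lock.yaml
+
+# Verify lockfile integrity
+npm ci --dry-run
+```
+
+---
+
+## Version Range Detection
+
+```bash
+# Find problematic version ranges
+grep -E '"[*~^]|": "latest|": ""' package.json
+
+# Find exact pins
+grep -E '": "[0-9]+\.[0-9]+\.[0-9]+"' package.json
+
+# Count dependencies
+jq '.dependencies | length' package.json
+jq '.devDependencies | length' package.json
+```
+
+---
+
+## License Detection
+
+```bash
+# List all licenses
+npx license-checker --summary
+
+# Find specific license types
+npx license-checker --onlyAllow "MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0"
+
+# Find unknown licenses
+npx license-checker --onlyunknown
+
+# Fail on problematic licenses
+npx license-checker --failOn "GPL-3.0;AGPL-3.0"
+```
+
+---
+
+## Supply Chain Analysis
+
+```bash
+# Dependency tree depth
+npm ls --all | wc -l
+
+# Flat dependency list
+npm ls --all --json | jq '.dependencies | keys | length'
+
+# Find duplicate packages
+npm dedupe --dry-run
+
+# Package metadata
+npm view <package-name>
+npm view <package-name> maintainers
+npm view <package-name> time
+```
+
+---
+
+## Typosquat Detection
+
+```bash
+# Common typosquats to check
+# lodash vs loadsh, lodasg
+# express vs exress, expres
+# react vs reakt, reactt
+
+# Manual check
+npm view <suspicious-package>
+# Look for:
+# - Low weekly downloads
+# - No or suspicious repository
+# - Recent creation date
+# - Unknown maintainer
+```
+
+---
+
+## CI Integration Commands
+
+```bash
+# Combined audit script
+audit_deps() {
+echo "=== Checking vulnerabilities ==="
+npm audit --audit-level=high || exit 1
+
+echo "=== Checking lockfile ==="
+[ -f package-lock.json ] || [ -f yarn.lock ] || exit 1
+
+echo "=== Checking licenses ==="
+npx license-checker --failOn "GPL-3.0;AGPL-3.0" || exit 1
+
+echo "=== All checks passed ==="
+}
+```
+
+---
+
+## Quick Reference
+
+| Check | Command |
+|-------|---------|
+| Vulnerabilities | `npm audit` |
+| Outdated | `npm outdated` |
+| Unused | `npx depcheck` |
+| Licenses | `npx license-checker` |
+| Tree depth | `npm ls --all \| wc -l` |
+| Lockfile | `ls package-lock.json yarn.lock 2>/dev/null` |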
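--- /dev/null
+++ b/[path not in view; likely references/patterns.md]
@@ -0,0 +1,225 @@
+# Correct Dependency Patterns
+
+Best practices for dependency management.
+
+---
+
+## Secure Version Pinning
+
+### Exact Pinning (Most Secure)
+
+```json
+{
+"dependencies": {
+"express": "4.18.2",
+"lodash": "4.17.21"
+}
+}
+```
+
+**When to use**: Production apps, security-critical dependencies
+
+### Caret with Lockfile (Balanced)
+
+```json
+{
+"dependencies": {
+"express": "^4.18.2",
+"typescript": "^5.3.0"
+}
+}
+```
+
+**When to use**: Most projects, allows patch updates
+
+### Tilde for Patch-Only (Conservative)
+
+```json
+{
+"dependencies": {
+"critical-lib": "~1.2.3"
+}
+}
+```
+
+**When to use**: When you need bug fixes but not new features
+
+---
+
+## Lockfile Management
+
+### Commit Lockfile
+
+```bash
+# Always commit your lockfile
+git add package-lock.json
+git add yarn.lock
+git add pnpm-lock.yaml
+
+# CI should use frozen installs
+npm ci # Not npm install
+yarn --frozen-lockfile
+pnpm install --frozen-lockfile
+```
+
+### Renovate/Dependabot Config
+
+```json
+// renovate.json
+{
+"extends": ["config:base"],
+"schedule": ["before 9am on Monday"],
+"packageRules": [
+{
+"matchPackagePatterns": ["*"],
+"groupName": "all dependencies",
+"groupSlug": "all"
+},
+{
+"matchUpdateTypes": ["patch", "minor"],
+"automerge": true
+}
+]
+}
+```
+
+---
+
+## Dependency Auditing
+
+### Regular Audit Workflow
+
+```bash
+# Weekly audit
+npm audit
+
+# Fix automatically what's safe
+npm audit fix
+
+# Manual review for breaking changes
+npm audit fix --dry-run
+```
+
+### Pre-commit Hook
+
+```json
+// package.json
+{
+"scripts": {
+"preinstall": "npm audit --audit-level=high"
+}
+}
+```
+
+### CI Pipeline Check
+
+```yaml
+# GitHub Actions
+- name: Security audit
+run: npm audit --audit-level=high
+```
+
+---
+
+## Minimal Dependencies
+
+### Native Alternatives
+
+| Instead of | Use Native |
+|------------|------------|
+| `moment` | `Intl.DateTimeFormat`, `date-fns` |
+| `lodash` (full) | Native methods, `lodash-es` (tree-shake) |
+| `left-pad` | `String.prototype.padStart()` |
+| `is-array` | `Array.isArray()` |
+| `is-number` | `typeof x === 'number'` |
+
+### Tree-Shaking Imports
+
+```typescript
+// AVOID: Imports entire library
+import _ from 'lodash';
+_.debounce(fn, 100);
+
+// BETTER: Import only what you need
+import debounce from 'lodash/debounce';
+debounce(fn, 100);
+
+// BEST: Use ESM for tree-shaking
+import { debounce } from 'lodash-es';
+debounce(fn, 100);
+```
+
+---
+
+## License Compliance
+
+### License Whitelist
+
+```json
+// .licensrc.json
+{
+"whitelist": [
+"MIT",
+"ISC",
+"BSD-2-Clause",
+"BSD-3-Clause",
+"Apache-2.0"
+],
+"blacklist": [
+"GPL-3.0",
+"AGPL-3.0"
+]
+}
+```
+
+### CI License Check
+
+```bash
+# Check licenses in CI
+npx license-checker --failOn "GPL-3.0;AGPL-3.0"
+```
+
+---
+
+## Supply Chain Security
+
+### Package Verification
+
+```bash
+# Verify package integrity
+npm pack <package-name> --dry-run
+
+# Check package signatures (npm v8.12+)
+npm audit signatures
+
+# Review before install
+npm view <package-name>
+```
+
+### Minimal Attack Surface
+
+```json
+// Use optional dependencies wisely
+{
+"dependencies": {
+"core-lib": "^1.0.0"
+},
+"optionalDependencies": {
+"platform-specific": "^1.0.0"
+},
+"devDependencies": {
+"test-utils": "^1.0.0"
+}
+}
+```
+
+### Dependency Review for PRs
+
+```yaml
+# GitHub Actions - dependency review
+- name: Dependency Review
+uses: actions/dependency-review-action@v3
+with:
+fail-on-severity: high
+deny-licenses: GPL-3.0, AGPL-3.0
+```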