get-tbd 0.1.27 → 0.1.28

package/dist/docs/guidelines/bun-monorepo-patterns.md

@@ -5,7 +5,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 ---
 # Bun Monorepo Patterns
 
-**Last Updated**: 2026-02-18
+**Last Updated**: 2026-05-21
 
 **Related**:
 
@@ -14,6 +14,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 - [Changesets Documentation](https://github.com/changesets/changesets)
 - [Biome Documentation](https://biomejs.dev/)
 - [Companion: pnpm Monorepo Patterns](./pnpm-monorepo-patterns.md)
+- [Supply-Chain Mitigation](#supply-chain-mitigation) (in this document)
 
 * * *
 
@@ -23,19 +24,19 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 
 | Tool / Package | Version | Check For Updates |
 | --- | --- | --- |
-| **Bun** | 1.3.8 | [bun.sh/blog](https://bun.sh/blog) — Runtime, bundler, package manager, test runner. Acquired by Anthropic (Dec 2025). |
-| **TypeScript** | ^5.9.3 | [github.com/microsoft/TypeScript/releases](https://github.com/microsoft/TypeScript/releases) — 5.9.3 stable. TS 6.0 is “bridge” release; TS 7.0 (Go rewrite) in VS 2026 Insiders preview. |
-| **Bunup** | ^0.16.22 | [npmjs.com/package/bunup](https://www.npmjs.com/package/bunup) — Build tool for TS libs. Rapid iteration (0.16.22 latest). |
-| **Biome** | ^2.3.14 | [biomejs.dev](https://biomejs.dev/) — Formatter + linter. v2.0 added plugins and type-aware linting; 2.3.14 is latest stable. |
-| **@changesets/cli** | ^2.29.8 | [github.com/changesets/changesets/releases](https://github.com/changesets/changesets/releases) — 2.29.8 latest. No native Bun support yet. |
-| **bun-types** | ^1.3.8 | [npmjs.com/package/bun-types](https://www.npmjs.com/package/bun-types) — Type definitions for Bun runtime APIs. |
+| **Bun** | 1.3.13 (1.3.14 too recent) | [bun.sh/blog](https://bun.sh/blog) — Runtime, bundler, package manager, test runner. Acquired by Anthropic (Dec 2025). **Pinned to 1.3.13 (2026-04-20) per the 14-day rule** — 1.3.14 (2026-05-13) is the **last Zig-based release** and the Rust rewrite merged to `main` 2026-05-14 (~960K lines, generated by Claude AI agents over ~6 days). New built-ins in 1.3.x: `Bun.Image` (Sharp replacement), experimental HTTP/3 in `Bun.serve()`, 7× faster warm installs via isolated linker global store, rewritten `fs.watch()` on Linux/macOS. Bump to 1.3.14 (or 1.4.x once it ships) once the 14-day window has elapsed. |
+| **TypeScript** | ^6.0.3 | [github.com/microsoft/TypeScript/releases](https://github.com/microsoft/TypeScript/releases) — **6.0.3 stable** (shipped 2026-03-23). TS 6.0 is the **last JavaScript-based release** and is positioned as a bridge to 7.0: `strict: true` is now the default, ESM is the default module system, and ~9 compiler settings flipped defaults. **TS 7.0 Beta** (Project Corsa, Go rewrite) shipped 2026-04-21 as `@typescript/native-preview` (binary: `tsgo`); claims ~10× type-check speed and ~3× less memory. TS 7.0 stable is expected mid-to-late 2026. Do not adopt `tsgo` for production builds yet. |
+| **Bunup** | ^0.16.31 | [npmjs.com/package/bunup](https://www.npmjs.com/package/bunup) — Build tool for TS libs. Still 0.x; 0.16.23 through 0.16.31 are bug-fix only (DTS alias fixes, workspace `onSuccess` fix, external/noExternal honoring). Pin to a specific minor version for stability. |
+| **Biome** | ^2.4.14 (2.4.15 borderline) | [biomejs.dev](https://biomejs.dev/) — Formatter + linter. **Pinned to 2.4.14 (2026-05-01) per the 14-day rule**; 2.4.15 (2026-05-09) is 13 days old today — bump on next refresh. v2.4 (Feb 2026) added experimental embedded snippet formatting (CSS/GraphQL in JS/TS template literals), 15 HTML accessibility lint rules enabled by default, and promoted 24 nursery rules to stable (Vue 3, Next.js, Qwik). |
+| **@changesets/cli** | ^2.31.0 | [github.com/changesets/changesets/releases](https://github.com/changesets/changesets/releases) — 2.31.0 latest. **Still no native Bun support**; `changeset version` does not resolve `workspace:*` references for Bun workspaces — workarounds below remain required. |
+| **bun-types** | ^1.3.13 | [npmjs.com/package/bun-types](https://www.npmjs.com/package/bun-types) — Type definitions for Bun runtime APIs. Track Bun version (pinned to 1.3.13 per the 14-day rule). |
 | **tryscript** | ^0.1.6 | [npmjs.com/package/tryscript](https://www.npmjs.com/package/tryscript) — Golden/CLI testing via Markdown test files. |
 | **flowmark** | latest | [github.com/jlevy/flowmark](https://github.com/jlevy/flowmark) — Markdown auto-formatter (via `uvx`). |
-| **publint** | ^0.3.17 | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — 0.3.17 latest |
-| **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) |
-| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — Verified on GitHub Marketplace |
-| **lefthook** | ^2.0.15 | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — 2.0.15 latest |
-| **npm-check-updates** | ^19.0.0 | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) |
+| **publint** | ^0.3.20 (0.3.21 too recent) | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — **Pinned to 0.3.20 (2026-05-08) per the 14-day rule**; 0.3.21 (2026-05-13) is 9 days old today. Incremental: re-enabled TS/TSX file existence checks; `exports["default"]` support. |
+| **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) — v6.0.2 (2026-01-09). Credentials now stored in `$RUNNER_TEMP` rather than `.git/config`; Node 24 runtime; requires runner ≥ 2.327.1. |
+| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub's **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
+| **lefthook** | ^2.1.5 (2.1.7/2.1.8 too recent) | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — **Pinned to 2.1.5 (2026-04-06) per the 14-day rule**; 2.1.7 and 2.1.8 both shipped 2026-05-19 (3 days old). Patch-level since 2.1.1: dependency bumps and config-warning improvements. v2 still excludes regexp `exclude` and `skip_output` from v1. |
+| **npm-check-updates** | ^22.0.0 (22.2.0 too recent) | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) — **Major version jump from 19 to 22.** **Pinned to 22.0.0 (2026-04-25) per the 14-day rule**; 22.2.0 (2026-05-12) is 10 days old today. Now pure ESM; named imports only (`import { run } from 'npm-check-updates'`); `.ncurc.js` with `module.exports` no longer works in `"type": "module"` projects (use `.ncurc.cjs`). **Critical for supply chain: now ships `--cooldown <days>` to refuse versions younger than the specified age.** See [Supply-Chain Mitigation](#supply-chain-mitigation). |
 
 ### Reminders When Updating
 
@@ -61,6 +62,11 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 
 6. **Review “Open Research Questions”** section for any resolved items
 
+7. **Honor the 14-day package-age rule** when bumping versions in code examples. See
+   [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should be
+   ≥14 days old at the time the table is updated, except where a clearly-noted
+   security exception applies.
+
 * * *
 
 ## Executive Summary
@@ -140,9 +146,17 @@ research stock.
 - Missing some pnpm features: no `pnpm deploy`, less strict `node_modules` (phantom
   dependencies possible)
 
-- **Notable**: Bun was acquired by Anthropic in December 2025. Bun now powers Claude
-  Code, Claude Agent SDK, and other Anthropic AI tooling, signaling strong ongoing
-  investment and maintenance.
+- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic's first
+  acquisition. Bun powers Claude Code (which ships as a `bun build --compile`
+  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling
+  strong ongoing investment and maintenance. **Language transition**: Bun 1.3.14
+  (2026-05-13) is the last Zig-based release. A full Rust rewrite (~960K lines,
+  generated by Claude agents over ~6 days, 6,755 commits) merged to `main` on
+  2026-05-14 and passes 99.8% of the test suite. The transition was motivated by
+  Zig's no-AI-contribution policy conflicting with the Bun team's workflow. The
+  external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`)
+  is unchanged; consumers should expect no breakage but watch the 1.4.x release
+  notes for migration details.
 
 **Assessment**: Bun workspaces are functional and fast, but less strict than pnpm.
 The text-based `bun.lock` format (since Bun 1.2) resolves the earlier diffability
@@ -375,8 +389,8 @@ Key advantages:
 
 - **Compile support**: Can produce standalone executables via `bun --compile`
 
-- **Rapid iteration**: Bunup is under active development (0.16.x as of Jan 2026), with
-  frequent releases. Pin to a specific minor version for stability.
+- **Rapid iteration**: Bunup is under active development (0.16.31 as of May 2026,
+  bug-fix releases since 0.16.22). Pin to a specific minor version for stability.
 
 **Configuration (`bunup.config.ts`)**:
 
@@ -1085,7 +1099,7 @@ bun add -d @biomejs/biome
 
 ```json
 {
-  "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.14/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",
@@ -1695,23 +1709,32 @@ This is a unique advantage that the pnpm ecosystem does not offer natively.
 
 **Details**:
 
-npm-check-updates (`ncu`) works with Bun.
-The main difference is using `bun install` instead of `pnpm install` after updates.
+npm-check-updates (`ncu`) works with Bun. The main difference is using `bun install`
+instead of `pnpm install` after updates. **All upgrade commands must honor the
+14-day package-age rule** — see [Supply-Chain Mitigation](#supply-chain-mitigation)
+for the rationale and exception process. `ncu` v22+ ships a native `--cooldown`
+flag that enforces this directly.
 
 **Root `package.json` scripts**:
 
 ```json
 {
   "scripts": {
-    "upgrade:check": "bunx npm-check-updates --format group",
-    "upgrade": "bunx npm-check-updates --target minor -u && bun install && bun test",
-    "upgrade:major": "bunx npm-check-updates --target latest --interactive --format group"
+    "upgrade:check": "bunx npm-check-updates --cooldown 14 --format group",
+    "upgrade": "bunx npm-check-updates --cooldown 14 --target minor -u && bun install && bun test",
+    "upgrade:major": "bunx npm-check-updates --cooldown 14 --target latest --interactive --format group"
   }
 }
 ```
 
-**Assessment**: Identical workflow.
-`bunx` replaces `npx`.
+**Note on npm-check-updates v22**: v22 is pure ESM, named imports only
+(`import { run } from 'npm-check-updates'`), and config files must be
+`.ncurc.cjs` (not `.ncurc.js`) in projects with `"type": "module"`. The
+`--cooldown <days>` flag is the recommended enforcement point for the 14-day
+package-age rule.
+
+**Assessment**: Identical workflow to pnpm. `bunx` replaces `npx`. Always
+include `--cooldown 14`.
 
 * * *
 
@@ -1741,7 +1764,7 @@ Bun natively executes TypeScript, eliminating the need for `tsx` entirely.
 | Aspect | pnpm (tsx) | Bun |
 | --- | --- | --- |
 | Dev command | `tsx packages/pkg/src/cli/bin.ts` | `bun packages/pkg/src/cli/bin.ts` |
-| Extra dependency | `tsx` (~4.21.0) | None (built-in) |
+| Extra dependency | `tsx` (~4.22.3) | None (built-in) |
 | TypeScript support | Via esbuild transform | Native |
 | Startup time | ~50ms | ~5ms |
 
@@ -1785,6 +1808,221 @@ in core library code if the library needs to work in Node.js environments.
 
 * * *
 
+## Supply-Chain Mitigation
+
+> **Sync note**: this section is normative and is duplicated **verbatim** in both
+> `bun-monorepo-patterns.md` and `pnpm-monorepo-patterns.md`. When you change one,
+> change the other in the same commit. Tooling-specific commands (e.g.
+> `bun audit` vs. `pnpm audit`) are called out inline.
+
+Modern TypeScript supply-chain attacks land through fresh package versions — a
+maintainer's npm token is compromised, malware is published as a patch release, and
+the registry yanks it 1–10 days later once detection catches up. The
+**Shai-Hulud 2.0** campaign of May 2026 compromised 170+ npm packages this way, and
+similar campaigns ran through 2025 (`debug`, `chalk`, `ansi-styles` lookalikes;
+`expr-eval` post-install RCE). pnpm shipped `minimumReleaseAge` as a default in
+v11.0 (1 day). Bun ships a built-in trusted-dependency allowlist and `bun audit`.
+The settings below are stricter than the ecosystem defaults and intentionally so.
+
+### The 14-day package-age rule
+
+**Never install or upgrade to a package version less than 14 days old.**
+
+Why 14 days specifically:
+
+- **Detection window**: most malicious publishes are reported and yanked within
+  3–7 days; 14 days gives a generous buffer past that median.
+- **Patch-level releases ship dangerous code more often**: many compromises arrive
+  as `1.2.3 → 1.2.4` patch bumps. A trailing window neutralizes the entire class
+  of "fresh patch is malicious" attacks regardless of which dependency moved.
+- **Cheap to enforce, cheap to wait**: there is essentially no business cost to
+  waiting 14 days on a routine upgrade, and the upside is large.
+
+Scope:
+
+- Applies to **`dependencies`, `devDependencies`, `peerDependencies`, and
+  `optionalDependencies`** alike. devDependencies (bundlers, linters, test
+  runners) have historically been *more* dangerous than runtime deps because
+  they execute with full developer privileges on every install.
+- Applies to **transitive dependencies** to the extent the package manager
+  enforces it (see below). Direct deps are the primary control point.
+- Applies to **upgrades and new installs**. Existing pins resolved before this
+  policy was adopted are grandfathered until their next planned upgrade.
+
+Exception process: if a security patch within the 14-day window is needed —
+e.g., a CVE patch published yesterday that fixes a vulnerability you are
+exposed to — the exception **must** be documented in the upgrade commit message
+or PR description, including:
+
+- The CVE ID (or vulnerability description if no CVE yet).
+- A link to the upstream release notes.
+- A reviewer sign-off line (`Reviewed-by: …`).
+
+No exception is "trivial" — even a `prettier` patch is in scope. The whole
+point of the rule is that we don't trust ourselves to spot-judge which fresh
+versions are safe.
+
+### Enforcement: Bun
+
+Bun blocks arbitrary lifecycle scripts by default via an internal allowlist of
+trusted packages. To extend that allowlist for your repo, declare the packages
+explicitly in `package.json`:
+
+```json
+{
+  "trustedDependencies": [
+    "esbuild",
+    "sharp"
+  ]
+}
+```
+
+Anything not in the allowlist runs without `postinstall`/`preinstall`/`install`
+scripts. This is the most important single mitigation Bun gives you out of the
+box.
+
+`bun audit` (documented at [bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit))
+checks the installed tree against the npm advisory database:
+
+```bash
+# Run as part of CI; non-zero exit on findings
+bun audit --audit-level=moderate
+
+# JSON output for parsing in scripts
+bun audit --json
+```
+
+Bun does **not yet** ship a built-in equivalent of pnpm's `minimumReleaseAge`,
+so age enforcement is handled at the upgrade-tool layer (see below).
+
+### Enforcement: cross-tool tooling
+
+**`npm-check-updates --cooldown`** is the primary upgrade-time check. Use it
+even on Bun-managed projects (via `bunx`):
+
+```bash
+# Refuse any candidate version younger than 14 days
+bunx npm-check-updates --cooldown 14
+
+# Interactive upgrade with the 14-day filter applied
+bunx npm-check-updates --cooldown 14 --target minor --interactive
+
+# CI-style check: exits non-zero if upgrades are available
+bunx npm-check-updates --cooldown 14 --errorLevel 2
+```
+
+**Direct registry query** (when in doubt about a specific version):
+
+```bash
+# Show all publish times for a package
+npm view typescript time
+
+# Show the time of a specific version
+npm view typescript time.6.0.3
+```
+
+If `npm view <pkg> time.<version>` reports less than 14 days ago, **wait**.
+
+### Enforcement: lockfile discipline
+
+- **Always commit `bun.lock`** (the text JSONC lockfile, default since Bun 1.2).
+- **Use `bun install --frozen-lockfile` in CI** so any drift between
+  `package.json` and `bun.lock` fails the build instead of silently resolving
+  to fresh versions.
+- **Never run `bun update` (or `bun install` on a fresh `node_modules` with an
+  unpinned `package.json`) without lockfile review.** Treat lockfile diffs the
+  same as code diffs.
+- In a monorepo, **a single root `bun.lock`** is the source of truth; per-package
+  lockfiles are an anti-pattern.
+
+### Enforcement: provenance and signatures
+
+- Prefer dependencies that publish with [npm provenance attestations](https://docs.npmjs.com/generating-provenance-statements).
+  Major projects (TypeScript, Vitest, Prettier, ESLint, etc.) ship these.
+- Run `npm audit signatures` (or the upcoming `bun audit signatures` once it
+  ships) in CI on a periodic basis to catch tampered packages.
+
+### Sample CI gate
+
+Add this job to the CI workflow alongside lint/test:
+
+```yaml
+audit:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v6
+    - uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: latest
+    - run: bun install --frozen-lockfile
+    - name: Vulnerability audit
+      run: bun audit --audit-level=moderate
+    - name: Package-age check
+      run: bunx npm-check-updates --cooldown 14 --errorLevel 0
+      # errorLevel 0 logs but doesn't fail — flip to 2 once you've cleared
+      # the existing backlog.
+```
+
+### Recommended local script
+
+Drop a `scripts/check-package-age.mjs` (or `.ts`) one-liner in the repo that a
+pre-push hook can call:
+
+```ts
+#!/usr/bin/env bun
+// Refuses to commit if any direct dependency in package.json was published
+// less than COOLDOWN_DAYS ago. Intended for the pre-push hook.
+import pkg from '../package.json' with { type: 'json' };
+
+const COOLDOWN_MS = 14 * 24 * 60 * 60 * 1000;
+const now = Date.now();
+const all = { ...pkg.dependencies, ...pkg.devDependencies };
+
+let violations = 0;
+for (const [name, spec] of Object.entries(all)) {
+  const version = String(spec).replace(/^[\^~=<>]+/, '');
+  const meta = await (await fetch(`https://registry.npmjs.org/${name}`)).json();
+  const publishedAt = meta.time?.[version];
+  if (!publishedAt) continue;
+  const ageMs = now - new Date(publishedAt).getTime();
+  if (ageMs < COOLDOWN_MS) {
+    const days = (ageMs / 86_400_000).toFixed(1);
+    console.error(`✗ ${name}@${version} is only ${days} days old (< 14)`);
+    violations++;
+  }
+}
+process.exit(violations > 0 ? 1 : 0);
+```
+
+Wire it into lefthook (see Appendix E):
+
+```yaml
+pre-push:
+  commands:
+    package-age:
+      glob: "package.json"
+      run: bun scripts/check-package-age.ts
+```
+
+### Exception bookkeeping
+
+When you take an exception, leave a one-line marker in `package.json` adjacent
+to the pin:
+
+```jsonc
+{
+  "devDependencies": {
+    // Exception: CVE-2026-XXXX patch within 14d window. Reviewed 2026-05-21.
+    "vitest": "4.1.7"
+  }
+}
+```
+
+(JSON strict-parsers will reject `//` comments — use a JSONC-aware tool or
+move the note to a `README.md` / `CHANGELOG.md` entry instead.)
+
+* * *
+
 ## Comparative Analysis
 
 ### Full-Stack Tooling Comparison
@@ -1834,10 +2072,16 @@ in core library code if the library needs to work in Node.js environments.
 
 ## Best Practices
 
-1. **Use Bun workspaces** with `"workspaces"` in root `package.json`. Use `--cwd` to
+1. **Follow the 14-day package-age rule** for every dependency install and upgrade.
+   See [Supply-Chain Mitigation](#supply-chain-mitigation). Use
+   `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
+   `trustedDependencies` explicitly; commit `bun.lock`; use
+   `bun install --frozen-lockfile` in CI.
+
+2. **Use Bun workspaces** with `"workspaces"` in root `package.json`. Use `--cwd` to
    target specific workspaces when adding dependencies.
 
-2. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
+3. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
    generation with Bunup.
 
 3. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
@@ -1913,12 +2157,12 @@ in core library code if the library needs to work in Node.js environments.
    It is diffable in code review and supported by GitHub rendering.
    The binary `bun.lockb` is deprecated.
 
-4. **Biome plugin ecosystem**: Biome v2.0+ introduced plugins and type-aware linting
-   without `tsc`. As of v2.3.x, the rule set continues growing (300+ rules,
-   `noFloatingPromises` in nursery).
-   Monitor for parity with security and accessibility ESLint plugins.
-   Custom ESLint rules remain a reason to keep ESLint (see craft-agents-oss case study
-   in Appendix G).
+4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded
+   snippet formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML
+   accessibility rules enabled by default, and promoted Vue 3 / Next.js / Qwik
+   rules to stable. The rule set continues growing toward parity with security and
+   accessibility ESLint plugins. Custom ESLint rules remain a reason to keep ESLint
+   (see craft-agents-oss case study in Appendix G).
 
 5. **Bun workspace strictness**: Bun still uses flat `node_modules` (no
    content-addressable store).
@@ -1931,21 +2175,41 @@ in core library code if the library needs to work in Node.js environments.
    The open issue ([#5854](https://github.com/oven-sh/bun/issues/5854)) remains tracked.
    The `--minify` and `--bytecode` flags help with startup time but not binary size.
 
-7. **TypeScript 6.0/7.0**: TypeScript 6.0 is a “bridge” release; TypeScript 7.0 (Go
-   rewrite) promises 10x faster builds.
-   TS 7.0 is now available in Visual Studio 2026 Insiders preview with ~8x faster
-   project load times. Install via `npm install -D @typescript/native-preview`. May
-   change the DTS generation landscape for Bunup and tsdown once stable.
+7. ~~**TypeScript 6.0**~~: **SHIPPED** 2026-03-23. TypeScript 6.0 is the last
+   JavaScript-based release; `strict: true` is the default; ESM is the default
+   module system; ~9 compiler settings flipped defaults. Currently 6.0.3. Adopt
+   for the codebase as part of the May 2026 currency refresh; review
+   `tsconfig.base.json` for now-redundant flag declarations.
+
+8. **TypeScript 7.0 (Project Corsa, Go rewrite)**: Beta shipped 2026-04-21 as
+   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed
+   and ~3x less memory; passes 95%+ of the test suite. Available in
+   Visual Studio 2026 18.6 Insiders by default. **Do not adopt for production
+   builds yet** — wait for stable (expected mid-to-late 2026). May change the
+   DTS generation landscape for Bunup and tsdown once stable.
 
-8. **Bunup maturity**: Bunup is iterating rapidly (0.16.x as of Jan 2026, up from 0.4.x
+9. **Bunup maturity**: Bunup is iterating rapidly (0.16.31 as of May 2026, up from 0.4.x
    a few months earlier).
    The API surface (`defineConfig`, `defineWorkspace`, `exports`, `compile`) appears
    stable, but pin versions carefully.
 
-9. **Bun + Anthropic**: Bun was acquired by Anthropic (Dec 2025) and now powers Claude
-   Code and Claude Agent SDK. This signals strong continued investment but also a shift
-   toward AI-tooling use cases.
-   Monitor whether the broader open-source community continues to benefit equally.
+10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on
+    2025-12-02 (Anthropic's first acquisition) and now powers Claude Code, the
+    Claude Agent SDK, and other Anthropic AI tooling. A full Rust rewrite
+    (~960K lines, generated by Claude agents over ~6 days) merged to `main` on
+    2026-05-14 and passes 99.8% of the test suite. **Bun 1.3.14 is the last
+    Zig-based release.** External API surface (`bun`, `bunx`, `bun install`,
+    `bun test`, `bun build`, `bun --compile`) is unchanged, but watch 1.4.x
+    release notes for migration details. Monitor whether the broader
+    open-source community continues to benefit equally as the codebase
+    integrates more deeply with Anthropic's AI tooling.
+
+11. **`bun audit`**: Now a documented command
+    ([bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit)) with
+    `--audit-level=<low|moderate|high|critical>` and `--json` output. Should be
+    a required CI check (see [Supply-Chain Mitigation](#supply-chain-mitigation)).
+    A `bun audit signatures` equivalent to npm's signature verification has not
+    yet shipped — monitor.
 
 * * *
 
@@ -2113,10 +2377,10 @@ testing features.
   },
   "dependencies": {},
   "devDependencies": {
-    "bun-types": "^1.3.8",
-    "bunup": "^0.16.22",
-    "publint": "^0.3.17",
-    "typescript": "^5.9.3"
+    "bun-types": "^1.3.13",
+    "bunup": "^0.16.31",
+    "publint": "^0.3.20",
+    "typescript": "^6.0.3"
   }
 }
 ```
@@ -2168,10 +2432,10 @@ testing features.
     "optional-sdk": { "optional": true }
   },
   "devDependencies": {
-    "bun-types": "^1.3.8",
-    "bunup": "^0.16.22",
-    "publint": "^0.3.17",
-    "typescript": "^5.9.3"
+    "bun-types": "^1.3.13",
+    "bunup": "^0.16.31",
+    "publint": "^0.3.20",
+    "typescript": "^6.0.3"
   }
 }
 ```
@@ -2210,29 +2474,35 @@ testing features.
     "upgrade:major": "bunx npm-check-updates --target latest --interactive --format group"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.3.14",
-    "@changesets/cli": "^2.29.8",
-    "lefthook": "^2.0.15",
-    "npm-check-updates": "^19.0.0",
-    "typescript": "^5.9.3"
+    "@biomejs/biome": "^2.4.14",
+    "@changesets/cli": "^2.31.0",
+    "lefthook": "^2.1.5",
+    "npm-check-updates": "^22.0.0",
+    "typescript": "^6.0.3"
   }
 }
 ```
 
 **Notes**:
 
+- All pinned versions above are ≥14 days old as of 2026-05-21 per the
+  [Supply-Chain Mitigation](#supply-chain-mitigation) policy. Newer releases
+  may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8, `npm-check-updates`
+  22.2.0) but were too fresh at the time of this document update.
 - `"check:ci": "biome ci ."` uses `biome ci` (stricter than `biome check` — errors on
   formatting issues)
 - `bun run --filter '*' <script>` delegates to each workspace package
 - The `@changesets/changelog-github` dependency is optional — use
   `"changelog": "@changesets/cli/changelog"` in `.changeset/config.json` for a simpler
   built-in changelog generator
+- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per
+  the 14-day package-age rule (see Supply-Chain Mitigation section).
 
 ### Appendix C: Complete biome.json Example
 
 ```json
 {
-  "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.14/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",