get-tbd 0.1.27 → 0.1.29

package/dist/docs/SKILL.md

@@ -17,10 +17,6 @@ description: >-
 allowed-tools: Bash(tbd:*), Read, Write
 ---
 
----
-title: tbd Workflow
-description: Full tbd workflow guide for agents
----
 **`tbd` helps humans and agents ship code with greater speed, quality, and discipline.**
 
 1. **Beads**: Git-native issue tracking (tasks, bugs, features).

package/dist/docs/guidelines/bun-monorepo-patterns.md

@@ -5,7 +5,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 ---
 # Bun Monorepo Patterns
 
-**Last Updated**: 2026-02-18
+**Last Updated**: 2026-05-21
 
 **Related**:
 
@@ -14,6 +14,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 - [Changesets Documentation](https://github.com/changesets/changesets)
 - [Biome Documentation](https://biomejs.dev/)
 - [Companion: pnpm Monorepo Patterns](./pnpm-monorepo-patterns.md)
+- [Supply-Chain Mitigation](#supply-chain-mitigation) (in this document)
 
 * * *
 
@@ -23,19 +24,19 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 
 | Tool / Package | Version | Check For Updates |
 | --- | --- | --- |
-| **Bun** | 1.3.8 | [bun.sh/blog](https://bun.sh/blog) — Runtime, bundler, package manager, test runner. Acquired by Anthropic (Dec 2025). |
-| **TypeScript** | ^5.9.3 | [github.com/microsoft/TypeScript/releases](https://github.com/microsoft/TypeScript/releases) — 5.9.3 stable. TS 6.0 is “bridge” release; TS 7.0 (Go rewrite) in VS 2026 Insiders preview. |
-| **Bunup** | ^0.16.22 | [npmjs.com/package/bunup](https://www.npmjs.com/package/bunup) — Build tool for TS libs. Rapid iteration (0.16.22 latest). |
-| **Biome** | ^2.3.14 | [biomejs.dev](https://biomejs.dev/) — Formatter + linter. v2.0 added plugins and type-aware linting; 2.3.14 is latest stable. |
-| **@changesets/cli** | ^2.29.8 | [github.com/changesets/changesets/releases](https://github.com/changesets/changesets/releases) — 2.29.8 latest. No native Bun support yet. |
-| **bun-types** | ^1.3.8 | [npmjs.com/package/bun-types](https://www.npmjs.com/package/bun-types) — Type definitions for Bun runtime APIs. |
+| **Bun** | 1.3.13 (1.3.14 too recent) | [bun.sh/blog](https://bun.sh/blog) — Runtime, bundler, package manager, test runner. Acquired by Anthropic (Dec 2025). **Pinned to 1.3.13 (2026-04-20) per the 14-day rule** — 1.3.14 (2026-05-13) is the **last Zig-based release** and the Rust rewrite merged to `main` 2026-05-14 (~960K lines, generated by Claude AI agents over ~6 days). New built-ins in 1.3.x: `Bun.Image` (Sharp replacement), experimental HTTP/3 in `Bun.serve()`, 7× faster warm installs via isolated linker global store, rewritten `fs.watch()` on Linux/macOS. Bump to 1.3.14 (or 1.4.x once it ships) once the 14-day window has elapsed. |
+| **TypeScript** | ^6.0.3 | [github.com/microsoft/TypeScript/releases](https://github.com/microsoft/TypeScript/releases) — **6.0.3 stable** (shipped 2026-03-23). TS 6.0 is the **last JavaScript-based release** and is positioned as a bridge to 7.0: `strict: true` is now the default, ESM is the default module system, and ~9 compiler settings flipped defaults. **TS 7.0 Beta** (Project Corsa, Go rewrite) shipped 2026-04-21 as `@typescript/native-preview` (binary: `tsgo`); claims ~10× type-check speed and ~3× less memory. TS 7.0 stable is expected mid-to-late 2026. Do not adopt `tsgo` for production builds yet. |
+| **Bunup** | ^0.16.31 | [npmjs.com/package/bunup](https://www.npmjs.com/package/bunup) — Build tool for TS libs. Still 0.x; 0.16.23 through 0.16.31 are bug-fix only (DTS alias fixes, workspace `onSuccess` fix, external/noExternal honoring). Pin to a specific minor version for stability. |
+| **Biome** | ^2.4.14 (2.4.15 borderline) | [biomejs.dev](https://biomejs.dev/) — Formatter + linter. **Pinned to 2.4.14 (2026-05-01) per the 14-day rule**; 2.4.15 (2026-05-09) is 13 days old today — bump on next refresh. v2.4 (Feb 2026) added experimental embedded snippet formatting (CSS/GraphQL in JS/TS template literals), 15 HTML accessibility lint rules enabled by default, and promoted 24 nursery rules to stable (Vue 3, Next.js, Qwik). |
+| **@changesets/cli** | ^2.31.0 | [github.com/changesets/changesets/releases](https://github.com/changesets/changesets/releases) — 2.31.0 latest. **Still no native Bun support**; `changeset version` does not resolve `workspace:*` references for Bun workspaces — workarounds below remain required. |
+| **bun-types** | ^1.3.13 | [npmjs.com/package/bun-types](https://www.npmjs.com/package/bun-types) — Type definitions for Bun runtime APIs. Track Bun version (pinned to 1.3.13 per the 14-day rule). |
 | **tryscript** | ^0.1.6 | [npmjs.com/package/tryscript](https://www.npmjs.com/package/tryscript) — Golden/CLI testing via Markdown test files. |
 | **flowmark** | latest | [github.com/jlevy/flowmark](https://github.com/jlevy/flowmark) — Markdown auto-formatter (via `uvx`). |
-| **publint** | ^0.3.17 | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — 0.3.17 latest |
-| **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) |
-| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — Verified on GitHub Marketplace |
-| **lefthook** | ^2.0.15 | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — 2.0.15 latest |
-| **npm-check-updates** | ^19.0.0 | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) |
+| **publint** | ^0.3.20 (0.3.21 too recent) | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — **Pinned to 0.3.20 (2026-05-08) per the 14-day rule**; 0.3.21 (2026-05-13) is 9 days old today. Incremental: re-enabled TS/TSX file existence checks; `exports["default"]` support. |
+| **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) — v6.0.2 (2026-01-09). Credentials now stored in `$RUNNER_TEMP` rather than `.git/config`; Node 24 runtime; requires runner ≥ 2.327.1. |
+| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub’s **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
+| **lefthook** | ^2.1.5 (2.1.7/2.1.8 too recent) | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — **Pinned to 2.1.5 (2026-04-06) per the 14-day rule**; 2.1.7 and 2.1.8 both shipped 2026-05-19 (3 days old). Patch-level since 2.1.1: dependency bumps and config-warning improvements. v2 still excludes regexp `exclude` and `skip_output` from v1. |
+| **npm-check-updates** | ^22.0.0 (22.2.0 too recent) | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) — **Major version jump from 19 to 22.** **Pinned to 22.0.0 (2026-04-25) per the 14-day rule**; 22.2.0 (2026-05-12) is 10 days old today. Now pure ESM; named imports only (`import { run } from 'npm-check-updates'`); `.ncurc.js` with `module.exports` no longer works in `"type": "module"` projects (use `.ncurc.cjs`). **Critical for supply chain: now ships `--cooldown <days>` to refuse versions younger than the specified age.** See [Supply-Chain Mitigation](#supply-chain-mitigation). |
 
 ### Reminders When Updating
 
@@ -61,6 +62,11 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 
 6. **Review “Open Research Questions”** section for any resolved items
 
+7. **Honor the 14-day package-age rule** when bumping versions in code examples.
+   See [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should
+   be ≥14 days old at the time the table is updated, except where a clearly-noted
+   security exception applies.
+
 * * *
 
 ## Executive Summary
@@ -140,9 +146,18 @@ research stock.
 - Missing some pnpm features: no `pnpm deploy`, less strict `node_modules` (phantom
   dependencies possible)
 
-- **Notable**: Bun was acquired by Anthropic in December 2025. Bun now powers Claude
-  Code, Claude Agent SDK, and other Anthropic AI tooling, signaling strong ongoing
-  investment and maintenance.
+- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic’s first
+  acquisition. Bun powers Claude Code (which ships as a `bun build --compile`
+  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling strong
+  ongoing investment and maintenance.
+  **Language transition**: Bun 1.3.14 (2026-05-13) is the last Zig-based release.
+  A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days, 6,755
+  commits) merged to `main` on 2026-05-14 and passes 99.8% of the test suite.
+  The transition was motivated by Zig’s no-AI-contribution policy conflicting with the
+  Bun team’s workflow.
+  The external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`) is
+  unchanged; consumers should expect no breakage but watch the 1.4.x release notes for
+  migration details.
 
 **Assessment**: Bun workspaces are functional and fast, but less strict than pnpm.
 The text-based `bun.lock` format (since Bun 1.2) resolves the earlier diffability
@@ -375,8 +390,8 @@ Key advantages:
 
 - **Compile support**: Can produce standalone executables via `bun --compile`
 
-- **Rapid iteration**: Bunup is under active development (0.16.x as of Jan 2026), with
-  frequent releases. Pin to a specific minor version for stability.
+- **Rapid iteration**: Bunup is under active development (0.16.31 as of May 2026,
+  bug-fix releases since 0.16.22). Pin to a specific minor version for stability.
 
 **Configuration (`bunup.config.ts`)**:
 
@@ -1085,7 +1100,7 @@ bun add -d @biomejs/biome
 
 ```json
 {
-  "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.14/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",
@@ -1697,21 +1712,29 @@ This is a unique advantage that the pnpm ecosystem does not offer natively.
 
 npm-check-updates (`ncu`) works with Bun.
 The main difference is using `bun install` instead of `pnpm install` after updates.
+**All upgrade commands must honor the 14-day package-age rule** — see
+[Supply-Chain Mitigation](#supply-chain-mitigation) for the rationale and exception
+process. `ncu` v22+ ships a native `--cooldown` flag that enforces this directly.
 
 **Root `package.json` scripts**:
 
 ```json
 {
   "scripts": {
-    "upgrade:check": "bunx npm-check-updates --format group",
-    "upgrade": "bunx npm-check-updates --target minor -u && bun install && bun test",
-    "upgrade:major": "bunx npm-check-updates --target latest --interactive --format group"
+    "upgrade:check": "bunx npm-check-updates --cooldown 14 --format group",
+    "upgrade": "bunx npm-check-updates --cooldown 14 --target minor -u && bun install && bun test",
+    "upgrade:major": "bunx npm-check-updates --cooldown 14 --target latest --interactive --format group"
   }
 }
 ```
 
-**Assessment**: Identical workflow.
-`bunx` replaces `npx`.
+**Note on npm-check-updates v22**: v22 is pure ESM, named imports only
+(`import { run } from 'npm-check-updates'`), and config files must be `.ncurc.cjs` (not
+`.ncurc.js`) in projects with `"type": "module"`. The `--cooldown <days>` flag is the
+recommended enforcement point for the 14-day package-age rule.
+
+**Assessment**: Identical workflow to pnpm.
+`bunx` replaces `npx`. Always include `--cooldown 14`.
 
 * * *
 
@@ -1741,7 +1764,7 @@ Bun natively executes TypeScript, eliminating the need for `tsx` entirely.
 | Aspect | pnpm (tsx) | Bun |
 | --- | --- | --- |
 | Dev command | `tsx packages/pkg/src/cli/bin.ts` | `bun packages/pkg/src/cli/bin.ts` |
-| Extra dependency | `tsx` (~4.21.0) | None (built-in) |
+| Extra dependency | `tsx` (~4.22.3) | None (built-in) |
 | TypeScript support | Via esbuild transform | Native |
 | Startup time | ~50ms | ~5ms |
 
@@ -1785,6 +1808,24 @@ in core library code if the library needs to work in Node.js environments.
 
 * * *
 
+## Supply-Chain Mitigation
+
+Supply-chain hardening applies to **every repo, not just new monorepos**, so the full
+policy and hands-on enforcement now live in a standalone guideline:
+**`tbd guidelines supply-chain-hardening`**. It covers the cross-ecosystem 14-day
+cool-off plus the Node/pnpm/Bun specifics — lifecycle-script allowlists, lockfile
+discipline, `npm-check-updates --cooldown 14`, the CI audit gate, and the
+`check-package-age` pre-push guard.
+Deeper background and the named-incident watch list:
+<https://github.com/jlevy/supply-chain-hardening>.
+
+**Bun specifics**: Bun blocks lifecycle scripts by default — extend the allowlist via
+`trustedDependencies` in `package.json`, run `bun audit` in CI with
+`bun install --frozen-lockfile`, and commit `bun.lock`. Bun has no native release-age
+gate yet, so enforce the 14-day cool-off with `bunx npm-check-updates --cooldown 14`.
+
+* * *
+
 ## Comparative Analysis
 
 ### Full-Stack Tooling Comparison
@@ -1834,63 +1875,69 @@ in core library code if the library needs to work in Node.js environments.
 
 ## Best Practices
 
-1. **Use Bun workspaces** with `"workspaces"` in root `package.json`. Use `--cwd` to
+1. **Follow the 14-day package-age rule** for every dependency install and upgrade.
+   See [Supply-Chain Mitigation](#supply-chain-mitigation).
+   Use `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
+   `trustedDependencies` explicitly; commit `bun.lock`; use
+   `bun install --frozen-lockfile` in CI.
+
+2. **Use Bun workspaces** with `"workspaces"` in root `package.json`. Use `--cwd` to
    target specific workspaces when adding dependencies.
 
-2. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
+3. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
    generation with Bunup.
 
-3. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
+4. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
    synchronized with build output.
 
-4. **Use Biome for formatting + linting** via a single `biome.json`. Use
+5. **Use Biome for formatting + linting** via a single `biome.json`. Use
    `biome check --write` locally and `biome ci` in CI for stricter checks.
 
-5. **Add `bun update` after `changeset version`** to fix workspace reference resolution
+6. **Add `bun update` after `changeset version`** to fix workspace reference resolution
    in the lockfile.
 
-6. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
+7. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
    workspace resolution.
 
-7. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
+8. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
    execution wrapper.
 
-8. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
+9. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
    especially for users who don’t have Node.js or Bun installed.
 
-9. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
-   Vitest only if you need test isolation, browser mode, or sharding.
+10. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
+    Vitest only if you need test isolation, browser mode, or sharding.
 
-10. **Keep the root `package.json` private** with `"private": true` and only workspace
+11. **Keep the root `package.json` private** with `"private": true` and only workspace
     tooling.
 
-11. **Scope your package names** with `@org/package-name` for GitHub Packages
+12. **Scope your package names** with `@org/package-name` for GitHub Packages
     compatibility.
 
-12. **Validate before publish** with `publint` in CI and before every release.
+13. **Validate before publish** with `publint` in CI and before every release.
 
-13. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
+14. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
     replaces separate format + lint hooks).
 
-14. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
+15. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
     directly, bypassing compiled output.
 
-15. **Use dynamic git-based versioning** for dev builds — the pattern works identically
+16. **Use dynamic git-based versioning** for dev builds — the pattern works identically
     with Bun, and `bun` replaces `tsx` for script execution.
 
-16. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
+17. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
     produces cleaner output for CI logs.
 
-17. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
+18. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
     Node.js (>=22). Only add CJS if specific consumers require it.
 
-18. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
+19. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
     Markdown, and consistent Markdown formatting improves documentation quality.
 
-19. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
+20. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
     catch regressions in help text, output formatting, and argument parsing.
 
-20. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
+21. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
     Action — they provide npm provenance attestation and automatic GitHub Releases.
 
 * * *
@@ -1913,12 +1960,12 @@ in core library code if the library needs to work in Node.js environments.
    It is diffable in code review and supported by GitHub rendering.
    The binary `bun.lockb` is deprecated.
 
-4. **Biome plugin ecosystem**: Biome v2.0+ introduced plugins and type-aware linting
-   without `tsc`. As of v2.3.x, the rule set continues growing (300+ rules,
-   `noFloatingPromises` in nursery).
-   Monitor for parity with security and accessibility ESLint plugins.
-   Custom ESLint rules remain a reason to keep ESLint (see craft-agents-oss case study
-   in Appendix G).
+4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded snippet
+   formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML accessibility rules
+   enabled by default, and promoted Vue 3 / Next.js / Qwik rules to stable.
+   The rule set continues growing toward parity with security and accessibility ESLint
+   plugins. Custom ESLint rules remain a reason to keep ESLint (see craft-agents-oss case
+   study in Appendix G).
 
 5. **Bun workspace strictness**: Bun still uses flat `node_modules` (no
    content-addressable store).
@@ -1931,21 +1978,41 @@ in core library code if the library needs to work in Node.js environments.
    The open issue ([#5854](https://github.com/oven-sh/bun/issues/5854)) remains tracked.
    The `--minify` and `--bytecode` flags help with startup time but not binary size.
 
-7. **TypeScript 6.0/7.0**: TypeScript 6.0 is a “bridge” release; TypeScript 7.0 (Go
-   rewrite) promises 10x faster builds.
-   TS 7.0 is now available in Visual Studio 2026 Insiders preview with ~8x faster
-   project load times. Install via `npm install -D @typescript/native-preview`. May
-   change the DTS generation landscape for Bunup and tsdown once stable.
+7. ~~**TypeScript 6.0**~~: **SHIPPED** 2026-03-23. TypeScript 6.0 is the last
+   JavaScript-based release; `strict: true` is the default; ESM is the default module
+   system; ~9 compiler settings flipped defaults.
+   Currently 6.0.3. Adopt for the codebase as part of the May 2026 currency refresh;
+   review `tsconfig.base.json` for now-redundant flag declarations.
+
+8. **TypeScript 7.0 (Project Corsa, Go rewrite)**: Beta shipped 2026-04-21 as
+   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed and ~3x
+   less memory; passes 95%+ of the test suite.
+   Available in Visual Studio 2026 18.6 Insiders by default.
+   **Do not adopt for production builds yet** — wait for stable (expected mid-to-late
+   2026). May change the DTS generation landscape for Bunup and tsdown once stable.
 
-8. **Bunup maturity**: Bunup is iterating rapidly (0.16.x as of Jan 2026, up from 0.4.x
+9. **Bunup maturity**: Bunup is iterating rapidly (0.16.31 as of May 2026, up from 0.4.x
    a few months earlier).
    The API surface (`defineConfig`, `defineWorkspace`, `exports`, `compile`) appears
    stable, but pin versions carefully.
 
-9. **Bun + Anthropic**: Bun was acquired by Anthropic (Dec 2025) and now powers Claude
-   Code and Claude Agent SDK. This signals strong continued investment but also a shift
-   toward AI-tooling use cases.
-   Monitor whether the broader open-source community continues to benefit equally.
+10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on 2025-12-02
+    (Anthropic’s first acquisition) and now powers Claude Code, the Claude Agent SDK,
+    and other Anthropic AI tooling.
+    A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days) merged to
+    `main` on 2026-05-14 and passes 99.8% of the test suite.
+    **Bun 1.3.14 is the last Zig-based release.** External API surface (`bun`, `bunx`,
+    `bun install`, `bun test`, `bun build`, `bun --compile`) is unchanged, but watch
+    1.4.x release notes for migration details.
+    Monitor whether the broader open-source community continues to benefit equally as
+    the codebase integrates more deeply with Anthropic’s AI tooling.
+
+11. **`bun audit`**: Now a documented command
+    ([bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit)) with
+    `--audit-level=<low|moderate|high|critical>` and `--json` output.
+    Should be a required CI check (see
+    [Supply-Chain Mitigation](#supply-chain-mitigation)). A `bun audit signatures`
+    equivalent to npm’s signature verification has not yet shipped — monitor.
 
 * * *
 
@@ -2113,10 +2180,10 @@ testing features.
   },
   "dependencies": {},
   "devDependencies": {
-    "bun-types": "^1.3.8",
-    "bunup": "^0.16.22",
-    "publint": "^0.3.17",
-    "typescript": "^5.9.3"
+    "bun-types": "^1.3.13",
+    "bunup": "^0.16.31",
+    "publint": "^0.3.20",
+    "typescript": "^6.0.3"
   }
 }
 ```
@@ -2168,10 +2235,10 @@ testing features.
     "optional-sdk": { "optional": true }
   },
   "devDependencies": {
-    "bun-types": "^1.3.8",
-    "bunup": "^0.16.22",
-    "publint": "^0.3.17",
-    "typescript": "^5.9.3"
+    "bun-types": "^1.3.13",
+    "bunup": "^0.16.31",
+    "publint": "^0.3.20",
+    "typescript": "^6.0.3"
   }
 }
 ```
@@ -2210,29 +2277,35 @@ testing features.
     "upgrade:major": "bunx npm-check-updates --target latest --interactive --format group"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.3.14",
-    "@changesets/cli": "^2.29.8",
-    "lefthook": "^2.0.15",
-    "npm-check-updates": "^19.0.0",
-    "typescript": "^5.9.3"
+    "@biomejs/biome": "^2.4.14",
+    "@changesets/cli": "^2.31.0",
+    "lefthook": "^2.1.5",
+    "npm-check-updates": "^22.0.0",
+    "typescript": "^6.0.3"
   }
 }
 ```
 
 **Notes**:
 
+- All pinned versions above are ≥14 days old as of 2026-05-21 per the
+  [Supply-Chain Mitigation](#supply-chain-mitigation) policy.
+  Newer releases may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8,
+  `npm-check-updates` 22.2.0) but were too fresh at the time of this document update.
 - `"check:ci": "biome ci ."` uses `biome ci` (stricter than `biome check` — errors on
   formatting issues)
 - `bun run --filter '*' <script>` delegates to each workspace package
 - The `@changesets/changelog-github` dependency is optional — use
   `"changelog": "@changesets/cli/changelog"` in `.changeset/config.json` for a simpler
   built-in changelog generator
+- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per the
+  14-day package-age rule (see Supply-Chain Mitigation section).
 
 ### Appendix C: Complete biome.json Example
 
 ```json
 {
-  "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.14/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",