npm - get-tbd - Versions diffs - 0.1.28 → 0.1.30 - Mend

get-tbd 0.1.28 → 0.1.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/bin.mjs +444 -126
package/dist/bin.mjs.map +1 -1
package/dist/cli.mjs +442 -128
package/dist/cli.mjs.map +1 -1
package/dist/{config-C0ITTrtc.mjs → config-BPHcePSm.mjs} +1 -1
package/dist/{config-B38rbI9u.mjs → config-DVap9omo.mjs} +6 -2
package/dist/config-DVap9omo.mjs.map +1 -0
package/dist/docs/SKILL.md +0 -5
package/dist/docs/guidelines/bun-monorepo-patterns.md +92 -289
package/dist/docs/guidelines/cli-agent-skill-patterns.md +1023 -1244
package/dist/docs/guidelines/pnpm-monorepo-patterns.md +104 -321
package/dist/docs/guidelines/supply-chain-hardening.md +237 -0
package/dist/docs/install/ensure-gh-cli.sh +59 -24
package/dist/docs/shortcuts/standard/new-validation-plan.md +1 -1
package/dist/index.mjs +1 -1
package/dist/{src-D2xEmH4L.mjs → src-BK_EF6mk.mjs} +2 -2
package/dist/{src-D2xEmH4L.mjs.map → src-BK_EF6mk.mjs.map} +1 -1
package/dist/tbd +444 -126
package/package.json +1 -1
package/dist/config-B38rbI9u.mjs.map +0 -1

package/dist/docs/guidelines/bun-monorepo-patterns.md CHANGED Viewed

@@ -34,7 +34,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 | **flowmark** | latest | [github.com/jlevy/flowmark](https://github.com/jlevy/flowmark) — Markdown auto-formatter (via `uvx`). |
 | **publint** | ^0.3.20 (0.3.21 too recent) | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — **Pinned to 0.3.20 (2026-05-08) per the 14-day rule**; 0.3.21 (2026-05-13) is 9 days old today. Incremental: re-enabled TS/TSX file existence checks; `exports["default"]` support. |
 | **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) — v6.0.2 (2026-01-09). Credentials now stored in `$RUNNER_TEMP` rather than `.git/config`; Node 24 runtime; requires runner ≥ 2.327.1. |
-| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub's **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
+| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub’s **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
 | **lefthook** | ^2.1.5 (2.1.7/2.1.8 too recent) | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — **Pinned to 2.1.5 (2026-04-06) per the 14-day rule**; 2.1.7 and 2.1.8 both shipped 2026-05-19 (3 days old). Patch-level since 2.1.1: dependency bumps and config-warning improvements. v2 still excludes regexp `exclude` and `skip_output` from v1. |
 | **npm-check-updates** | ^22.0.0 (22.2.0 too recent) | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) — **Major version jump from 19 to 22.** **Pinned to 22.0.0 (2026-04-25) per the 14-day rule**; 22.2.0 (2026-05-12) is 10 days old today. Now pure ESM; named imports only (`import { run } from 'npm-check-updates'`); `.ncurc.js` with `module.exports` no longer works in `"type": "module"` projects (use `.ncurc.cjs`). **Critical for supply chain: now ships `--cooldown <days>` to refuse versions younger than the specified age.** See [Supply-Chain Mitigation](#supply-chain-mitigation). |
@@ -62,9 +62,9 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 6. **Review “Open Research Questions”** section for any resolved items
-7. **Honor the 14-day package-age rule** when bumping versions in code examples. See
-   [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should be
-   ≥14 days old at the time the table is updated, except where a clearly-noted
+7. **Honor the 14-day package-age rule** when bumping versions in code examples.
+   See [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should
+   be ≥14 days old at the time the table is updated, except where a clearly-noted
    security exception applies.
 * * *
@@ -146,17 +146,18 @@ research stock.
 - Missing some pnpm features: no `pnpm deploy`, less strict `node_modules` (phantom
   dependencies possible)
-- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic's first
+- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic’s first
   acquisition. Bun powers Claude Code (which ships as a `bun build --compile`
-  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling
-  strong ongoing investment and maintenance. **Language transition**: Bun 1.3.14
-  (2026-05-13) is the last Zig-based release. A full Rust rewrite (~960K lines,
-  generated by Claude agents over ~6 days, 6,755 commits) merged to `main` on
-  2026-05-14 and passes 99.8% of the test suite. The transition was motivated by
-  Zig's no-AI-contribution policy conflicting with the Bun team's workflow. The
-  external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`)
-  is unchanged; consumers should expect no breakage but watch the 1.4.x release
-  notes for migration details.
+  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling strong
+  ongoing investment and maintenance.
+  **Language transition**: Bun 1.3.14 (2026-05-13) is the last Zig-based release.
+  A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days, 6,755
+  commits) merged to `main` on 2026-05-14 and passes 99.8% of the test suite.
+  The transition was motivated by Zig’s no-AI-contribution policy conflicting with the
+  Bun team’s workflow.
+  The external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`) is
+  unchanged; consumers should expect no breakage but watch the 1.4.x release notes for
+  migration details.
 **Assessment**: Bun workspaces are functional and fast, but less strict than pnpm.
 The text-based `bun.lock` format (since Bun 1.2) resolves the earlier diffability
@@ -1709,11 +1710,11 @@ This is a unique advantage that the pnpm ecosystem does not offer natively.
 **Details**:
-npm-check-updates (`ncu`) works with Bun. The main difference is using `bun install`
-instead of `pnpm install` after updates. **All upgrade commands must honor the
-14-day package-age rule** — see [Supply-Chain Mitigation](#supply-chain-mitigation)
-for the rationale and exception process. `ncu` v22+ ships a native `--cooldown`
-flag that enforces this directly.
+npm-check-updates (`ncu`) works with Bun.
+The main difference is using `bun install` instead of `pnpm install` after updates.
+**All upgrade commands must honor the 14-day package-age rule** — see
+[Supply-Chain Mitigation](#supply-chain-mitigation) for the rationale and exception
+process. `ncu` v22+ ships a native `--cooldown` flag that enforces this directly.
 **Root `package.json` scripts**:
@@ -1728,13 +1729,12 @@ flag that enforces this directly.
 ```
 **Note on npm-check-updates v22**: v22 is pure ESM, named imports only
-(`import { run } from 'npm-check-updates'`), and config files must be
-`.ncurc.cjs` (not `.ncurc.js`) in projects with `"type": "module"`. The
-`--cooldown <days>` flag is the recommended enforcement point for the 14-day
-package-age rule.
+(`import { run } from 'npm-check-updates'`), and config files must be `.ncurc.cjs` (not
+`.ncurc.js`) in projects with `"type": "module"`. The `--cooldown <days>` flag is the
+recommended enforcement point for the 14-day package-age rule.
-**Assessment**: Identical workflow to pnpm. `bunx` replaces `npx`. Always
-include `--cooldown 14`.
+**Assessment**: Identical workflow to pnpm.
+`bunx` replaces `npx`. Always include `--cooldown 14`.
 * * *
@@ -1810,216 +1810,19 @@ in core library code if the library needs to work in Node.js environments.
 ## Supply-Chain Mitigation
-> **Sync note**: this section is normative and is duplicated **verbatim** in both
-> `bun-monorepo-patterns.md` and `pnpm-monorepo-patterns.md`. When you change one,
-> change the other in the same commit. Tooling-specific commands (e.g.
-> `bun audit` vs. `pnpm audit`) are called out inline.
+Supply-chain hardening applies to **every repo, not just new monorepos**, so the full
+policy and hands-on enforcement now live in a standalone guideline:
+**`tbd guidelines supply-chain-hardening`**. It covers the cross-ecosystem 14-day
+cool-off plus the Node/pnpm/Bun specifics — lifecycle-script allowlists, lockfile
+discipline, `npm-check-updates --cooldown 14`, the CI audit gate, and the
+`check-package-age` pre-push guard.
+Deeper background and the named-incident watch list:
+<https://github.com/jlevy/supply-chain-hardening>.
-Modern TypeScript supply-chain attacks land through fresh package versions — a
-maintainer's npm token is compromised, malware is published as a patch release, and
-the registry yanks it 1–10 days later once detection catches up. The
-**Shai-Hulud 2.0** campaign of May 2026 compromised 170+ npm packages this way, and
-similar campaigns ran through 2025 (`debug`, `chalk`, `ansi-styles` lookalikes;
-`expr-eval` post-install RCE). pnpm shipped `minimumReleaseAge` as a default in
-v11.0 (1 day). Bun ships a built-in trusted-dependency allowlist and `bun audit`.
-The settings below are stricter than the ecosystem defaults and intentionally so.
-### The 14-day package-age rule
-**Never install or upgrade to a package version less than 14 days old.**
-Why 14 days specifically:
-- **Detection window**: most malicious publishes are reported and yanked within
-  3–7 days; 14 days gives a generous buffer past that median.
-- **Patch-level releases ship dangerous code more often**: many compromises arrive
-  as `1.2.3 → 1.2.4` patch bumps. A trailing window neutralizes the entire class
-  of "fresh patch is malicious" attacks regardless of which dependency moved.
-- **Cheap to enforce, cheap to wait**: there is essentially no business cost to
-  waiting 14 days on a routine upgrade, and the upside is large.
-Scope:
-- Applies to **`dependencies`, `devDependencies`, `peerDependencies`, and
-  `optionalDependencies`** alike. devDependencies (bundlers, linters, test
-  runners) have historically been *more* dangerous than runtime deps because
-  they execute with full developer privileges on every install.
-- Applies to **transitive dependencies** to the extent the package manager
-  enforces it (see below). Direct deps are the primary control point.
-- Applies to **upgrades and new installs**. Existing pins resolved before this
-  policy was adopted are grandfathered until their next planned upgrade.
-Exception process: if a security patch within the 14-day window is needed —
-e.g., a CVE patch published yesterday that fixes a vulnerability you are
-exposed to — the exception **must** be documented in the upgrade commit message
-or PR description, including:
-- The CVE ID (or vulnerability description if no CVE yet).
-- A link to the upstream release notes.
-- A reviewer sign-off line (`Reviewed-by: …`).
-No exception is "trivial" — even a `prettier` patch is in scope. The whole
-point of the rule is that we don't trust ourselves to spot-judge which fresh
-versions are safe.
-### Enforcement: Bun
-Bun blocks arbitrary lifecycle scripts by default via an internal allowlist of
-trusted packages. To extend that allowlist for your repo, declare the packages
-explicitly in `package.json`:
-```json
-{
-  "trustedDependencies": [
-    "esbuild",
-    "sharp"
-  ]
-}
-```
-Anything not in the allowlist runs without `postinstall`/`preinstall`/`install`
-scripts. This is the most important single mitigation Bun gives you out of the
-box.
-`bun audit` (documented at [bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit))
-checks the installed tree against the npm advisory database:
-```bash
-# Run as part of CI; non-zero exit on findings
-bun audit --audit-level=moderate
-# JSON output for parsing in scripts
-bun audit --json
-```
-Bun does **not yet** ship a built-in equivalent of pnpm's `minimumReleaseAge`,
-so age enforcement is handled at the upgrade-tool layer (see below).
-### Enforcement: cross-tool tooling
-**`npm-check-updates --cooldown`** is the primary upgrade-time check. Use it
-even on Bun-managed projects (via `bunx`):
-```bash
-# Refuse any candidate version younger than 14 days
-bunx npm-check-updates --cooldown 14
-# Interactive upgrade with the 14-day filter applied
-bunx npm-check-updates --cooldown 14 --target minor --interactive
-# CI-style check: exits non-zero if upgrades are available
-bunx npm-check-updates --cooldown 14 --errorLevel 2
-```
-**Direct registry query** (when in doubt about a specific version):
-```bash
-# Show all publish times for a package
-npm view typescript time
-# Show the time of a specific version
-npm view typescript time.6.0.3
-```
-If `npm view <pkg> time.<version>` reports less than 14 days ago, **wait**.
-### Enforcement: lockfile discipline
-- **Always commit `bun.lock`** (the text JSONC lockfile, default since Bun 1.2).
-- **Use `bun install --frozen-lockfile` in CI** so any drift between
-  `package.json` and `bun.lock` fails the build instead of silently resolving
-  to fresh versions.
-- **Never run `bun update` (or `bun install` on a fresh `node_modules` with an
-  unpinned `package.json`) without lockfile review.** Treat lockfile diffs the
-  same as code diffs.
-- In a monorepo, **a single root `bun.lock`** is the source of truth; per-package
-  lockfiles are an anti-pattern.
-### Enforcement: provenance and signatures
-- Prefer dependencies that publish with [npm provenance attestations](https://docs.npmjs.com/generating-provenance-statements).
-  Major projects (TypeScript, Vitest, Prettier, ESLint, etc.) ship these.
-- Run `npm audit signatures` (or the upcoming `bun audit signatures` once it
-  ships) in CI on a periodic basis to catch tampered packages.
-### Sample CI gate
-Add this job to the CI workflow alongside lint/test:
-```yaml
-audit:
-  runs-on: ubuntu-latest
-  steps:
-    - uses: actions/checkout@v6
-    - uses: oven-sh/setup-bun@v2
-      with:
-        bun-version: latest
-    - run: bun install --frozen-lockfile
-    - name: Vulnerability audit
-      run: bun audit --audit-level=moderate
-    - name: Package-age check
-      run: bunx npm-check-updates --cooldown 14 --errorLevel 0
-      # errorLevel 0 logs but doesn't fail — flip to 2 once you've cleared
-      # the existing backlog.
-```
-### Recommended local script
-Drop a `scripts/check-package-age.mjs` (or `.ts`) one-liner in the repo that a
-pre-push hook can call:
-```ts
-#!/usr/bin/env bun
-// Refuses to commit if any direct dependency in package.json was published
-// less than COOLDOWN_DAYS ago. Intended for the pre-push hook.
-import pkg from '../package.json' with { type: 'json' };
-const COOLDOWN_MS = 14 * 24 * 60 * 60 * 1000;
-const now = Date.now();
-const all = { ...pkg.dependencies, ...pkg.devDependencies };
-let violations = 0;
-for (const [name, spec] of Object.entries(all)) {
-  const version = String(spec).replace(/^[\^~=<>]+/, '');
-  const meta = await (await fetch(`https://registry.npmjs.org/${name}`)).json();
-  const publishedAt = meta.time?.[version];
-  if (!publishedAt) continue;
-  const ageMs = now - new Date(publishedAt).getTime();
-  if (ageMs < COOLDOWN_MS) {
-    const days = (ageMs / 86_400_000).toFixed(1);
-    console.error(`✗ ${name}@${version} is only ${days} days old (< 14)`);
-    violations++;
-  }
-}
-process.exit(violations > 0 ? 1 : 0);
-```
-Wire it into lefthook (see Appendix E):
-```yaml
-pre-push:
-  commands:
-    package-age:
-      glob: "package.json"
-      run: bun scripts/check-package-age.ts
-```
-### Exception bookkeeping
-When you take an exception, leave a one-line marker in `package.json` adjacent
-to the pin:
-```jsonc
-{
-  "devDependencies": {
-    // Exception: CVE-2026-XXXX patch within 14d window. Reviewed 2026-05-21.
-    "vitest": "4.1.7"
-  }
-}
-```
-(JSON strict-parsers will reject `//` comments — use a JSONC-aware tool or
-move the note to a `README.md` / `CHANGELOG.md` entry instead.)
+**Bun specifics**: Bun blocks lifecycle scripts by default — extend the allowlist via
+`trustedDependencies` in `package.json`, run `bun audit` in CI with
+`bun install --frozen-lockfile`, and commit `bun.lock`. Bun has no native release-age
+gate yet, so enforce the 14-day cool-off with `bunx npm-check-updates --cooldown 14`.
 * * *
@@ -2073,8 +1876,8 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
 ## Best Practices
 1. **Follow the 14-day package-age rule** for every dependency install and upgrade.
-   See [Supply-Chain Mitigation](#supply-chain-mitigation). Use
-   `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
+   See [Supply-Chain Mitigation](#supply-chain-mitigation).
+   Use `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
    `trustedDependencies` explicitly; commit `bun.lock`; use
    `bun install --frozen-lockfile` in CI.
@@ -2084,57 +1887,57 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
 3. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
    generation with Bunup.
-3. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
+4. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
    synchronized with build output.
-4. **Use Biome for formatting + linting** via a single `biome.json`. Use
+5. **Use Biome for formatting + linting** via a single `biome.json`. Use
    `biome check --write` locally and `biome ci` in CI for stricter checks.
-5. **Add `bun update` after `changeset version`** to fix workspace reference resolution
+6. **Add `bun update` after `changeset version`** to fix workspace reference resolution
    in the lockfile.
-6. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
+7. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
    workspace resolution.
-7. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
+8. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
    execution wrapper.
-8. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
+9. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
    especially for users who don’t have Node.js or Bun installed.
-9. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
-   Vitest only if you need test isolation, browser mode, or sharding.
+10. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
+    Vitest only if you need test isolation, browser mode, or sharding.
-10. **Keep the root `package.json` private** with `"private": true` and only workspace
+11. **Keep the root `package.json` private** with `"private": true` and only workspace
     tooling.
-11. **Scope your package names** with `@org/package-name` for GitHub Packages
+12. **Scope your package names** with `@org/package-name` for GitHub Packages
     compatibility.
-12. **Validate before publish** with `publint` in CI and before every release.
+13. **Validate before publish** with `publint` in CI and before every release.
-13. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
+14. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
     replaces separate format + lint hooks).
-14. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
+15. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
     directly, bypassing compiled output.
-15. **Use dynamic git-based versioning** for dev builds — the pattern works identically
+16. **Use dynamic git-based versioning** for dev builds — the pattern works identically
     with Bun, and `bun` replaces `tsx` for script execution.
-16. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
+17. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
     produces cleaner output for CI logs.
-17. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
+18. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
     Node.js (>=22). Only add CJS if specific consumers require it.
-18. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
+19. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
     Markdown, and consistent Markdown formatting improves documentation quality.
-19. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
+20. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
     catch regressions in help text, output formatting, and argument parsing.
-20. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
+21. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
     Action — they provide npm provenance attestation and automatic GitHub Releases.
 * * *
@@ -2157,12 +1960,12 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
    It is diffable in code review and supported by GitHub rendering.
    The binary `bun.lockb` is deprecated.
-4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded
-   snippet formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML
-   accessibility rules enabled by default, and promoted Vue 3 / Next.js / Qwik
-   rules to stable. The rule set continues growing toward parity with security and
-   accessibility ESLint plugins. Custom ESLint rules remain a reason to keep ESLint
-   (see craft-agents-oss case study in Appendix G).
+4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded snippet
+   formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML accessibility rules
+   enabled by default, and promoted Vue 3 / Next.js / Qwik rules to stable.
+   The rule set continues growing toward parity with security and accessibility ESLint
+   plugins. Custom ESLint rules remain a reason to keep ESLint (see craft-agents-oss case
+   study in Appendix G).
 5. **Bun workspace strictness**: Bun still uses flat `node_modules` (no
    content-addressable store).
@@ -2176,40 +1979,40 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
    The `--minify` and `--bytecode` flags help with startup time but not binary size.
 7. ~~**TypeScript 6.0**~~: **SHIPPED** 2026-03-23. TypeScript 6.0 is the last
-   JavaScript-based release; `strict: true` is the default; ESM is the default
-   module system; ~9 compiler settings flipped defaults. Currently 6.0.3. Adopt
-   for the codebase as part of the May 2026 currency refresh; review
-   `tsconfig.base.json` for now-redundant flag declarations.
+   JavaScript-based release; `strict: true` is the default; ESM is the default module
+   system; ~9 compiler settings flipped defaults.
+   Currently 6.0.3. Adopt for the codebase as part of the May 2026 currency refresh;
+   review `tsconfig.base.json` for now-redundant flag declarations.
 8. **TypeScript 7.0 (Project Corsa, Go rewrite)**: Beta shipped 2026-04-21 as
-   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed
-   and ~3x less memory; passes 95%+ of the test suite. Available in
-   Visual Studio 2026 18.6 Insiders by default. **Do not adopt for production
-   builds yet** — wait for stable (expected mid-to-late 2026). May change the
-   DTS generation landscape for Bunup and tsdown once stable.
+   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed and ~3x
+   less memory; passes 95%+ of the test suite.
+   Available in Visual Studio 2026 18.6 Insiders by default.
+   **Do not adopt for production builds yet** — wait for stable (expected mid-to-late
+   2026). May change the DTS generation landscape for Bunup and tsdown once stable.
 9. **Bunup maturity**: Bunup is iterating rapidly (0.16.31 as of May 2026, up from 0.4.x
    a few months earlier).
    The API surface (`defineConfig`, `defineWorkspace`, `exports`, `compile`) appears
    stable, but pin versions carefully.
-10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on
-    2025-12-02 (Anthropic's first acquisition) and now powers Claude Code, the
-    Claude Agent SDK, and other Anthropic AI tooling. A full Rust rewrite
-    (~960K lines, generated by Claude agents over ~6 days) merged to `main` on
-    2026-05-14 and passes 99.8% of the test suite. **Bun 1.3.14 is the last
-    Zig-based release.** External API surface (`bun`, `bunx`, `bun install`,
-    `bun test`, `bun build`, `bun --compile`) is unchanged, but watch 1.4.x
-    release notes for migration details. Monitor whether the broader
-    open-source community continues to benefit equally as the codebase
-    integrates more deeply with Anthropic's AI tooling.
+10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on 2025-12-02
+    (Anthropic’s first acquisition) and now powers Claude Code, the Claude Agent SDK,
+    and other Anthropic AI tooling.
+    A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days) merged to
+    `main` on 2026-05-14 and passes 99.8% of the test suite.
+    **Bun 1.3.14 is the last Zig-based release.** External API surface (`bun`, `bunx`,
+    `bun install`, `bun test`, `bun build`, `bun --compile`) is unchanged, but watch
+    1.4.x release notes for migration details.
+    Monitor whether the broader open-source community continues to benefit equally as
+    the codebase integrates more deeply with Anthropic’s AI tooling.
 11. **`bun audit`**: Now a documented command
     ([bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit)) with
-    `--audit-level=<low|moderate|high|critical>` and `--json` output. Should be
-    a required CI check (see [Supply-Chain Mitigation](#supply-chain-mitigation)).
-    A `bun audit signatures` equivalent to npm's signature verification has not
-    yet shipped — monitor.
+    `--audit-level=<low|moderate|high|critical>` and `--json` output.
+    Should be a required CI check (see
+    [Supply-Chain Mitigation](#supply-chain-mitigation)). A `bun audit signatures`
+    equivalent to npm’s signature verification has not yet shipped — monitor.
 * * *
@@ -2486,17 +2289,17 @@ testing features.
 **Notes**:
 - All pinned versions above are ≥14 days old as of 2026-05-21 per the
-  [Supply-Chain Mitigation](#supply-chain-mitigation) policy. Newer releases
-  may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8, `npm-check-updates`
-  22.2.0) but were too fresh at the time of this document update.
+  [Supply-Chain Mitigation](#supply-chain-mitigation) policy.
+  Newer releases may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8,
+  `npm-check-updates` 22.2.0) but were too fresh at the time of this document update.
 - `"check:ci": "biome ci ."` uses `biome ci` (stricter than `biome check` — errors on
   formatting issues)
 - `bun run --filter '*' <script>` delegates to each workspace package
 - The `@changesets/changelog-github` dependency is optional — use
   `"changelog": "@changesets/cli/changelog"` in `.changeset/config.json` for a simpler
   built-in changelog generator
-- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per
-  the 14-day package-age rule (see Supply-Chain Mitigation section).
+- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per the
+  14-day package-age rule (see Supply-Chain Mitigation section).
 ### Appendix C: Complete biome.json Example