Skip to content

fs-packages M1 moderate remediation (Armorer)#33

Open
Goosterhof wants to merge 3 commits intomainfrom
armorer/m1-moderate-remediation
Open

fs-packages M1 moderate remediation (Armorer)#33
Goosterhof wants to merge 3 commits intomainfrom
armorer/m1-moderate-remediation

Conversation

@Goosterhof
Copy link
Copy Markdown
Contributor

@Goosterhof Goosterhof commented Apr 17, 2026

Summary

Executes the Armorer portion of the fs-packages M1 moderate remediation deployment order (orders/fs-packages/2026-04-17-m1-moderate-remediation-deployment.md).

Tasks

  • Task 1 — Pre-Publish Dist Validation (26de0c7): Adds a CI step to .github/workflows/publish.yml that runs npm pack --dry-run --json on every package before npx changeset publish. Fails the workflow with a named error if any package is missing dist/index.{mjs,cjs,d.mts,d.cts} or has a 0-byte artifact. Level 1 enforcement preventing regression of the fs-http 0.1.1/0.1.2 empty-tarball incident.
  • Task 2 — dialog vitest environment (SKIPPED): Intel stale. packages/fs-dialog/tests/dialog.spec.ts already declares // @vitest-environment happy-dom at file level (commit d690c6e, 2026-04-07), matching the 9-package convention. Adding environment: 'happy-dom' to vitest.config.ts would be a no-op — vitest 4 workspace mode does not pass environment from defineProject (documented rationale in that commit). See execution report for details.
  • Task 3 — fs-router peer range (6719432): Bumps vue peer range in packages/fs-router/package.json from ^3.5.0 to ^3.5.32, matching the other 9 packages. No hidden constraint requiring the broader range.
  • Task 4 — repository.url git+ prefix (4bd3115): Updates repository.url in all 10 packages to git+https://… per npm registry best practice. Silences publint suggestion L1.

Verification

Full 8-gate pipeline green locally on 2026-04-17:

Gate Result
npm audit 0 vulnerabilities
format:check 130 files correctly formatted
lint 0 warnings, 0 errors (93 rules, 80 files)
build All 10 packages built (dual ESM + CJS)
typecheck All workspaces pass
lint:pkg All 10 packages: "No problems found" (publint + attw)
test:coverage 419 tests pass across 18 test files; per-package 100% gates green
test:mutation All 10 packages ≥ 90% (range 91.20% – 100%)

Task 1 test-first simulation:

  • rm -rf packages/http/dist/ triggered validation failure: ::error::@script-development/fs-http is missing dist/index.mjs in published tarball (+ 3 sibling errors) and exit code 1.
  • Truncating dist/index.mjs to 0 bytes triggered: ::error::@script-development/fs-http dist/index.mjs is 0 bytes and exit code 1.
  • Green state (all packages built) passes with "All packages validated".

Scope Notes

  • Task 2 skipped with rationale (see execution report).
  • Out-of-scope items held out of this PR: CLAUDE.md ADR projection changes (Phase 4 governance parity work, to be committed separately), npm deprecate of fs-http 0.1.1/0.1.2 (Commander direct), kendo-scoped moduleResolution + HttpService re-export fixes (separate kendo order).

Test plan

  • Full 8-gate local verification
  • Task 1 deliberate-failure simulation (MISSING + 0-byte)
  • Task 1 green-state pass
  • CI runs green on PR

🤖 Generated with Claude Code

Goosterhof and others added 3 commits April 17, 2026 13:53
@Goosterhof @claude
ci(publish): add pre-publish dist validation
26de0c7 
Validates each package's tarball contents via `npm pack --dry-run --json`
before `npx changeset publish` runs. Fails the workflow with a clear error
naming the affected package if any required dist artifact
(index.mjs, index.cjs, index.d.mts, index.d.cts) is missing or 0 bytes.

Prevents regression of the fs-http 0.1.1/0.1.2 empty-tarball incident
caused by upload-artifact glob path stripping. Level 1 enforcement per
Surveyor M1 C1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Goosterhof @claude
chore(router): align vue peer range to ^3.5.32
6719432 
Matches the vue peer range declared by the other 9 packages. Prevents
consumers from negotiating conflicting constraints when fs-router is
combined with any other fs-packages package in the same workspace.

Closes Cartographer M1 M4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Goosterhof @claude
chore: add git+ prefix to repository.url across packages
4bd3115 
Aligns with npm registry best practice (publint suggestion L1). Updates
all 10 packages' repository.url to "git+https://..." to silence the
publint notice emitted in the lint:pkg gate.

Closes Cartographer M1 L1 / Surveyor M1 L1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages bot commented Apr 17, 2026

Deploying fs-packages with  Cloudflare Pages  Cloudflare Pages

Latest commit: 4bd3115
Status: ✅  Deploy successful!
Preview URL: https://f477f9b7.fs-packages.pages.dev
Branch Preview URL: https://armorer-m1-moderate-remediat.fs-packages.pages.dev

View logs

@Goosterhof Goosterhof mentioned this pull request Apr 17, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Goosterhof