0.11.0

⇅ Show all commits

Improvements

Opt-in Dependabot version update configuration — #94 ⇄ #95 (⊶ d34de53)

↠ The .github/dependabot.yml Dependabot configuration file for automation version updates that was introduced in #52 often causes a lot of PR noise and does not really help since updates also often require more action than just a bump of the version number itself like migration steps or adjustments to changes (e.g. APIs or deprecated implementations). Since Dependabot is not able to fulfill this and only does a stupid increase of the version number it often creates more work than it helps. The result are often hundreds of notifications and more digital noise for developers and maintainers without any real benefit since version & security updates are done on a regular schedule by maintainers who know what they are doing and how modern software should be maintained.
Therefore the .github/dependabot.yml file has been renamed to .github/dependabot.tmpl.yml to disable Dependabot for this repository while still allowing repositories that are based on this template repository to opt-in.

The full changelog is available in the repository

Copyright © 2020-present Sven Greb

0.10.0

⇅ Show all commits

Improvements

Migrate to Markdown style guide version 0.4.0 — #76 ⇄ #77 (⊶ 0bb40e3)

↠ This project adheres to the Arctic Ice Studio Markdown style guide which recently published version 0.4.0 that introduces some larger changes:

• The repository was converted into a monorepo and the currently used remark-preset-lint-arcticicestudio npm package was deprecated and moved into the new, scoped @arcticicestudio/remark-preset-lint package.
• Support for the shiny new remark version 13.0.0 was introduced which is now the minimum required version for the rule preset packages.
• Several other great improvements and migrations like the adaption of this template repository as well as the usage of the GitHub Flow branching model and new main branch concept.

Optimize GitHub action workflow scope — #84 ⇄ #85 (⊶ 079bd3d)

↠ Currently all jobs are summarized in the ci workflow but not separated by their scope, e.g. only Node specific tasks. The workflow is also not optimized to only run when specific files have been changed which results in false-positive executions and wastes limited free tier and developer time.
Therefore the ci workflow will be optimized.

CI Node

A new ci-node workflow will…

• only run when any *.js, *.json, *.md, *.yaml and *.yml file has been modified. This matches the lint-staged, Prettier and remark configurations. See the extensive GitHub action documentations about on.<push|pull_request>.paths and the filter pattern cheat sheet for more details.
• only run for ubuntu-latest instead of a matrix with macos-latest and windows-latest since there is no platform specific code yet.
• use cache npm dependencies which is possible as of actions/setup-node@v2.2.0.

Tasks

Update Node packages — #78 ⇄ #79 (⊶ 0f13e87)

↠ Updated all outdated Node packages to their latest versions:

• lint-staged — Bumped minimum version from v10.5.4 to v11.0.0.
• prettier — Bumped minimum version from v2.2.1 to v2.3.2. It comes with the nice improvement to treat the .prettierrc file as YAML when formatting it.
• Validated and fixed/improved matches after running formatting and linting tools with their latest versions.

Bump actions/setup-node from 2.1.5 to 2.4.1 — #83 (⊶ d516b49)

↠ Updated actions/setup-node from version 2.1.5 to 2.4.1.

Update Node package dependencies & GitHub Action versions — #86 ⇄ #87 (⊶ f97b7e5)

↠ Updated all repository (development) Node packages and GitHub Actions to the latest versions and adapt to their changes:

• husky — Bump minimum version from ^6.0.0 to ^7.0.4 where 7.0.0 is a major update that allows to remove the .husky/.gitignore file to simplify the local installation and usage.
• lint-staged — Bump minimum version from ^11.0.0 to ^12.0.4 where 12.0.0 is a major update that allows ESM usage.
• prettier — Bump minimum version from ^2.3.2 to ^2.4.1.
• remark-cli — Bump minimum version from ^9.0.0 to ^10.0.0.

The full changelog is available in the repository

Copyright © 2020-present Sven Greb

0.9.0

Changelog for the collection of template repositories for new projects.

⇅ [Show all commits][gh-compare-tag-v0.8.0_v0.9.0]

Improvements

From npm to Yarn and back again — #72 ⇄ #73 (⊶ b996786)

↠ Some years ago, the switch from [npm][] (v4) to [Yarn][yarn-v1] (v1) was mainly done because of the fantastic [workspace feature][yarn-docs-ws] for [monorepos][wiki-monorepo] as well as the great performance and UX improvements. This was a good decision and almost every popular and well-known project used to do the same, but with the announcement of [Yarn v2][yarn] (named [“berry“][gh-yarnpkg/berry]) the community got upset about the path the project has taken. Next to this, [npm joined GitHub][gh-blog-npm_joins] back in March 2020 which meant that the development continues in a good direction and is baked by the open source platform itself.
These events, the overall fantastic new npm release version v7, including the introduction of [workspaces][npm-docs-ws], and the fact that I never liked the disadvantage of requiring to use an “external“ package manager instead of the one that is bundled with Node, lead to the decision to finally switch back to npm again.

The only drawback is the constraint that the minimum [npm version is now v7.7.0][gh-npm/cli-rel-v7.7.0] because this is the first version that comes with workspace support for the run-script and exec commands through the --workspace/-w and --workspaces/-ws CLI flags, e.g. npm run -w PACKAGE run lint. The first Node version that ships with npm v7.7.x is [v15.13.0][node-dist-v15.13.0] which is globally available as of april 1, 2021 (no, it‘s not an april fool 😄). To ensure that these constraints are met, without only relying on users to read the documentation, both npm and node have been added to [the engines field][npm-docs-pkgjson#engines] of the package.json file.

This change also comes with updates to all documentations, including the addition of the version constraints, as well as updates to repository template features like the GitHub Action workflows. The .yarnrc file has been replaced by .npmrc that includes the package-lock=false and save-exact=false configurations.

Tasks

Node package dependency & GitHub action version updates — #67, #68, #69, #74 ⇄ #75

↠ Bumped outdated Go module dependencies and GitHub actions to their latest versions:

• #67, #68, #69 (⊶ 8bff7a5, 46a92f0, 14a9108) [actions/setup-node][gh-actions/setup-node] from [v2.1.2 to v2.1.5][gh-actions/setup-node-comp-v2.1.2_v2.1.5]
• #74 ⇄ #75 (⊶ d827dbf) [husky][gh-typicode/husky] — Bumped minimum version from [v4.3.0 to v6.0.0][gh-typicode/husky-comp-v4.3.0_v6.0.0]. This also includes some breaking changes that require migrations. Run the official migration CLI to automatically migrate from v4 to v6: npx husky-init && npm exec -- github:typicode/husky-4-to-6 --remove-v4-config
• #74 ⇄ #75 (⊶ d827dbf) [lint-staged][gh-okonet/lint-staged] — Bumped minimum version from [v10.5.1 to v10.5.4][gh-okonet/lint-staged-comp-v10.5.1_v10.5.4].
• #74 ⇄ #75 (⊶ d827dbf) [remark-cli][gh-remarkjs/remark] — Bumped minimum version from [v8.0.1 to v9.0.0][gh-remarkjs/remark-comp-v8.0.1_v9.0.0].

Dependency handling with lockfiles — #70 ⇄ #71 (⊶ a98d9b1)

↠ The usage of dependency lockfiles like [package-lock.json][npm-docs-v7-lockfile] or [yarn.lock][yarn-docs-lock] has always been a controversial topic where opinions go in different directions. On one side many project maintainers tend to argue that is helps to achieve deterministic build results, but on the side it might also hide problems when any later versions of a used dependency, or its transitive dependencies, is not compatible with the own project anymore.

I‘ve investigated a lot of time into research again to finally find a solution that works for my projects. In short, the result is to go with the rule that is also used by many large-scale projects: Do not use lockfiles for multi-consumer projects like libraries but only for single-consumer projects like applications.

Therefore the yarn.lock file has been removed since this makes no sense for a repository template anyway. See the sections below for some more details about how to decide to use a lockfile or not.

When to use lockfiles

The clear advantage of lockfiles are reproducible builds and the persistence of a running project state. They ensure that a project artifact can be rebuild at anytime using the exact same dependencies, resulting in the exact same artifact, even when the project was not updated in years.
This applies to projects that are focused on building a end-to-end experience like applications and other end-user products.

These are the advantages listed in the official npm documentation about package-lock.json files:

• Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
• Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
• Facilitate greater visibility of tree changes through readable source control diffs.
• Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
• As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

Like mentioned, npm v7 comes with a lot of advantages and the [team recommends to commit the file into project repositories][npm-blog-v7_keep_lock]:

• the lockfile has enough information to describe the precise package tree all by itself.
• the lockfile maps the packages to their information by their relative location to the root (instead of their name).
• the npm CLI uses yarn.lock lockfiles if available, as a source of package metadata and resolution guidance when there is missing information, knowing that the package-lock.json is the authoritative definition.
  • yarn.lock lockfiles cannot completely replace npm’s lockfile since the current implementation doesn’t have enough information needed for the complete npm functionality.
• the npm CLI uses a “hidden lockfile“ placed inside the node_module directory that helps to avoid repeated package tree reading.

Another point is that in end-user projects dependencies in package.json files are often pinned instead of using [SemVer range selectors][npm-webapp-semver] like ^ (latest minor-only) or ~ (latest patch only). In such cases a lockfile helps to keep control about transitive dependencies and persist projects states in time.

When to avoid lockfiles

Even though [the Yarn team published a blog post in 2016][yarn-blog-lockfiles] that states to always commit the yarn.lock file, regardless of the project type, this advice was not adopted by every project and some “real-world scenarios“ often showed that this decision was justified. There are [blog posts that summarize when not to use a lockfile][devto-gajus-stop_lockfile] where even [Yarn maintainers reply with comments that claim the opposite][devto-gajus-stop_lockfile-comment-yarn_maintainer], but over the time more and more projects went away from using lockfiles.
One argument is that [lockfiles are important to enure that library contributors in 10 years still know what was the last confirmed set of packages which worked as expected][tw-arcanis-1164229994165559299-comment-19], but this can almost be ignored in a ecosystem like Node that changes almost every day.

Another important point is to mention that the usage of [lockfiles were also a attack surface to inject malicious dependencies][snyk-blog-lockfile]. Due to the large size of lockfiles, it is also often a challenge for project maintainers to review and validate a lockfile in pull requests are so they are often [ignored and blindly trusted][tw-bcrypt-1208950722097598465].

The community is still not of one opinion and I guess this will never change, but [learning about the experience of well-known maintainers][gh-sindresorhus/ama-479#c-310661514] and [popular projects][gh-airbnb/javascript-2409] is often a good way to find the own decision.

In conclusion, the usage of lockfiles in a non-end-user project can be well summarized with [“just postponing the inevitable breakage“][tw-renovatebot-1163789817492230144]:

The full changelog is available in the repository

---

Copyright © 2020-present

0.8.0

Changelog for the collection of template repositories for new projects.

⇅ Show all commits

Improvements

Reduce Dependabot PR noise for NPM package ecosystem — #65 ⇄ #66 (⊶ 32925a1)

↠ To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations have been made:

1. The schedule changed to the monthly interval. This is still enough to keep up with the fast updates in the NPM ecosystem.
2. Only watch production packages (dependencies) and ignore development packages (devDependencies). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really serious, important Dependabot security updates are triggered manually by a security advisor so there is no risk of missing important versions bumps when reducing the schedule interval.

Use the allow option to customize which dependencies are updated. This has no impact on security updates for vulnerable dependencies.

Tasks

Prepared project/repository publication — #59 ⇄ #60 (⊶ 5023833)

↠ Before switching the GitHub repository visibility to “public“ a few adjustments had to be made.
Basically #22 was reverted, taking the changes from #23 into account, so that SVG images like the repository hero are using the URLs for public repositories again instead of the ones that allow to resolve the files in private repositories.

Node.js package dependency version updates — #63

↠ Bumped outdated Node.js package dependencies to their latest versions:

• #63 (⊶ 3528754) prettier from 2.1.2 to 2.2.1 — The the official Prettier 2.2 introduction blog post for more details.

The full changelog is available in the repository

---

Copyright © 2020-present Sven Greb

0.7.0

⇅ Show all commits

Tasks

Updated to latest Node.js package dependency & GitHub Action versions — #54,#55,#56,#57

↠ Bumped outdated Node.js package dependencies & GitHub Actions to their latest versions:

• #54 (⊶ 41e11b9) actions/setup-node from v1 to v2.1.2 — v2 comes with speed and performance improvements by using a dedicated, built-in image cache for Node.js distributions.
• #55 (⊶ d1e3d53) lint-staged from 10.2.11 to 10.5.12
• #56 (⊶ 22652c5) husky from 4.2.5 to 4.3.0
• #57 (⊶ 17378a1) prettier from 2.0.5 to 2.1.2

---

The full changelog ist available here

0.6.0

⇅ Show all commits

Feature

Initial project documentation — #50 ⇄ #51 (⊶ f18bf43)

↠ Wrote the initial project documentation for the README.md file that includes…

1. …an project introduction and motivation.
2. …an overview of the project features.
3. …a listing of available template repositories.
4. …a rough overview of the directory structure.
5. …more detailed sections about all features.
6. …some basic instructions how to use this template repository.
7. …information about how to contribute to this project.

Dependabot: Automated dependency updates and security alerts — #52 ⇄ #53 (⊶ 4816e4e)

↠ In June 2020 Dependabot was natively integrated into GitHub. This allows to use automated dependency updates and security vulnerability alerts.

Created the dependabot.yml file and configured updates for GitHub Actions and Yarn/NPM. The documentation also mentions the need to manually enable or disable Dependabot per repository.

---

The full changelog ist available here

v0.5.0

⇅ Show all commits

Improvements

Use namespace for NPM package name — #48 ⇄ #49 (⊶ 85f0b08)

↠ To prevent collisions with already existing NPM packages like tmpl the NPM package name of this repository has been changed to use the @svengreb namespace prefix.

---

The full changelog is available here

0.4.0

⇅ Show all commits

Improvements

Optimize OS version matrix strategy for CI workflow — #46 ⇄ #47 (⊶ cb77258)

↠ Before the CI workflow used a matrix strategy to run the lint-node job, but this was not necessary for this repository. It has been improved to make the workflow run faster by avoiding unnecessary steps. The lint-node job has been changed to only run on the currently latest stable Node version 14.x only on Linux because this repository is not focused on JavaScript but only runs Node based tools to lint other files within this repository.

This change also helps to keep the required GitHub Action run minutes for the account of this repository as small as possible without wasting resources for unnecessary tasks.

---

The full changelog is available here

0.3.0

Changelog for the collection of repository templates for new projects.

⇅ Show all commits

Improvements

Pin version to v2 for actions/checkout in CI workflow — #44 ⇄ #45 (⊶ 5d2ce0c)

↠ Before actions/checkout was used from the master branch in the ci workflow. This has now ben pinned to the latest version v2 to ensure a stable pipeline.

---

The full changelog is available here

0.2.0

⇅ Show all commits

Features

Git ignore pattern for Yarn and JetBrains products — #39 ⇄ #40 (⊶ 5d2ce0c)

↠ Before there were only ignore pattern for the Node.js node_modules folder, but specific pattern for Yarn were missing.
Because the fantastic JetBrains products like GoLand (or respectively IntelliJ with the official Go plugin) are an integral part of my daily toolbox the pattern have also been added.

Improvements

More fine-grained GitHub Action trigger configuration — #34 ⇄ #35 (⊶ c184ae8)

↠ The CI GitHub Action Workflow used the push setting for the on field in order to trigger the workflow. That was superficial and the workflow ran for every new commit and PR.

To improve this behavior and prevent unnecessary workflow runs the push field of the on field is now configured to only run for the main branch and v* tags while the pull_request field is set without any specific configuration so that it runs for all PRs regardless of the target branch.

Lowercase naming for GitHub Action workflows — #36 ⇄ #37 (⊶ e53fbaf)

↠ Even though it is possible to use uppercase names (including whitespaces) for GitHub Action workflows it is best practice for almost every language to use lowercase names. This prevents problems with parsing as well as errors due to lower- and uppercase mismatches.

One example is the shields.io SVG badge that is used in the README of this repository: The actual workflow is only found when the name matches the exact notation including lower- and uppercase characters
To mitigate such problems the name has been changed to lowercase only.

Maximum line length for Markdown EditorConfig — #41 ⇄ #42 (⊶ 6c1a2ac)

↠ Since Markdown is written as flowing text the globally defined maximum line length of EditorConfig has been disabled to prevent false-positive errors.

Bug Fixes

Fix missing LF EOL definition in Git attributes — #38 ⇄ #43 (⊶ 01d4aee)

↠ The comment for the * text=auto rule in the .gitattributes file documents the usage of LF for EOL, but the actual eol=lf property was missing.

---

The full changelog is available here