v1.83.0 - better mass support for old node versions

-   use `node:` prefix on builtins as our min supported node version supports it
-   consistently order imports
-   base:
    -   for fetching, instead of `master` use `HEAD` (evolutes to the default branch)
    -   if a bevry organisation:
        -   output `SECURITY.md`
        -   add tidelift to `FUNDING.yml` if publishing to npm
-   ci:
    -   remove macos and windows ci tests for now, was causing too much overload with dependabot
    -   update `bevry-actions/npm` version
    -   include automerge into `bevry.yml` as per github recommendation, rather than as its own third party workflow
    -   have dependabot also update github action packages
    -   have dependabot only update on sunday on midnight in perth time (so it doesn't overload @balupton's work schedule)
    -   only allow security dependabot requests, as boundation handles the dep updates, and the dep updates overwhelm github
-   fs:
    -   instead of exec'ing `rm -rf`, use builtin recursive remove now that our min supported node supports it
    -   better handling of poor internet connection and invalid caching
-   git:
    -   correctly name `getGitActiveDefaultBranch` to `getGitActiveBranch`
-   questions/runtime:
    -   **introduced target versions, instead of using supported/test versions, to ensure that `expandNodeVersions`` works correctly**
-   runtime:
    -   update legacy version compat table (needs to be adjusted for semver as coerce isn't available on older semver versions, or rather needs to be dep and node version specific rather than clumped together)
    -   have npm scripts use `rm -rf` instead of `rm -Rf` for greater compat
    -   **if targeting old node versions, have prettier enforce es5 comma mode, otherwise native javascript editions and the editions autoload will break compat**

.github/workflows/bevry.yml

@@ -45,7 +45,7 @@ jobs:
       - run: npm run our:compile
       - run: npm run our:meta
       - name: publish to npm
-        uses: bevry-actions/npm@v1.1.0
+        uses: bevry-actions/npm@v1.1.1
         with:
           npmAuthToken: ${{ secrets.NPM_AUTH_TOKEN }}
           npmBranchTag: ':next'

HISTORY.md

@@ -1,5 +1,33 @@
 # History
 
+## v1.83.0 2023 November 16
+
+-   use `node:` prefix on builtins as our min supported node version supports it
+-   consistently order imports
+-   base:
+    -   for fetching, instead of `master` use `HEAD` (evolutes to the default branch)
+    -   if a bevry organisation:
+        -   output `SECURITY.md`
+        -   add tidelift to `FUNDING.yml` if publishing to npm
+-   ci:
+    -   remove macos and windows ci tests for now, was causing too much overload with dependabot
+    -   update `bevry-actions/npm` version
+    -   include automerge into `bevry.yml` as per github recommendation, rather than as its own third party workflow
+    -   have dependabot also update github action packages
+    -   have dependabot only update on sunday on midnight in perth time (so it doesn't overload @balupton's work schedule)
+    -   only allow security dependabot requests, as boundation handles the dep updates, and the dep updates overwhelm github
+-   fs:
+    -   instead of exec'ing `rm -rf`, use builtin recursive remove now that our min supported node supports it
+    -   better handling of poor internet connection and invalid caching
+-   git:
+    -   correctly name `getGitActiveDefaultBranch` to `getGitActiveBranch`
+-   questions/runtime:
+    -   **introduced target versions, instead of using supported/test versions, to ensure that `expandNodeVersions`` works correctly**
+-   runtime:
+    -   update legacy version compat table (needs to be adjusted for semver as coerce isn't available on older semver versions, or rather needs to be dep and node version specific rather than clumped together)
+    -   have npm scripts use `rm -rf` instead of `rm -Rf` for greater compat
+    -   **if targeting old node versions, have prettier enforce es5 comma mode, otherwise native javascript editions and the editions autoload will break compat**
+
 ## v1.82.1 2023 November 4
 
 -   Better error message when all ESM editions fail

package.json

@@ -1,6 +1,6 @@
 {
   "name": "boundation",
-  "version": "1.82.1",
+  "version": "1.83.0",
   "description": "Automatic scaffolding and upgrading of your JavaScript ecosystem projects using Bevry's best practices",
   "homepage": "https://github.com/bevry/boundation",
   "license": "Artistic-2.0",
@@ -110,7 +110,6 @@
     "inquirer": "^9.2.11",
     "js-yaml": "^4.1.0",
     "safeps": "^10.18.0",
-    "semver": "^7.5.4",
     "typechecker": "^7.18.0",
     "version-compare": "^1.5.0",
     "version-range": "^1.5.0"

source/base.js

@@ -1,8 +1,8 @@
 /* eslint-disable camelcase */
 
 // builtin
-import * as pathUtil from 'path'
-import * as urlUtil from 'url'
+import * as pathUtil from 'node:path'
+import * as urlUtil from 'node:url'
 
 // external
 import Errlop from 'errlop'
@@ -19,7 +19,7 @@ import {
 	unlink,
 	spawn,
 	writeYAML,
-	rmrf,
+	remove,
 } from './fs.js'
 
 export async function download(opts) {
@@ -87,7 +87,7 @@ export async function updateBaseFiles({ answers, packageData }) {
 	].filter((i) => i)
 	if (answers.packageManager !== 'yarn')
 		purgeList.push('./.yarnrc', './.yarnrc.yml', './.yarn/')
-	await rmrf(purgeList.filter((i) => `./${i}`))
+	await remove(purgeList.filter((i) => `./${i}`))
 	status('...removed old files')
 
 	// rename old files
@@ -137,35 +137,35 @@ export async function updateBaseFiles({ answers, packageData }) {
 	status('downloading files...')
 	/** @type {Array<string | Object<string, any>} */
 	const downloads = [
-		'https://raw.githubusercontent.com/bevry/base/master/.editorconfig',
+		'https://raw.githubusercontent.com/bevry/base/HEAD/.editorconfig',
 		{
-			url: 'https://raw.githubusercontent.com/bevry/base/master/.gitignore',
+			url: 'https://raw.githubusercontent.com/bevry/base/HEAD/.gitignore',
 			custom: true,
 		},
 		{
-			url: 'https://raw.githubusercontent.com/bevry/base/master/.prettierignore',
+			url: 'https://raw.githubusercontent.com/bevry/base/HEAD/.prettierignore',
 			custom: true,
 		},
-		'https://raw.githubusercontent.com/bevry/base/master/LICENSE.md',
-		'https://raw.githubusercontent.com/bevry/base/master/CONTRIBUTING.md',
+		'https://raw.githubusercontent.com/bevry/base/HEAD/LICENSE.md',
+		'https://raw.githubusercontent.com/bevry/base/HEAD/CONTRIBUTING.md',
 	]
 	if (answers.type === 'package') {
 		downloads.push({
-			url: 'https://raw.githubusercontent.com/bevry/base/master/HISTORY.md',
+			url: 'https://raw.githubusercontent.com/bevry/base/HEAD/HISTORY.md',
 			overwrite: false,
 		})
 	}
 	if (answers.npm) {
 		downloads.push({
-			url: 'https://raw.githubusercontent.com/bevry/base/master/.npmignore',
+			url: 'https://raw.githubusercontent.com/bevry/base/HEAD/.npmignore',
 			custom: true,
 		})
 	} else {
 		await unlink('.npmignore')
 	}
 	if (answers.flowtype) {
 		downloads.push(
-			'https://raw.githubusercontent.com/bevry/base/master/.flowconfig',
+			'https://raw.githubusercontent.com/bevry/base/HEAD/.flowconfig',
 		)
 	} else {
 		await unlink('.flowconfig')
@@ -203,16 +203,16 @@ export async function updateBaseFiles({ answers, packageData }) {
 		await write(
 			'README.md',
 			[
-				'<!--TITLE -->',
-				'<!--BADGES -->',
-				'<!--DESCRIPTION -->',
+				'<!-- TITLE -->',
+				'<!-- BADGES -->',
+				'<!-- DESCRIPTION -->',
 				'## Usage',
 				answers.docs && newDocumentationLink,
-				'<!--INSTALL -->',
-				'<!--HISTORY -->',
-				'<!--CONTRIBUTE -->',
-				'<!--BACKERS -->',
-				'<!--LICENSE -->',
+				'<!-- INSTALL -->',
+				'<!-- HISTORY -->',
+				'<!-- CONTRIBUTE -->',
+				'<!-- BACKERS -->',
+				'<!-- LICENSE -->',
 			]
 				.filter((i) => i)
 				.join('\n\n'),
@@ -238,7 +238,7 @@ export async function updateBaseFiles({ answers, packageData }) {
 				/\[(Tutorials & Guides|Documentation)\.?\]/g,
 				'[Tutorials & Guides.]',
 			)
-		// insert new documentaiton under usage
+		// insert new documentation under usage
 		if (newDocumentationLink) {
 			content = content.replace('## Usage', function (found) {
 				return found + '\n\n' + newDocumentationLink
@@ -277,8 +277,44 @@ export async function updateBaseFiles({ answers, packageData }) {
 		status('...updated history file')
 	}
 
-	// write the funding file
+	// write bevry specific files
 	if (isBevryOrganisation(answers.organisation)) {
+		// security
+		if (answers.npm) {
+			status('writing security file...')
+			await write(
+				'SECURITY.md',
+				[
+					'# Security Policy',
+					'',
+					'## Security Practices',
+					'',
+					`This project meets standardized secure software development practices, including 2FA for all members, password managers with monitoring, secure secret retrieval instead of storage. [Learn about our practices.](https://tidelift.com/funding/github/npm/${answers.name})`,
+					'',
+					'## Supported Versions',
+					'',
+					`This project uses [Bevry's automated tooling](https://github.com/bevry/boundation) to deliver the latest updates, fixes, and improvements inside the latest release while still maintaining widespread ecosystem compatibility.`,
+					'',
+					`[Refer to supported ecosystem versions: \`Editions\` section in \`README.md\`](https://github.com/${answers.githubSlug}/blob/${answers.defaultBranch}/README.md#Editions)`,
+					'',
+					`[Refer to automated support of ecosystem versions: \`boundation\` entries in \`HISTORY.md\`](https://github.com/${answers.githubSlug}/blob/${answers.defaultBranch}/HISTORY.md)`,
+					'',
+					`Besides testing and verification, out CI also [auto-merges](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [auto-publishes](https://github.com/bevry-actions/npm) successful builds of the [\`${answers.defaultBranch}\` branch](https://github.com/bevry/wait/actions?query=branch%3A${answers.defaultBranch}) to the [\`next\` version tag](https://www.npmjs.com/package/${answers.name}?activeTab=versions), offering immediate resolutions before scheduled maintenance releases.`,
+					'',
+					'## Reporting a Vulnerability',
+					'',
+					`[Report the vulnerability to the project owners.](https://github.com/${answers.githubSlug}/security/advisories)`,
+					'',
+					'[Report the vulnerability to Tidelift.](https://tidelift.com/security)',
+				]
+					.filter((i) => i)
+					.join('\n\n'),
+			)
+			status('...wrote security file')
+		}
+
+		// fuunding
+		// https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
 		await spawn(['mkdir', '-p', '.github'])
 		await write(
 			'.github/FUNDING.yml',
@@ -288,8 +324,11 @@ export async function updateBaseFiles({ answers, packageData }) {
 				'open_collective: bevry',
 				'ko_fi: balupton',
 				'liberapay: bevry',
+				answers.npm ? `tidelift: npm/${answers.name}` : '',
 				"custom: ['https://bevry.me/fund']",
-			].join('\n'),
+			]
+				.filter(Boolean)
+				.join('\n'),
 		)
 	}
 }

source/bin.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // builtin
-import { resolve, join } from 'path'
+import { resolve, join } from 'node:path'
 
 // get root with imports
 import filedirname from 'filedirname'

source/ci.js

@@ -1,10 +1,12 @@
+// external
+import { intersect } from '@bevry/list'
+import { filterNodeVersions } from '@bevry/nodejs-versions'
+
 // local
 import { status, warn } from './log.js'
 import { readYAML, unlink, exists, writeYAML, spawn } from './fs.js'
 import { trimEmpty } from './util.js'
-import { intersect } from '@bevry/list'
 import { allLanguages } from './data.js'
-import { filterNodeVersions } from '@bevry/nodejs-versions'
 
 // github actions no longer supports node versions prior to 16
 // https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
@@ -19,7 +21,7 @@ function generateGitHubActionsJSON(state) {
 
 	// prepare vars
 	const actionsOperatingSystems = answers.npm
-		? ['ubuntu-latest', 'macos-latest', 'windows-latest']
+		? ['ubuntu-latest'] // , 'macos-latest', 'windows-latest']
 		: ['ubuntu-latest']
 	const actionsOperatingSystemsExperimental = intersect(
 		actionsOperatingSystems,
@@ -94,7 +96,7 @@ function generateGitHubActionsJSON(state) {
 	const npmPublishSteps = [
 		{
 			name: 'publish to npm',
-			uses: 'bevry-actions/npm@v1.1.0',
+			uses: 'bevry-actions/npm@v1.1.1',
 			with: {
 				npmAuthToken: '${{ secrets.NPM_AUTH_TOKEN }}',
 				npmBranchTag: answers.npm ? ':next' : null,
@@ -206,6 +208,24 @@ function generateGitHubActionsJSON(state) {
 						],
 				  }
 				: null,
+			automerge: {
+				permissions: {
+					contents: 'write',
+					'pull-requests': 'write',
+				},
+				'runs-on': 'ubuntu-latest',
+				if: "github.actor == 'dependabot[bot]'",
+				steps: [
+					{
+						name: 'Enable auto-merge for Dependabot PRs',
+						run: 'gh pr merge --auto --merge "$PR_URL"',
+						env: {
+							PR_URL: '${{github.event.pull_request.html_url}}',
+							GITHUB_TOKEN: '${{secrets.GITHUB_TOKEN}}',
+						},
+					},
+				],
+			},
 		},
 	})
 }
@@ -219,19 +239,38 @@ export async function updateCI(state) {
 		unlink('.travis.yml'),
 		unlink('.mergify.yml'),
 		unlink('.dependabot/config.yml'),
+		unlink('.github/workflows/automerge.yml'),
 		spawn(['mkdir', '-p', '.github/workflows']),
 	])
 
 	// dependabot v2 file
-	// https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates#enabling-github-dependabot-version-updates
-	// https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#ignore
+	// https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 	await writeYAML('.github/dependabot.yml', {
 		version: 2,
 		updates: [
+			{
+				'package-ecosystem': 'github-actions',
+				directory: '/',
+				schedule: {
+					interval: 'weekly',
+					day: 'sunday',
+					time: '00:00',
+					timezone: 'Australia/Perth',
+				},
+			},
 			{
 				'package-ecosystem': 'npm',
 				directory: '/',
-				schedule: { interval: 'weekly', day: 'sunday' },
+				schedule: {
+					interval: 'weekly',
+					day: 'sunday',
+					time: '00:00',
+					timezone: 'Australia/Perth',
+				},
+				// only allow security updates
+				// this is because of the lag it causes on the bevry org
+				// as well as that github only supports the maintained node.js versions so dependabot could merge a dependency that breaks unmaintained node.js versions that are still supported by our package
+				'open-pull-requests-limit': 0,
 			},
 		],
 	})
@@ -247,28 +286,6 @@ export async function updateCI(state) {
 		)
 	}
 
-	// dependabot automerge
-	// https://github.com/ahmadnassri/action-dependabot-auto-merge
-	await writeYAML('.github/workflows/automerge.yml', {
-		name: 'automerge',
-		on: ['pull_request'],
-		jobs: {
-			automerge: {
-				'runs-on': 'ubuntu-latest',
-				steps: [
-					{ uses: 'actions/checkout@v4' },
-					{
-						uses: 'ahmadnassri/action-dependabot-auto-merge@v2',
-						with: {
-							'github-token':
-								'${{ secrets.DEPENDABOT_AUTOMERGE_GITHUB_TOKEN }}',
-						},
-					},
-				],
-			},
-		},
-	})
-
 	// log
 	status('...customised ci')
 }

source/data.js

@@ -1,5 +1,5 @@
 // builtin
-import { cwd } from 'process'
+import { cwd } from 'node:process'
 
 // external
 import {

source/editions.js

@@ -1,5 +1,5 @@
 // builtin
-import * as pathUtil from 'path'
+import * as pathUtil from 'node:path'
 
 // external
 import { add, has } from '@bevry/list'