Publishing & Versioning
Monorepo tooling
- npm workspaces for the monorepo (
"workspaces"in rootpackage.json) - tsup to build each package to both ESM (
dist/index.js) and CJS (dist/index.cjs) with generated.d.tsfiles - The
exportsmap in eachpackage.jsonroutesimport/requireto the right file
Versioning with Changesets
Install and initialize:
bash
npm install -D @changesets/cli
npx changeset initWorkflow
- After making a change, run
npx changeset— it asks which packages changed and whether it's a patch/minor/major bump, and writes a small markdown file describing the change. - Merge that alongside your PR.
- A CI job (or you, locally) runs
npx changeset version— this bumps every affected package'spackage.json, updates their changelogs, and bumps dependent packages' version ranges to real version numbers. npm publish --workspacesornpx changeset publishpublishes everything that changed to npm in the correct dependency order.
Semantic versioning discipline
@nodalite/core— any public API signature change is a major bump, always. This is the package everything depends on.- Adapters — can iterate faster, but breaking
serve()orcreateLambdaHandler()signatures is still major. - Be honest — resist under-bumping to avoid a major version number. Consumers pinning
^ranges will get broken installs.
CI/CD (GitHub Actions)
yaml
name: CI
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with: { node-version: 22, cache: npm }
- run: npm ci
- run: npm run typecheck --workspaces --if-present
- run: npm test
- run: npm run build --workspaces --if-present
release:
needs: test
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with: { node-version: 22, cache: npm }
- run: npm ci
- uses: changesets/action@v1
with:
publish: npm run release
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Security auditing
npm auditor Dependabot for known-vulnerable dependencies@nodalite/core's zero-dependency policy keeps its supply-chain attack surface minimal by construction- Run
npm pack --dry-runin each package before publishing to verify onlydist/files ship to consumers