Merge pull request #1161 from xeroxinteractive/AL-pnpm-vulnerability

Move to pnpm and fix vulnerabilities

.github/labels.yml

@@ -1,34 +1,35 @@
-# Xerox standard labels
-- name: approved
-  description: approved and ready to merge
+# States a PR can be in (Changes over the lifecylce of the PR)
+- name: 'state: approved'
+  description: PR is approved and ready to merge
   color: 76fc16
-- name: needs review
-  description: needs reviewing
+- name: 'state: needs review'
+  description: PR needs reviewing
   color: 0052cc
-- name: bug
-  description: fixes a bug and should be reviewed ASAP
-  color: b54f0b
-- name: cron
-  description: generated by a CI cron job
-  color: 226e7f
-- name: work in progress
+- name: 'state: work in progress'
   description: being worked on
   color: edcd39
-- name: discussion
-  description: being discussed
-  color: a2d3f9
-- name: blocked
+- name: 'state: released'
+  description: PR has been released
+  color: 84f5f3
+- name: 'state: blocked'
   description: blocked by some external factor
   color: 780505
-- name: security
+
+# Types of PR (Should not change over lifecycle of the PR)
+- name: 'type: bug'
+  description: fixes a bug and should be reviewed ASAP
+  color: b54f0b
+- name: 'type: cron'
+  description: generated by a CI cron job
+  color: 226e7f
+- name: 'type: security'
   description: addresses a security vulnerability
   color: ff0000
-- name: good first issue
-  description: good issue for people new to the project
-  color: 7057ff
-- name: enhancement
+- name: 'type: enhancement'
   description: adds a new feature or improves on an existing one
   color: ad12cc
+
+# Semver change type
 - name: 'change: major'
   description: A major breaking change
   color: fcf3b8
@@ -56,6 +57,15 @@
 - name: 'change: chore'
   description: Changes around build process
   color: 696969
-- name: 'release'
-  description: Create a release when this pr is merged
-  color: 067314
+
+- name: 'release: skip'
+  description: Skips the release step when this pr is merged
+  color: f08df7
+
+# Other labels
+- name: 'good first issue'
+  description: good issue for people new to the project
+  color: 7057ff
+- name: discussion
+  description: being discussed
+  color: a2d3f9

.github/workflows/publish.yml

@@ -12,17 +12,21 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x, 16.x]
+        node-version: [16.x, 18.x]
 
     steps:
       - uses: actions/checkout@v3
+      - uses: pnpm/action-setup@v2
+        with:
+          version: 7
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: bahmutov/npm-install@v1
-      - run: yarn lint
-      - run: yarn test
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm run lint
+      - run: pnpm run test
 
   release:
     needs: test
@@ -34,13 +38,15 @@ jobs:
           ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
       - name: Prepare repository
         run: git fetch --unshallow --tags
+      - uses: pnpm/action-setup@v2
+        with:
+          version: 7
       - uses: actions/setup-node@v3
         with:
-          node-version: 14
-      - uses: bahmutov/npm-install@v1
-      - name: Deploy
-        run: |
-          yarn deploy
+          node-version: 18
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm run deploy
         env:
           NPM_TOKEN: ${{secrets.NPM_TOKEN}}
           SLACK_WEBHOOK_URL: ${{secrets.NPM_SLACK_WEBHOOK}}

.github/workflows/test.yml

@@ -12,15 +12,18 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x, 16.x, 18.x]
+        node-version: [16.x, 18.x]
 
     steps:
       - uses: actions/checkout@v3
+      - uses: pnpm/action-setup@v2
+        with:
+          version: 7
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: bahmutov/npm-install@v1
-      - run: yarn install
-      - run: yarn lint
-      - run: yarn test
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm run lint
+      - run: pnpm run test

.npmrc

@@ -1 +1,2 @@
-save-exact=true
+save-exact=true
+auto-install-peers=true

.nvmrc

@@ -1 +1 @@
-16
+18

README.md

@@ -5,12 +5,10 @@
 [![ci status][ci-badge]][ci-link]
 [![license MIT][license-badge]][license]
 [![auto][auto-badge]][auto-link]
-[![commit style angular][commit-style-badge]][commit-style-link]
 
 Holds the source code for the Xerox shareable configurations. Each used to be their own repo, but it took a lot of maintenance to update the same things in n seperate repos. The monorepo provides centralised dependencies, linting, testing and deployment.
 
 ## Configurations
-* [@xerox/commitlint-config][package-commitlint] Commit message linting with angular style and extended length.
 * [@xerox/eslint-config][package-eslint] 3 eslint configurations for Javascript, React and TypeScript.
 * [@xerox/prettier-config][package-prettier] Xerox code formatting styles.
 * [@xerox/semantic-release-config][package-semantic-release] Publishing/deployment process configuration.
@@ -21,7 +19,6 @@ Holds the source code for the Xerox shareable configurations. Each used to be th
 
 [LICENSE][license]
 
-[package-commitlint]: ./packages/xerox-commitlint-config
 [package-eslint]: ./packages/xerox-eslint-config
 [package-prettier]: ./packages/xerox-prettier-config
 [package-semantic-release]: ./packages/xerox-semantic-release-config
@@ -30,13 +27,10 @@ Holds the source code for the Xerox shareable configurations. Each used to be th
 
 [license]: ./LICENSE
 
-[ci-badge]: https://img.shields.io/github/workflow/status/xeroxinteractive/config/Publish?logo=github&style=flat-square
+[ci-badge]: https://img.shields.io/github/actions/workflow/status/xeroxinteractive/config/publish.yml?logo=github&style=flat-square&branch=release
 [ci-link]: https://github.com/xeroxinteractive/config/actions?query=branch%3Arelease
 
 [license-badge]: https://img.shields.io/badge/license-MIT-yellow?style=flat-square
 
-[commit-style-badge]: https://img.shields.io/badge/commit%20style-angular-blueviolet?style=flat-square
-[commit-style-link]: https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#-git-commit-guidelines
-
 [auto-badge]: https://img.shields.io/badge/release-auto.svg?style=flat-square&color=9B065A&label=auto&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAACzElEQVR4AYXBW2iVBQAA4O+/nLlLO9NM7JSXasko2ASZMaKyhRKEDH2ohxHVWy6EiIiiLOgiZG9CtdgG0VNQoJEXRogVgZYylI1skiKVITPTTtnv3M7+v8UvnG3M+r7APLIRxStn69qzqeBBrMYyBDiL4SD0VeFmRwtrkrI5IjP0F7rjzrSjvbTqwubiLZffySrhRrSghBJa8EBYY0NyLJt8bDBOtzbEY72TldQ1kRm6otana8JK3/kzN/3V/NBPU6HsNnNlZAz/ukOalb0RBJKeQnykd7LiX5Fp/YXuQlfUuhXbg8Di5GL9jbXFq/tLa86PpxPhAPrwCYaiorS8L/uuPJh1hZFbcR8mewrx0d7JShr3F7pNW4vX0GRakKWVk7taDq7uPvFWw8YkMcPVb+vfvfRZ1i7zqFwjtmFouL72y6C/0L0Ie3GvaQXRyYVB3YZNE32/+A/D9bVLcRB3yw3hkRCdaDUtFl6Ykr20aaLvKoqIXUdbMj6GFzAmdxfWx9iIRrkDr1f27cFONGMUo/gRI/jNbIMYxJOoR1cY0OGaVPb5z9mlKbyJP/EsdmIXvsFmM7Ql42nEblX3xI1BbYbTkXCqRnxUbgzPo4T7sQBNeBG7zbAiDI8nWfZDhQWYCG4PFr+HMBQ6l5VPJybeRyJXwsdYJ/cRnlJV0yB4ZlUYtFQIkMZnst8fRrPcKezHCblz2IInMIkPzbbyb9mW42nWInc2xmE0y61AJ06oGsXL5rcOK1UdCbEXiVwNXsEy/6+EbaiVG8eeEAfxvaoSBnCH61uOD7BS1Ul8ESHBKWxCrdyd6EYNKihgEVrwOAbQruoytuBYIFfAc3gVN6iawhjKyNCEpYhVJXgbOzARyaU4hCtYizq5EI1YgiUoIlT1B7ZjByqmRWYbwtdYjoWoN7+LOIQefIqKawLzK6ID69GGpQgwhhEcwGGUzfEPAiPqsCXadFsAAAAASUVORK5CYII=
 [auto-link]: https://github.com/intuit/auto

__tests__/audit.test.js

@@ -9,7 +9,5 @@ test('packages do not have vunerabilities', () => {
   return expect({
     level: 'moderate',
     dependencyType: 'dependencies',
-  }).toPassPackageAudit({
-    allow: ['minimist'],
-  });
+  }).toPassPackageAudit();
 });

auto.config.js

@@ -0,0 +1,77 @@
+const labels = [
+  {
+    name: 'change: major',
+    changelogTitle: 'Breaking Change',
+    description: 'A major breaking change',
+    releaseType: 'major',
+  },
+  {
+    name: 'change: feature',
+    changelogTitle: 'Feature',
+    description: 'Adds a new feature or improves on an existing one',
+    releaseType: 'minor',
+  },
+  {
+    name: 'change: fix',
+    changelogTitle: 'Fix',
+    description: 'Fixes a bug',
+    releaseType: 'patch',
+  },
+  {
+    name: 'change: documentation',
+    changelogTitle: 'Documentation',
+    description: 'Changes only affect the documentation',
+    releaseType: 'patch',
+  },
+  {
+    name: 'change: refactor',
+    changelogTitle: 'Refactor',
+    description: 'Changes that introduce no new features or fixes',
+    releaseType: 'patch',
+  },
+  {
+    name: 'change: performance',
+    changelogTitle: 'Performance',
+    description: 'Improve performance of an existing feature',
+    releaseType: 'patch',
+  },
+  {
+    name: 'change: dependencies',
+    changelogTitle: 'Dependencies',
+    description: 'Updates to dependencies only',
+    releaseType: 'patch',
+  },
+  {
+    name: 'change: chore',
+    changelogTitle: 'Chore',
+    description: 'Changes around build process',
+    releaseType: 'none',
+  },
+  {
+    name: 'change: tests',
+    changelogTitle: 'Tests',
+    description: 'Add or improve existing tests',
+    releaseType: 'none',
+  },
+  {
+    name: 'release: skip',
+    description: 'Skips the release step when this pr is merged',
+    releaseType: 'skip',
+  },
+  {
+    name: 'state: released',
+    description: 'PR has been released',
+    releaseType: 'release',
+  },
+];
+
+/**
+ * @type {import('auto').AutoRc}
+ */
+module.exports = {
+  baseBranch: 'release',
+  plugins: ['npm', 'slack', 'released'],
+  noDefaultLabels: true,
+  labels,
+  prereleaseBranches: ['next'],
+};

fixtures/eslint-javascript/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "eslint-javascript",
+  "devDependencies": {
+    "@xerox/eslint-config": "workspace:*"
+  },
+  "private": true
+}

fixtures/eslint-react/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "eslint-react",
+  "dependencies": {
+    "react": "18.1.0"
+  },
+  "devDependencies": {
+    "@xerox/eslint-config": "workspace:*"
+  },
+  "private": true
+}

fixtures/eslint-typescript/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "eslint-typescript",
+  "devDependencies": {
+    "@types/node": "18.11.18",
+    "@xerox/eslint-config": "workspace:*",
+    "typescript": "4.9.4"
+  },
+  "private": true
+}

fixtures/eslint-typescriptreact/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "eslint-typescriptreact",
+  "dependencies": {
+    "react": "18.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "18.11.18",
+    "@types/react": "18.0.26",
+    "@xerox/eslint-config": "workspace:*",
+    "typescript": "4.9.4"
+  },
+  "private": true
+}

lerna.json

@@ -1,7 +1,6 @@
 {
-  "packages": ["packages/*"],
   "version": "independent",
-  "npmClient": "yarn",
+  "npmClient": "pnpm",
   "useWorkspaces": true,
   "command": {
     "publish": {