chore: Port consistency tweaks from main (#414)

csandman · claude · web-flow · commit 5ee33138fab7 · 2026-05-16T00:36:39.000-04:00
* chore: Port consistency tweaks from main Bundle of small, mechanical changes already shipped on main that apply cleanly to v5: CI workflows: - Bump Node 22 → 24 on lint, pkg-pr, package-size-report jobs (publish was already on 24 for OIDC). - Name previously-anonymous workflow steps for clearer logs. - Drop quotes around `cache: pnpm` for consistency with other workflow inputs. - Rename zizmor-scan.yml → zizmor.yml. publish.yml hardening: - Quote shell variables ("$TAG_NAME", "$GITHUB_OUTPUT", "$TARBALL") against IFS / glob expansion surprises. - Move the `env:` block above `run:` to match the convention on other steps. Dep-script protection: - Drop .npmrc (`ignore-scripts=true`). pnpm's `allowBuilds` whitelist in pnpm-workspace.yaml already gates dependency install scripts with finer granularity; the publish workflow passes --ignore-scripts to `pnpm install` explicitly for the high-stakes path. Removing the blanket flag lets husky's `prepare` script run automatically on fresh installs. - Update CONTRIBUTING.md to reflect the model change. - Drop the now-obsolete `.npmrc` → `ini` files.associations entry from .vscode/settings.json; add `typescript.tsdk` so VS Code picks up the workspace TS version. Lint-staged: - Move config from package.json to .lintstagedrc.mjs. - Add an `*.mjs` override to .oxlintrc.json so the new config file doesn't trip nodejs-modules / unsafe-* rules. Docs: - Add SECURITY.md describing the support window and the GitHub Security Advisories reporting path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(publish): Pack tarball with --ignore-scripts Without .npmrc's ignore-scripts=true, `npm pack` runs the project's own `prepare` script (husky), which dumps lifecycle output to stdout. TARBALL=$(npm pack) captures that output alongside the tarball filename, producing a multi-line value that breaks $GITHUB_OUTPUT's key=value\n format and fails the build job. pnpm's `allowBuilds` whitelist only gates *dependency* install scripts; it doesn't suppress the project's own scripts during `npm pack`. Adding --ignore-scripts to the pack invocation restores clean stdout. Husky's `prepare` doesn't need to run during CI pack — git hooks aren't relevant in the ephemeral runner. Same fix as #416 on main; included here so the v5 publish flow doesn't regress when .npmrc is dropped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(actions): Bump upload-artifact v4 → v7 for Node 24 v4.6.2 runs on Node 20, which GitHub deprecated in their September 2025 changelog. Workflow runs now emit a warning; Node 20 actions will be force-upgraded to Node 24 by default on 2026-06-02 and removed entirely on 2026-09-16. v7.0.1 runs on Node 24 and is otherwise drop-in for our usage (simple name + path inputs, no merging or advanced features). Same change as on main; included here so v5 doesn't carry the deprecation warning forward. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -14,18 +14,19 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - name: Use Node.js 22
+      - name: Use Node.js 24
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
-          cache: "pnpm"
+          node-version: 24
+          cache: pnpm
 
       - name: Install Dependencies
         run: pnpm install
diff --git a/.github/workflows/package-size-report.yml b/.github/workflows/package-size-report.yml
@@ -24,8 +24,8 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
-          cache: "pnpm"
+          node-version: 24
+          cache: pnpm
 
       - name: Install dependencies
         run: pnpm install
diff --git a/.github/workflows/pkg-pr.yml b/.github/workflows/pkg-pr.yml
@@ -24,15 +24,17 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - name: Use Node.js 24
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
-          cache: "pnpm"
+          node-version: 24
+          cache: pnpm
 
       - name: Install dependencies
         run: pnpm install
 
       - name: Build
         run: pnpm build
 
-      - run: pnpm dlx pkg-pr-new publish --compact --template './demo'
+      - name: Publish preview release
+        run: pnpm dlx pkg-pr-new publish --compact --template './demo'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -70,18 +70,18 @@ jobs:
         run: pnpm build
 
       - name: Align package.json version with release tag
-        run: npm version $TAG_NAME --git-tag-version=false --allow-same-version
         env:
           TAG_NAME: ${{ github.ref_name }}
+        run: npm version "$TAG_NAME" --git-tag-version=false --allow-same-version
 
       - name: Pack tarball
         id: pack
         run: |
-          TARBALL=$(npm pack)
-          echo "tarball=$TARBALL" >> $GITHUB_OUTPUT
+          TARBALL=$(npm pack --ignore-scripts)
+          echo "tarball=$TARBALL" >> "$GITHUB_OUTPUT"
 
       - name: Upload tarball artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: tarball
           path: ${{ steps.pack.outputs.tarball }}
@@ -109,4 +109,4 @@ jobs:
           registry-url: "https://registry.npmjs.org"
 
       - name: Publish to npm
-        run: npm publish --provenance --access public --tag chakra2 $TARBALL
+        run: npm publish --provenance --access public --tag chakra2 "$TARBALL"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
diff --git a/.lintstagedrc.mjs b/.lintstagedrc.mjs
@@ -0,0 +1,9 @@
+const config = {
+  "demo/**/*.{js,jsx,ts,tsx}":
+    "oxlint -c demo/.oxlintrc.json --disable-nested-config --fix",
+  "!(demo|codemod)/**/*.{js,jsx,ts,tsx}":
+    "oxlint -c .oxlintrc.json --disable-nested-config --fix",
+  "*": "oxfmt",
+};
+
+export default config;
diff --git a/.npmrc b/.npmrc
diff --git a/.oxlintrc.json b/.oxlintrc.json
@@ -124,5 +124,15 @@
     "sort-keys": "off",
     "unicorn/no-null": "off"
   },
-  "overrides": []
+  "overrides": [
+    {
+      "files": ["*.mjs"],
+      "rules": {
+        "import/no-nodejs-modules": "off",
+        "@typescript-eslint/no-unsafe-argument": "off",
+        "@typescript-eslint/no-unsafe-call": "off",
+        "@typescript-eslint/no-unsafe-return": "off"
+      }
+    }
+  ]
 }
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,9 +1,7 @@
 {
+  "typescript.tsdk": "node_modules/typescript/lib",
   "editor.defaultFormatter": "oxc.oxc-vscode",
   "editor.formatOnSave": true,
-  "files.associations": {
-    ".npmrc": "ini"
-  },
   "[json]": {
     "editor.defaultFormatter": "oxc.oxc-vscode"
   },
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -5,10 +5,10 @@ welcome, from issue reports to PRs and documentation / write-ups.
 
 Before you open a PR:
 
-- In development, run `pnpm install` to setup the dependencies for the
-  core package and the demo. On a fresh clone, also run `pnpm prepare` once
-  to install the git hooks (lifecycle scripts are disabled via `.npmrc` for
-  supply-chain safety, so husky doesn't auto-install).
+- In development, run `pnpm install` to setup the dependencies for the core
+  package and the demo. Dependency install scripts are gated by pnpm's
+  [`allowBuilds`](./pnpm-workspace.yaml) whitelist for supply-chain safety;
+  husky's `prepare` script runs automatically on install.
 - Run `pnpm dev` to build (and watch) the package source, as well as run the
   demo project which can be viewed at http://localhost:5152.
 - Please ensure all the examples work correctly after your change.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,48 @@
+# Security Policy
+
+## Supported Versions
+
+`chakra-react-select` major versions track the major version of its peer
+dependency, [`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). The
+two most recent majors receive security fixes; earlier majors are no longer
+maintained.
+
+| Version | Chakra UI peer | Supported          |
+| ------- | -------------- | ------------------ |
+| 6.x     | 3.x            | :white_check_mark: |
+| 5.x     | 2.x            | :white_check_mark: |
+| 4.x     | 2.x            | :x:                |
+| < 4     | 1.x            | :x:                |
+
+If you need a fix on an older line, please open a discussion describing the
+constraint that prevents upgrading.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+discussions, or pull requests.**
+
+Report privately via
+[GitHub Security Advisories](https://github.com/csandman/chakra-react-select/security/advisories/new).
+
+Include as much of the following as you can:
+
+- Affected version(s) of `chakra-react-select`
+- A description of the issue and its impact
+- Steps to reproduce, ideally with a minimal repro
+- Any known mitigations or workarounds
+
+You can expect an initial acknowledgement within a few days. Once the report
+is triaged, we'll keep you updated as a fix is developed and coordinate a
+disclosure timeline with you before publishing the advisory and patched
+release.
+
+### Out of scope
+
+This package is a thin wrapper around
+[`react-select`](https://github.com/JedWatson/react-select) styled with
+[`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). Issues that
+originate in those upstream projects should be reported to them directly:
+
+- react-select — https://github.com/JedWatson/react-select/security
+- Chakra UI — https://github.com/chakra-ui/chakra-ui/security
diff --git a/package.json b/package.json
@@ -88,10 +88,5 @@
     "react": ">=18",
     "react-dom": ">=18"
   },
-  "lint-staged": {
-    "demo/**/*.{js,jsx,ts,tsx}": "oxlint -c demo/.oxlintrc.json --disable-nested-config --fix",
-    "!(demo|codemod)/**/*.{js,jsx,ts,tsx}": "oxlint -c .oxlintrc.json --disable-nested-config --fix",
-    "*": "oxfmt"
-  },
   "packageManager": "pnpm@11.1.1+sha512.d1fdf5f73c617b64fa1a56a81c3c8dfe0e966e33a6010aa256b517ae77be21d93e05affc0de1a83b0e4f29d569f68b446ae8f068cd7247c0bb3df0fb4d7bdf9a"
 }
