@embroider/shared-internals - npm Package Compare versions

Comparing version 2.6.4-unstable.ad1534d to 2.6.4-unstable.f7656a3

package.json

 {
   "name": "@embroider/shared-internals",
-  "version": "2.6.4-unstable.ad1534d",
+  "version": "2.6.4-unstable.f7656a3",
   "private": false,
@@ -5,0 +5,0 @@ "description": "Utilities shared among the other embroider packages",

src/package.js

@@ -17,2 +17,30 @@ "use strict";
 const flatMap_1 = __importDefault(require("lodash/flatMap"));
+// This is controllable via env var because there are many different contexts
+// (babel/rollup/vite/webpack/handlebars plugins) that can all depend on
+// `@embroider/shared-internals` to help understand the structure of packages,
+// and we want one clear way to signal to all of those whether this feature is
+// configured.
+//
+// The initial motivating use case for this is that new-enough ember-source can
+// function as a v2 addon despite not declaring itself to be a v2 addon, because
+// that would be potentially-breaking for people who still consume it via AMD
+// and/or depend on the specific timng of the classic vendor.js file. We don't
+// want to break people but we also want people on the bleeding edge to be able
+// to take advantage of the capability.
+const forcedV2Packages = (() => {
+    let cached;
+    return () => {
+        if (!cached) {
+            if (typeof process !== undefined &&
+                typeof process.env !== undefined &&
+                process.env.EMBROIDER_FORCED_V2_PACKAGES) {
+                cached = process.env.EMBROIDER_FORCED_V2_PACKAGES.split(',');
+            }
+            else {
+                cached = [];
+            }
+        }
+        return cached;
+    };
+})();
 class Package {
@@ -46,2 +74,20 @@ constructor(root, packageCache, isApp) {
         }
+        if (forcedV2Packages().includes(json.name)) {
+            let defaults;
+            if (this.isApp) {
+                defaults = {
+                    version: 2,
+                    type: 'app',
+                    assets: [],
+                    'root-url': '/',
+                };
+            }
+            else {
+                defaults = {
+                    version: 2,
+                    type: 'addon',
+                };
+            }
+            json['ember-addon'] = Object.assign(defaults, json['ember-addon']);
+        }
         return json;
@@ -48,0 +94,0 @@ }

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 2 instances in 1 package

Improved metrics

Total package byte prevSize

165969

increased by2.74%

Lines of code

1643

increased by2.88%

Worsened metrics

Number of low supply chain risk alerts

15

increased by25%

No dependency changes