Skip to content

Add TypeScript declaration bundle output#635

Open
dicnunz wants to merge 2 commits into
egoist:masterfrom
dicnunz:issue-183-dts-bundles
Open

Add TypeScript declaration bundle output#635
dicnunz wants to merge 2 commits into
egoist:masterfrom
dicnunz:issue-183-dts-bundles

Conversation

@dicnunz

@dicnunz dicnunz commented May 9, 2026

Copy link
Copy Markdown

Fixes #183.

IssueHunt bounty: https://issuehunt.io/repos/64843649/issues/183 ()

What changed

  • Adds output.dts and --dts [fileName] for TypeScript declaration bundling.
  • Emits declarations for the TypeScript entry and bundles them with rollup-plugin-dts.
  • Removes intermediate emitted declaration files so the output keeps one .d.ts bundle.
  • Documents the new option and adds a fixture test for a declaration that imports another module.

Tested

  • yarn install --frozen-lockfile (passes; optional fsevents native build warning on local Node 25 is ignored by Yarn)
  • yarn test:unit --runInBand
  • yarn types
  • yarn build
  • node lib/cli index.ts --root-dir test/fixtures/declaration-bundle --out-dir test/fixtures/declaration-bundle/cli-dist --dts --quiet
  • git diff --check

IssueHunt Summary

Referenced issues

This pull request has been submitted to:


@vercel

vercel Bot commented May 9, 2026

Copy link
Copy Markdown

@dicnunz is attempting to deploy a commit to the EGOIST's projects Team on Vercel.

A member of the Team first needs to authorize it.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@dicnunz

dicnunz commented May 13, 2026

Copy link
Copy Markdown
Author

Follow-up pushed in aa9a116 after revalidation: the dts bundle test could complete locally, but it needed more than Jest's 5s default and was timing out before its snapshot assertion settled. The test now has a scoped 20s timeout.

Revalidated locally on May 13, 2026:

  • yarn test:unit --runInBand
  • yarn types
  • yarn build
  • node lib/cli index.ts --root-dir test/fixtures/declaration-bundle --out-dir test/fixtures/declaration-bundle/cli-dist --dts --quiet
  • yarn prettier --check test/index.test.ts
  • git diff --check HEAD~1 HEAD

The remaining failed Vercel status is the team authorization gate shown in the Vercel comment, not a local test/build failure on this branch.

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 2.5.4

From: ?npm/form-data@2.3.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm json-schema is vulnerable to Prototype Pollution

CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL)

Affected versions: < 0.4.0

Patched version: 0.4.0

From: ?npm/json-schema@0.2.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

*.d.ts bundles

1 participant