Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,9 @@ jobs:
- uses: actions/checkout@v3

- name: Setup Bun
uses: oven-sh/setup-bun@v1
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0

- name: Install dependencies
run: bun install
Expand Down
36 changes: 34 additions & 2 deletions .github/workflows/pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,9 @@ jobs:
- uses: actions/checkout@v3

- name: Setup Bun
uses: oven-sh/setup-bun@v1
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0

- name: Install dependencies
run: bun install
Expand All @@ -29,6 +31,34 @@ jobs:
- name: Build
run: bun run build

npm-install:
name: Validate npm Install Path
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '22'

- name: Setup npm
run: npm install -g npm@11.10.0

- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0

- name: Install dependencies with npm
run: npm ci
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Run tests through npm
run: npm test

size:
name: Check Bundle Size
runs-on: ubuntu-latest
Expand All @@ -41,7 +71,9 @@ jobs:
node-version: '18'

- name: Setup Bun
uses: oven-sh/setup-bun@v1
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0

- name: Install dependencies
run: bun install
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Bun
uses: oven-sh/setup-bun@v1
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0

- name: Install dependencies
run: bun install
Expand Down
2 changes: 2 additions & 0 deletions .npmrc
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
save-exact=true
min-release-age=7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Replace unsupported npm release-age config

The new .npmrc key min-release-age is not a valid npm project config, so npm installs will not enforce the intended 7-day package-age gate. In this repo I verified with npm 11.4.2 (npm config ls -l) that npm emits Unknown project config "min-release-age", which means the security/hygiene policy described in README is silently ineffective for anyone using npm install.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 min-release-age requires npm ≥ 11.10.0

min-release-age was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the engines field in package.json documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.

Prompt To Fix With AI
This is a comment left during a code review.
Path: .npmrc
Line: 2

Comment:
**`min-release-age` requires npm ≥ 11.10.0**

`min-release-age` was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the `engines` field in `package.json` documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.

How can I resolve this? If you propose a fix, please make it concise.

10 changes: 10 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,15 @@
# Changelog

## 1.0.9 - 2026-05-22

### Changed
- Removed the unused Jest dev toolchain in favor of the existing Bun test runner, eliminating deprecated dev-only transitive packages.
- Pinned development dependency versions and added Bun/npm install guardrails for exact installs with a 7-day release age gate.
- Refreshed Bun and npm lockfiles for the production npm release.

### Notes
- No runtime SDK source, public exports, request behavior, or package runtime dependencies changed.

## 1.0.5 - 2026-02-25

### Added
Expand Down
27 changes: 20 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,11 @@ Get started with our [📚 integration guides](https://docs.bentonow.com), or [

## Requirements

The Bento Node.js SDK requires Node.js version 12 or later.
The Bento Node.js SDK requires Node.js version 18 or later.

Contributors also need Bun 1.3 or later for installs, tests, and builds. npm can
be used for dependency installation, but the npm release-age gate requires npm
11.10 or later.

Bento Account for a valid **SITE_UUID**, **BENTO_PUBLISHABLE_KEY** & **BENTO_SECRET_KEY**.

Expand Down Expand Up @@ -70,7 +74,7 @@ bun install
bun test

# Run tests with coverage
bun test:coverage
bun run test:coverage

# Build the package
bun run build
Expand All @@ -82,20 +86,22 @@ bun run lint
bun run format
```

### Using npm
### Using npm for dependency install

npm can install dependencies, but tests and builds still run through Bun.

```bash
# Install dependencies
npm install

# Run tests
npm run test:npm
# Tests and builds still run through Bun
npm test

# Run tests with coverage
npm run test:coverage:npm
npm run test:coverage

# Build the package
npm run build:npm
npm run build

# Lint code
npm run lint
Expand All @@ -104,6 +110,13 @@ npm run lint
npm run format
```

### Dependency hygiene

Development dependencies are pinned to exact versions. Bun installs also use a
7-day minimum release age gate via `bunfig.toml`. npm installs use the same
policy via `.npmrc` when run with npm 11.10 or later; older npm versions ignore
that setting.

### Integration

Initialize the Bento client and start tracking events:
Expand Down
Binary file modified bun.lockb
Binary file not shown.
3 changes: 3 additions & 0 deletions bunfig.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,6 @@ coverage = true
[install]
registry = "https://registry.npmjs.org/"
scope = "@bentonow"
exact = true
minimumReleaseAge = 604800
auto = "disable"
17 changes: 0 additions & 17 deletions jest.config.cjs

This file was deleted.

Loading
Loading