chore: modernize build tooling #6093

Draft
qw-in wants to merge 49 commits into main from quinn/arcjet-js-modernize

Conversation

qw-in commented Jun 20, 2026

Member
  1. Unify arcjet-guard into shared workspace
  2. Port from rollup to tsdown
  3. Port from typescript 5 to 6 & tsgo
  4. Port from eslint to oxlint & oxfmt

Advice to reviewers:

Focus on package.json, tsconfig, and tsdown config changes. The rest of the diff is mostly just noise. Specifically:

  1. The GitHub actions changes
  2. The wasm-specific handling (from the old rollup config). For instance in analyze-wasm/wasm-plugins.js
  3. The tsdown config (all very similar for instance analyze/tsdown.config.ts)
  4. The package.json changes (sorted by oxlint but specifically the exports & main fields - for instance in analyze/package.json)

The individual commits (before the last few) are fairly clean and may help!

qw-in and others added 30 commits June 19, 2026 17:48
Replace the Rollup-based build with tsdown:

- Move source to `src/` and emit to `dist/` (was flat at package root).
- Add an `exports` map (`.` + `./package.json`); point `main`/`types` at
  `dist/` and ship only `dist/` via `files`.
- Add `tsdown.config.ts` (esm, `platform: neutral`, `unbundle`, `dts`).
- Drop Rollup/ESLint tooling deps (`@arcjet/rollup-config`,
  `@arcjet/eslint-config`, `@bytecodealliance/jco`, `@rollup/wasm-node`,
  `eslint`); add `tsdown`.
- Run tests against the built output via package self-reference; tests now
  run directly on `.ts`.

Non-breaking: exported API is identical to the published 1.5.0 `.d.ts`
(11 symbols, identical signatures); `npm pack` ships the same files
relocated under `dist/`; publint passes and attw resolution matches the
currently-published package.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…verBundle

Aligns @arcjet/analyze with the shared tsdown config used across the SDK.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the Rollup build with tsdown: sources moved to `src/`, output to
`dist/`, an `exports` map added with `main`/`types` pointing at `dist/`,
`tsdown.config.ts` added, and the Rollup/ESLint tooling devDependencies
dropped. Tests run directly on `.ts` against the built `dist/` output.
Non-breaking: identical public entry points and conditions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
qw-in and others added 13 commits June 19, 2026 17:48
Replace the Rollup build with tsdown (src/ -> dist/, exports map, tsdown.config).
Preserves the `./cloudflare` subpath (both extensionless and `.js` forms) so
existing `@arcjet/ip/cloudflare` imports keep resolving. Tests run on .ts
against dist. Non-breaking.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the Rollup build with tsdown. Preserve the `./client`, `./convert` and
`./well-known-bots` subpaths (both extensionless and `.js` forms) used by
consumers. The generated Protobuf code under `proto/` is shipped verbatim: its
relative imports are kept external and the directory is copied into `dist/` so
every generated export survives without tree shaking. Tests run on .ts against
dist. Non-breaking.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the Rollup build with tsdown while preserving the WebAssembly
Component Model (jco) packaging: the proven `base64-wasm` and
`externalize-wasm` plugins are ported into `wasm-plugins.js`, the `jco
transpile` pre-step is retained, and the externalized core `.wasm` binaries
are copied into `dist/wasm/` so the edge-light and workerd conditions resolve.
The default entry still inlines wasm as a base64 data URL. Verified executing
real wasm on Node and Cloudflare workerd. Non-breaking: same edge-light/workerd/
default conditions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Every package swapped its Rollup/ESLint build tooling for tsdown.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@arcjet/guard was the last package outside the npm workspace, on its own
lockfile and a raw rolldown build. Bring it in line with the rest of the SDK:

- Replace the rolldown build (rolldown + rolldown-plugin-dts) with tsdown,
  matching the shared config (esm, platform neutral, deps.neverBundle, unbundle,
  dts). The generated Protobuf `proto/` is shipped verbatim (externalized +
  copied) like @arcjet/protocol.
- Drop the workspace exclusion (`"!arcjet-guard"`) and delete its standalone
  package-lock.json; guard now resolves through the root lockfile.
- Fold publishing into the normal Level 3 step (it depends on @arcjet/analyze)
  and remove the separate guard publish job.

Keeps guard's stricter toolchain (tsgo typecheck, oxlint, oxfmt) and its
runtime test matrix (guard.yml). Verified: build, tsgo typecheck, oxlint, and
263 unit tests all pass; full workspace build 34/34 and test 36/36 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both were internal build tooling now obsolete after the tsdown migration: no
package depends on them and nothing in the workspace uses them. Remove the
packages, drop them from the publish workflow, delete a leftover
arcjet-nest/rollup.config.mjs, and clean up the now-stale `@rollup/plugin-typescript`
note in tsconfig.base.json (the `moduleResolution`/`module` settings are kept;
they remain correct for tsdown). Lockfile regenerated from scratch.

Note: these were published packages; removing them stops future releases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Restore linting/formatting after dropping eslint, starting from @arcjet/guard's
config:

- Root .oxlintrc.json: typescript/unicorn/oxc/import/node/promise plugins,
  correctness + suspicious. Globally relax the three rules the legacy packages
  violate en masse and that the old eslint never enforced (no-shadow,
  no-unused-vars, unicorn/no-array-sort); the remaining one-off violations get
  inline `oxlint-disable-next-line` comments so the rules stay active for new
  code.
- Root .oxfmtrc.json: oxfmt with import sorting, ignoring generated code
  (dist, wasm, proto), examples, and markdown (CHANGELOG.md is release-managed).
- Root scripts (lint/format/format:check) run with --disable-nested-config so
  @arcjet/guard keeps its own stricter type-aware config and self-lints.

Also restructures a UnionToIntersection conditional-type comment in arcjet so
oxfmt is idempotent on it. oxlint is green (0 errors, 130 rules).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mechanical reformat of all packages with `oxfmt` (including import sorting),
replacing the previous Prettier formatting. No logic changes.

Generated code (dist, wasm, proto), examples, markdown, and @arcjet/guard are
excluded via .oxfmtrc.json / handled by their own pipelines.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a reusable lint workflow that runs `npm run lint` (oxlint) and
`npm run format:check` (oxfmt --check), and wire it into the pull-request and
push workflows alongside the existing test and examples jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Introduce real type checking across the workspace using the native TypeScript
compiler (tsgo, @typescript/native-preview), with TypeScript bumped 5.9.3 -> 6
as the stable foundation for the eventual TS 7 / native transition.

- Each package gains a `typecheck` script (`tsgo --noEmit`) and a turbo
  `typecheck` task (depends on `^build` so dependency `.d.ts` exist); root
  `npm run typecheck` runs them all.
- tsconfig.base.json: add `webworker` lib + `skipLibCheck` + `types: ["node"]`
  so the full type check resolves Web (Headers/AbortSignal/fetch) and Node
  globals the previous build never validated. Aligns with @arcjet/guard.
- Per-runtime types where needed: arcjet-bun (`bun-types`), arcjet-deno
  (`@types/deno`); arcjet-sveltekit and arcjet-astro get local `ambient.d.ts`
  declarations for their framework virtual modules (`$env/dynamic/private`,
  `astro:env/server`), which frameworks otherwise only generate inside user
  projects.

Verified: build 34/34, typecheck 51/51, test 34/34, lint + format clean.
@arcjet/guard keeps its own stricter type-aware typecheck.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Build the workspace and run `npm run typecheck` (tsgo) in the reusable lint
workflow, alongside oxlint and the oxfmt format check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Turn on `isolatedDeclarations` (with `declaration`) in tsconfig.base.json so
tsdown can generate `.d.ts` via oxc and the exported type surface is explicit.

Annotate the exported declarations that previously relied on inference across
~25 packages — framework client wrappers (`ReturnType<typeof createClient>`),
transports, wasm `initializeWasm`, stable-hash `hash`, env/cache/decorate
helpers, protocol convert/reason types, and nosecone's header builders, Map/Set
tables, and `defaults`. Notably the type-magic-heavy core `arcjet` package
needed only a single annotation, confirming isolatedDeclarations is compatible
with its generics.

Five framework-integration packages keep `isolatedDeclarations: false` for now,
as their inferred return types need follow-up work that would otherwise require
lossy casts in the public .d.ts:
- @arcjet/nest    — conditional class-expression + Nest decorators
- @arcjet/next    — withArcjet wrapper returning a Res | NextResponse union
- @arcjet/astro   — integration-hook return types
- @arcjet/nuxt    — defineNuxtModule default-export generic inference
- @nosecone/sveltekit — pre-existing odd top-level `directives` shape (worth a look)

Verified: build 34/34, typecheck 51/51, test 34/34, lint + format clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@qw-in qw-in self-assigned this Jun 20, 2026
socket-security Bot commented Jun 20, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

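| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @connectrpc/connect-web@2.1.2 | 98 | 100 | 87 | 90 | 100 |
| Added | svelte@5.56.3 | 88 | 100 | 88 | 97 | 100 |
| Added | tsdown@0.22.3 | 98 | 100 | 88 | 97 | 100 |
| Updated | typescript@5.9.2 ⏵ 6.0.3 | 100 (+1) | 100 | 90 (+1) | 97 | 90 |
| Added | @connectrpc/connect@2.1.2 | 100 | 100 | 91 | 90 | 100 |
| Added | @connectrpc/connect-node@2.1.2 | 100 | 100 | 100 | 90 | 100 |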

View full report

socket-security Bot commented Jun 20, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json npm/next@16.2.6 npm/vite@8.0.16 npm/nuxt@4.4.8 npm/astro@6.4.6 npm/tsdown@0.22.3 npm/miniflare@4.20260617.0 npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: ? npm/typescript@5.4.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.4.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: analyze-wasm/package.json npm/typescript@6.0.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Comment thread arcjet-astro/test/index.test.ts Dismissed
Comment thread ip/scripts/verify-ranges.ts
qw-in and others added 5 commits June 22, 2026 08:04
- guard.yml: build the whole workspace in each job so @arcjet/guard's now-local
  workspace dependencies (e.g. @arcjet/analyze) have their dist/ output for
  guard's source tests, type checking, and runtime tests. Previously guard.yml
  only built guard, which worked when those deps were installed from npm.
- examples/bun-rate-limit: drop the deleted @arcjet/eslint-config and
  @arcjet/rollup-config from the workspaces array and remove the stale bun.lock
  (regenerated on install).
- examples/deno-sensitive-info: point the import map and tsconfig at the new
  src/ + dist/ layout instead of the old flat index.js paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The guard jobs ran `npm install` from arcjet-guard, which did not install the
root devDependencies (turbo), so the workspace build failed with
`turbo: not found`. Install at the workspace root instead.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
After removing the stale bun.lock, a fresh `bun install` hoists @types/bun
where tsc no longer auto-discovers it, so `bun tsc --noEmit` failed with
"Cannot find name 'Bun'". Declare the types explicitly via `types: ["bun"]`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…test

The node transport optimistically pre-connects on creation, so
createTransport("https://example.com") made a real outbound DNS/connection.
Now that guard runs in the main workspace CI (egress-policy: block), that call
was blocked and flagged by Harden-Runner. Use the already-allowlisted Arcjet
API host instead; the test still only asserts that a valid URL does not throw.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Wasm base64/externalize plugins (ported from the former
@arcjet/rollup-config) and the proto externalization plugins now use JSDoc
doc-comments instead of `//`, and are marked `@internal` since they are
build-time helpers, not published API.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread arcjet-guard/src/transport-node.test.ts
…Type<typeof createConnectTransport>

Restore the stable `Transport` type as the public return type for
`createTransport`, matching the pre-migration signature. The
`ReturnType<typeof createConnectTransport>` form was added to satisfy
isolatedDeclarations but dragged a type-only import of
`@connectrpc/connect-node`/`connect-web` into the emitted `.d.ts`.
`Transport` (from `@connectrpc/connect`, already a direct dependency)
satisfies isolatedDeclarations cleanly and keeps the declaration file
minimal.

Co-Authored-By: Claude <noreply@anthropic.com>
qw-in commented Jun 22, 2026

Member Author

🤖 Automated verification on behalf of @qw-in — posted by Claude Code.

Verified locally (commit 14405145):

  • Build: 34/34 packages · Typecheck (tsgo/TS6 + isolatedDeclarations): 51/51 · oxlint: 0 errors · oxfmt: clean (tracked files) · Tests: 34/34
  • npm pack + tarball inspection (arcjet, runtime, transport, protocol, analyze-wasm, guard, analyze, next, stable-hash): dist/-only layouts, no test-file leakage, all exports targets resolve to real files. Guard proto/ copy and analyze-wasm _virtual wasm chunks resolve.
  • .d.ts consumed under TS 5.9 (not just tsgo) in a fresh consumer project: full public API + subpath imports (@arcjet/protocol/client.js, @arcjet/guard/node, @arcjet/guard/fetch, @arcjet/runtime) typecheck clean. No regression vs main's declarations.
  • Runtime smoke from packed tarballs: arcjet, @arcjet/guard (./node + ./fetch), @arcjet/transport, @arcjet/runtime, @arcjet/protocol all load and execute.
  • This commit restores createTransport's public return type to Transport (was ReturnType<typeof createConnectTransport> to satisfy isolatedDeclarations); removes a dragged-in @connectrpc/connect-node/-web type import from the emitted .d.ts. Assignable to Transport, verified.

Accepted as-is (per @qw-in): restrictive exports on @arcjet/protocol and condition-only @arcjet/transport subpaths — direct consumption was never supported, and the stricter map is more correct.

Node floor bump (>=20 → >=22.21.0 <23 || >=24.5.0) is the separate tracked breaking change in #6090.
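
The tarball checks listed in the verification comment above (every `exports` target resolves to a real file, `dist/`-only layout, no test-file leakage), as an added example that is not part of the pull request or the arcjet-js repository. The function names, the `example-pkg` manifest and both tarball listings are constructed for illustration.

```javascript
// Added example, not code from the arcjet-js repository.
// Walks a package.json `exports` map and checks it against an `npm pack` listing.

// Collect every file target reachable from an `exports` value, remembering the
// subpath and the condition chain (e.g. workerd, default) that selects it.
function collectTargets(node, subpath = ".", conditions = [], out = []) {
  if (node === null) return out; // `null` deliberately blocks a subpath
  if (typeof node === "string") {
    out.push({ subpath, conditions, target: node });
  } else if (Array.isArray(node)) {
    for (const alt of node) collectTargets(alt, subpath, conditions, out);
  } else {
    for (const [key, value] of Object.entries(node)) {
      if (key.startsWith(".")) collectTargets(value, key, conditions, out);
      else collectTargets(value, subpath, [...conditions, key], out);
    }
  }
  return out;
}

// True when `target` (which may contain one `*` pattern) names a packed file.
function resolves(target, files) {
  const rel = target.slice(2); // strip the leading "./"
  if (!rel.includes("*")) return files.has(rel);
  const [prefix, suffix] = rel.split("*");
  return [...files].some(
    (f) => f.length > prefix.length + suffix.length && f.startsWith(prefix) && f.endsWith(suffix),
  );
}

// Files npm packs regardless of the `files` field.
const ALWAYS_PACKED = /^(package\.json|README(\..*)?|LICEN[CS]E(\..*)?|CHANGELOG(\..*)?)$/i;
const TEST_FILE = /(^|\/)(__tests__|tests?)\/|\.(test|spec)\.[cm]?[jt]sx?$/;

// Returns a sorted list of findings; an empty list means the tarball is clean.
function auditPackage(manifest, tarballPaths, outDir = "dist/") {
  // `npm pack` prefixes every entry with "package/".
  const files = new Set(tarballPaths.map((p) => p.replace(/^package\//, "")));
  const findings = [];

  const entries = collectTargets(manifest.exports ?? {});
  for (const field of ["main", "types"]) {
    const t = manifest[field];
    if (t) entries.push({ subpath: field, conditions: [], target: t.startsWith("./") ? t : "./" + t });
  }
  for (const { subpath, conditions, target } of entries) {
    const where = [subpath, ...conditions].join(" > ");
    if (!target.startsWith("./") || target.split("/").includes("..")) {
      findings.push(`invalid-target ${where} -> ${target}`);
    } else if (!resolves(target, files)) {
      findings.push(`missing-file ${where} -> ${target}`);
    }
  }
  for (const f of files) {
    if (TEST_FILE.test(f)) findings.push(`test-file-packed ${f}`);
    else if (!f.startsWith(outDir) && !ALWAYS_PACKED.test(f)) findings.push(`outside-outdir ${f}`);
  }
  return findings.sort();
}

// Constructed manifest, modelled on the layout the commit messages describe.
const sampleManifest = {
  name: "example-pkg", // hypothetical package name
  main: "./dist/index.js",
  types: "./dist/index.d.ts",
  files: ["dist"],
  exports: {
    ".": {
      types: "./dist/index.d.ts",
      workerd: "./dist/workerd.js",
      "edge-light": "./dist/edge-light.js",
      default: "./dist/index.js",
    },
    "./cloudflare": "./dist/cloudflare.js",
    "./cloudflare.js": "./dist/cloudflare.js",
    "./package.json": "./package.json",
  },
};

// Constructed `npm pack` listings: one clean, one with three defects.
const goodTarball = [
  "package/package.json", "package/README.md", "package/LICENSE",
  "package/dist/index.js", "package/dist/index.d.ts", "package/dist/workerd.js",
  "package/dist/edge-light.js", "package/dist/cloudflare.js", "package/dist/wasm/core.wasm",
];
const brokenTarball = goodTarball
  .filter((p) => p !== "package/dist/edge-light.js")
  .concat(["package/dist/index.test.js", "package/src/index.ts"]);

console.log(auditPackage(sampleManifest, goodTarball));
console.log(auditPackage(sampleManifest, brokenTarball));
```

A missing conditional target such as the `edge-light` entry only fails at import time on that runtime, which is why the check walks every condition rather than just `default`.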

@arcjet-rei

Contributor

What's blocking moving this out of draft status?
