lancedb/nodejs/CONTRIBUTING.md
Will Jones 81617fd3d9 ci(nodejs): switch from npm to pnpm 11 (#3373)
## Summary

Switch the nodejs bindings and examples package from npm to pnpm 11 to
pick up its stronger supply-chain defaults:

- `minimumReleaseAge` defaults to 1 day, so newly-published (potentially
compromised) versions aren't resolved into installs for at least 24h.
- Install lifecycle scripts (`preinstall`/`install`/`postinstall`) are
no longer run for arbitrary transitive deps; only an explicit allowlist
may run them, and unapproved scripts cause install to fail
(`strictDepBuilds: true`).
- Audit uses GHSA IDs and `--fix=update` to add patched versions to
`minimumReleaseAgeExclude`.

This is the same class of protection that would have blunted the recent
TanStack/`@uipath`/etc. compromise discussed in the [Aikido
write-up](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised).

## Changes

- Replace `nodejs/package-lock.json` and
`nodejs/examples/package-lock.json` with `pnpm-lock.yaml`.
- Pin pnpm via `packageManager: pnpm@11.1.1` in both `package.json`s.
- Add `pnpm-workspace.yaml` with the four build-script packages we
actually need: `@biomejs/biome`, `onnxruntime-node`, `protobufjs`,
`sharp`. Everything else is blocked from running install scripts.
- Update package.json scripts (`npm run X` → `pnpm X`).
- Update workflows: `.github/workflows/nodejs.yml`,
`.github/workflows/npm-publish.yml`, and
`.github/workflows/codex-fix-ci.yml` — install pnpm via
`pnpm/action-setup@v4` and switch `setup-node` caches to
`pnpm-lock.yaml`.
- Refresh `nodejs/AGENTS.md`, `nodejs/CLAUDE.md`, and
`nodejs/CONTRIBUTING.md`.

`docs/package-lock.json` is **not** touched — out of scope for this PR.

## Test plan

- [ ] `Lint` job (lint Rust/TS + examples lint) passes on CI.
- [ ] `Linux (NodeJS 18/20)` build+test passes, including the examples
test step.
- [ ] `macos` build+test passes.
- [ ] `NPM Publish` workflow's PR dry-run completes (build matrix + test
matrix + dry `npm publish`).
- [ ] No new install-script approvals are required at install time.

## Follow-ups

- `update_package_lock_run_nodejs.yml` references a composite action
path that doesn't exist
(`./.github/workflows/update_package_lock_nodejs`); it was already
broken pre-PR. We may want to either delete this workflow or rewrite it
for pnpm in a follow-up.
- Consider migrating `docs/` to pnpm in a separate PR.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 11:27:38 -07:00
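
The two install-time policies named in the commit message above (minimum release age and the install-script allowlist), modelled as an added example; it is not part of the commit and is not pnpm's implementation. Only the four allowlisted names come from the page: the other package names, versions, timestamps and function names are constructed or hypothetical.

```javascript
// Simplified model of the policies described above, not pnpm's own code.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];
const ONE_DAY_MS = 24 * 60 * 60 * 1000;

// Allowlist of build-script packages taken from the commit message.
const ALLOWED_BUILDS = new Set([
  "@biomejs/biome", "onnxruntime-node", "protobufjs", "sharp",
]);

// Constructed sample metadata: hypothetical versions and publish times.
const NOW = Date.parse("2026-05-13T18:00:00Z");
const SAMPLE_DEPS = [
  { name: "sharp", version: "0.0.0-sample", publishedAt: "2026-01-10T00:00:00Z",
    scripts: { install: "node install/check.js" } },
  { name: "example-left-helper", version: "0.0.0-sample", publishedAt: "2025-11-02T00:00:00Z",
    scripts: { postinstall: "node setup.js" } },
  { name: "example-fresh-release", version: "0.0.0-sample", publishedAt: "2026-05-13T09:00:00Z",
    scripts: { test: "jest" } },
  { name: "example-plain", version: "0.0.0-sample", publishedAt: "2025-06-01T00:00:00Z",
    scripts: {} },
];

// Returns the reasons a dependency would be held back under the two policies.
// `ageExclude` models minimumReleaseAgeExclude, simplified to match by name only.
function reviewDependency(dep, now,
    { minAgeMs = ONE_DAY_MS, allowed = ALLOWED_BUILDS, ageExclude = new Set() } = {}) {
  const findings = [];
  const ageMs = now - Date.parse(dep.publishedAt);
  if (ageMs < minAgeMs && !ageExclude.has(dep.name)) {
    findings.push(`released ${Math.floor(ageMs / 3600000)}h ago, below minimum release age`);
  }
  const declared = LIFECYCLE_SCRIPTS.filter((s) => dep.scripts && dep.scripts[s]);
  if (declared.length > 0 && !allowed.has(dep.name)) {
    findings.push(`unapproved install scripts: ${declared.join(", ")}`);
  }
  return findings;
}

// Maps "name@version" to its findings; clean dependencies are omitted.
function reviewAll(deps, now, options) {
  const report = {};
  for (const dep of deps) {
    const findings = reviewDependency(dep, now, options);
    if (findings.length > 0) report[`${dep.name}@${dep.version}`] = findings;
  }
  return report;
}

console.log(reviewAll(SAMPLE_DEPS, NOW));
```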


Contributing to LanceDB TypeScript

This document outlines the process for contributing to LanceDB TypeScript. For general contribution guidelines, see CONTRIBUTING.md.

Project layout

The TypeScript package is a wrapper around the Rust library, lancedb. We use the napi-rs library to create the bindings between Rust and TypeScript.

  • src/: Rust bindings source code
  • lancedb/: TypeScript package source code
  • __test__/: Unit tests
  • examples/: A pnpm package with the examples shown in the documentation

Development environment

To set up your development environment, you will need to install the following:

  1. Node.js 22 or later (required by pnpm 11)
  2. pnpm 11 or later (or run `corepack enable`, which uses the `packageManager` field in `package.json`)
  3. Rust's package manager, Cargo. Use rustup to install.
  4. protoc (Protocol Buffers compiler)

Initial setup:

pnpm install

Commit Hooks

It is highly recommended to install the pre-commit hooks to ensure that your code is formatted correctly and passes basic checks before committing:

pre-commit install

Development

Most common development commands can be run using the pnpm scripts.

Build the package:

pnpm install
pnpm build

Lint:

pnpm lint

Format and fix lints:

pnpm lint-fix

Run tests:

pnpm test

To run a single test:

# Single file: table.test.ts
pnpm test -- table.test.ts
# Single test: 'merge insert' in table.test.ts
pnpm test -- table.test.ts --testNamePattern=merge\ insert