The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
| package | version | tier | decision | date | deciders | adr | filter-results | verification-commands | lastRevalidated | accepted-cves |
|---|---|---|---|---|---|---|---|---|---|---|
| @trpc/server | ^11.0.0 | core | approved | 2026-05-14 | | null | | | 2026-05-19 | |
Filter: license
`npm view @trpc/server license` returns MIT. MIT is on the allowlist.
Filter: types
@trpc/server is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.
Filter: maintenance
Actively maintained by the tRPC team. The 11.x line is the current major. Regular releases; strong community adoption in the Next.js ecosystem.
Filter: boundary-fit
@trpc/server is the workspace-standard RPC layer for type-safe client-server communication (ADR-019 references tRPC as the transport for use-case exposure). Feature packages export their tRPC routers; core-api aggregates them; apps mount the root router. Feature packages own their error middleware (integrations/api/procedures.ts). No boundary rule restricts @trpc/server to a specific tier.
Filter: shadow-check
@trpc/server is the sole RPC framework in the workspace. No competing API layer (REST, GraphQL, gRPC) is present for the same purpose.
Filter: eu-residency
@trpc/server is a pure server-side routing library with no network communication to vendor-controlled endpoints. EU residency does not apply.
Filter: cve-scan
`pnpm audit --audit-level=moderate` reports no advisories against @trpc/server at the time of this trace.
Filter: named-consumer
All five feature packages export a tRPC router that uses @trpc/server. @repo/core-api aggregates these routers. @repo/core-shared provides the tRPC base instance and error middleware utilities. @repo/core-dsr exposes the dsrRouter via createDsrRouter. Named, non-hypothetical consumers exist today.
Prompt: replaces
@trpc/server replaces a hypothetical hand-written REST API layer. tRPC enables end-to-end type safety between the server use cases and the Next.js client without a separate OpenAPI spec or code generation step.
Prompt: migration-cost-out
Hard. tRPC router types propagate from the server to the client via TypeScript inference. Every feature package's tRPC router, the root AppRouter type in core-api, and every client-side query in the apps reference @trpc/server types. Migrating to REST would require replacing all router definitions, regenerating types (e.g., via OpenAPI), and updating all client call sites.
Prompt: alternatives-considered
- GraphQL (Apollo/Pothos) — More complex schema layer required; the resolver pattern does not map cleanly onto the factory-function use-case pattern mandated by CLAUDE.md.
- OpenAPI + Zodios — Requires a separate schema definition step and code generation; tRPC's type inference is more direct for a monorepo where client and server share the same TypeScript project.
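
The `socketRisk` backfill described in the commit message at the top of this page can be scoped so that only traces from the 2026-05-14 cohort whose sole gap is `socketRisk` are marked `clean`, while every other gap is reported for review. This is an added example, not the project's own tooling: it assumes parsed front matter with `filter-results` as a filter-name to status map, and the `pass` status and the two `example-*` packages are constructed.

```javascript
// Filter names as they appear in this trace, plus the field being backfilled.
const REQUIRED_FILTERS = [
  "license", "types", "maintenance", "boundary-fit", "shadow-check",
  "eu-residency", "cve-scan", "named-consumer", "socketRisk",
];
const BACKFILL_DATE = "2026-05-14"; // the initial library-trace cohort

// Assumption: "filter-results" is a plain object keyed by filter name.
function auditTrace(trace) {
  const results = trace["filter-results"] || {};
  const missing = REQUIRED_FILTERS.filter(
    (name) => !Object.prototype.hasOwnProperty.call(results, name)
  );
  return { package: trace.package, date: trace.date, missing };
}

// Backfill socketRisk as "clean" only when it is the sole gap and the trace
// belongs to the dated cohort; anything else is returned for a real review.
function backfillSocketRisk(traces) {
  const updated = [];
  const needsReview = [];
  for (const trace of traces) {
    const { missing } = auditTrace(trace);
    if (missing.length === 0) continue; // already conforms to the schema
    const onlySocket = missing.length === 1 && missing[0] === "socketRisk";
    if (onlySocket && trace.date === BACKFILL_DATE) {
      const results = { ...trace["filter-results"], socketRisk: "clean" };
      updated.push({ ...trace, "filter-results": results }); // copy, no mutation
    } else {
      needsReview.push({ package: trace.package, missing });
    }
  }
  return { updated, needsReview };
}

// Constructed sample traces; statuses are placeholders, not real results.
const preSocket = Object.fromEntries(
  REQUIRED_FILTERS.slice(0, 8).map((name) => [name, "pass"])
);
const SAMPLE_TRACES = [
  { package: "@trpc/server", date: "2026-05-14", "filter-results": { ...preSocket } },
  { package: "example-late-addition", date: "2026-06-02", "filter-results": { ...preSocket } },
  { package: "example-incomplete", date: "2026-05-14", "filter-results": { license: "pass" } },
];

const report = backfillSocketRisk(SAMPLE_TRACES);
console.log(JSON.stringify(report.needsReview, null, 2));
```

Traces outside the dated cohort, or with gaps other than `socketRisk`, are never written to, so the backfill cannot mask a trace that skipped the supply-chain filter for another reason.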