Danijel Martinek
14762d4ba0
The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
89 lines
2.7 KiB
Markdown
89 lines
2.7 KiB
Markdown
---
|
|
package: globals
|
|
version: "^17.6.0"
|
|
tier: core
|
|
decision: approved
|
|
date: 2026-05-14
|
|
deciders: [Danijel Martinek]
|
|
adr: null
|
|
lastRevalidated: null
|
|
is-sub-processor: false
|
|
processes-pii: false
|
|
filter-results:
|
|
license: MIT
|
|
types: native
|
|
maintenance: active
|
|
boundary-fit: pass
|
|
shadow-check: pass
|
|
eu-residency: n/a
|
|
cve-scan: clean
|
|
named-consumer: pass
|
|
socketRisk: clean
|
|
verification-commands:
|
|
- npm view globals license
|
|
- npm view globals version
|
|
- pnpm audit --audit-level=moderate
|
|
accepted-cves: []
|
|
---
|
|
|
|
## Filter: license
|
|
|
|
<!-- Result: MIT -->
|
|
|
|
`npm view globals license` returns `MIT`. MIT is on the allowlist.
|
|
|
|
## Filter: types
|
|
|
|
<!-- Result: native -->
|
|
|
|
`globals` ships its own TypeScript declaration files. No separate `@types/globals` package is needed.
|
|
|
|
## Filter: maintenance
|
|
|
|
<!-- Result: active -->
|
|
|
|
Maintained by the Sindre Sorhus ecosystem. Regularly updated to track ECMAScript specification changes and new browser/Node.js globals. Last release < 18 months.
|
|
|
|
## Filter: boundary-fit
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`globals` is a dependency of `@repo/core-eslint`, the shared ESLint configuration package. It provides the global variable definitions consumed by ESLint's `languageOptions.globals` configuration. This is the correct placement for a configuration-layer utility.
|
|
|
|
## Filter: shadow-check
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`globals` is the de-facto standard globals catalog for ESLint configurations. No competing globals package is present in the workspace.
|
|
|
|
## Filter: eu-residency
|
|
|
|
<!-- Result: n/a -->
|
|
|
|
`globals` is a static data package (JSON + TypeScript types) with no network communication. EU residency does not apply.
|
|
|
|
## Filter: cve-scan
|
|
|
|
<!-- Result: clean -->
|
|
|
|
`pnpm audit --audit-level=moderate` reports no advisories against `globals` at the time of this trace.
|
|
|
|
## Filter: named-consumer
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`@repo/core-eslint` uses `globals` in its ESLint flat-config exports to declare browser and Node.js global environments. Named, non-hypothetical consumer exists today.
|
|
|
|
## Prompt: replaces
|
|
|
|
`globals` replaces the deprecated `env` configuration approach in ESLint's legacy config format. In the flat config system, `languageOptions.globals` with the `globals` package is the recommended approach.
|
|
|
|
## Prompt: migration-cost-out
|
|
|
|
Mechanical. `globals` is used in one configuration file (`@repo/core-eslint`). Migrating to a different globals source requires updating that file only.
|
|
|
|
## Prompt: alternatives-considered
|
|
|
|
1. **Inline global declarations** — Verbose and maintenance-heavy; the `globals` package is the ESLint ecosystem standard for this purpose.
|
|
2. **`@types/node` globals only** — Insufficient for browser environments; `globals` covers both environments cleanly.
|