The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
| package | version | tier | decision | date | deciders | adr | lastRevalidated | is-sub-processor | processes-pii | filter-results | verification-commands | accepted-cves |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| superjson | ^2.2.1 | core | approved | 2026-05-14 | | null | null | false | false | | | |
Filter: license
`npm view superjson license` returns MIT. MIT is on the allowlist.
Filter: types
superjson is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/superjson package is needed.
Filter: maintenance
Actively maintained. The last release was less than 18 months ago. Used widely in the tRPC and Next.js ecosystem.
Filter: boundary-fit
superjson is the serialization transformer used by the tRPC layer (@repo/core-shared) to handle non-JSON-serializable types (Dates, Maps, Sets) over the wire. core-testing uses it for mock tRPC client setup. No boundary rules restrict superjson to a specific tier.
Filter: shadow-check
superjson is the sole tRPC-compatible serialization transformer in the workspace. No competing serializer (devalue, msgpackr, etc.) is present.
Filter: eu-residency
superjson is a pure serialization library with no network communication, telemetry, or data transmission. EU residency does not apply.
Filter: cve-scan
`pnpm audit --audit-level=moderate` reports no advisories against superjson at the time of this trace.
Filter: named-consumer
@repo/core-shared uses superjson as the tRPC transformer. @repo/core-testing uses superjson for mock tRPC client configuration. Named, non-hypothetical consumers exist today.
Prompt: replaces
superjson replaces the default JSON-only serialization in tRPC, which would fail silently when Date objects or other non-JSON types are passed through procedure calls.
Prompt: migration-cost-out
Low. superjson is used as the transformer option in the tRPC router and client configuration — two call sites in core-shared. Replacing it requires swapping the transformer and ensuring the replacement handles the same non-JSON types. No feature package references superjson directly.
Prompt: alternatives-considered
- devalue — Supports more types but is less mature in the tRPC ecosystem; superjson is the de-facto tRPC transformer standard.
- JSON-only (no transformer) — Rejected because it silently loses type fidelity for Dates and breaks any use case that returns or receives a `Date` value.
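
The silent loss behind the JSON-only rejection, shown as an added example that is not part of the trace or of superjson: a plain JSON round trip next to a minimal type-tagging round trip. The `$type` tag format, the function names and the sample payload are assumptions made for this illustration and do not reflect superjson's wire format.

```javascript
// Added illustration: what a JSON-only transport does to Date, Map and Set,
// and a minimal type-tagging round trip. The "$type" tag format is an
// assumption for this example, not superjson's wire format.

// Constructed sample payload, shaped like a procedure result.
function samplePayload() {
  return {
    createdAt: new Date('2026-05-14T00:00:00.000Z'),
    roles: new Set(['admin', 'auditor']),
    quotas: new Map([['eu-west', 3]]),
  };
}

// Plain JSON: nothing throws, the types are simply gone on the other side.
function jsonRoundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// Tagging replacer. Date.prototype.toJSON runs before the replacer sees
// `value`, so the original is read from the holder object (`this`).
function tag(key, value) {
  const raw = this[key];
  if (raw instanceof Date) return { $type: 'Date', v: raw.toISOString() };
  if (raw instanceof Set) return { $type: 'Set', v: [...raw] };
  if (raw instanceof Map) return { $type: 'Map', v: [...raw] };
  return value;
}

// Reviver. Only a fixed allowlist of types is ever constructed from the
// incoming tags; anything else is passed through as plain data.
function untag(key, value) {
  if (value === null || typeof value !== 'object') return value;
  switch (value.$type) {
    case 'Date': return new Date(value.v);
    case 'Set': return new Set(value.v);
    case 'Map': return new Map(value.v);
    default: return value;
  }
}

function taggedRoundTrip(value) {
  return JSON.parse(JSON.stringify(value, tag), untag);
}
```

After `jsonRoundTrip`, `createdAt` is an ISO string and both `roles` and `quotas` are empty objects, with no error raised at either end.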