The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
| package | version | tier | decision | date | deciders | adr | lastRevalidated | is-sub-processor | processes-pii | filter-results | verification-commands | accepted-cves |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| reflect-metadata | ^0.2.2 | feature | approved | 2026-05-14 | | adr-002 | null | false | false | | | |
Filter: license
`npm view reflect-metadata license` returns Apache-2.0. Apache-2.0 is on the allowlist.
Filter: types
reflect-metadata ships its own .d.ts declaration files. Types are bundled with the package.
Filter: maintenance
reflect-metadata is a polyfill for the TC39 Metadata Reflection API proposal. The library is intentionally stable; new releases are rare because the spec is frozen pending TC39 progress. `dormant` is the accurate classification for a finished polyfill — this is not a concern for a library at this maturity level.
Filter: boundary-fit
reflect-metadata is a required peer of InversifyJS (ADR-002). Feature packages importing inversify are expected to also import reflect-metadata once at the entry point of each feature's DI layer. No boundary rule restricts it.
Filter: shadow-check
reflect-metadata is the only metadata polyfill in the workspace. It is explicitly paired with inversify per ADR-002 and has no competing alternative present.
Filter: eu-residency
reflect-metadata is a pure runtime polyfill with no network communication, telemetry, or data transmission. EU residency does not apply.
Filter: cve-scan
`pnpm audit --audit-level=moderate` reports no advisories against reflect-metadata at the time of this trace.
Filter: named-consumer
All five feature packages — @repo/auth, @repo/blog, @repo/media, @repo/marketing-pages, @repo/navigation — list reflect-metadata as a runtime dependency. It is imported at each feature's DI entry point to activate the metadata polyfill required by inversify decorators.
Prompt: replaces
No prior metadata polyfill was in use. reflect-metadata is a direct requirement of InversifyJS's decorator-based binding — there is no alternative polyfill to retire.
Prompt: migration-cost-out
Mechanical, but coupled to inversify removal. If InversifyJS is ever replaced with a DI approach that does not rely on the Reflect API (e.g., a factory-only approach), reflect-metadata can be removed by deleting one import per feature entry point. The removal is straightforward once the parent dependency (inversify) is gone.
Prompt: alternatives-considered
- No polyfill / TC39 native — The TC39 Metadata Reflection API is not yet at Stage 4; native support is not available in target runtimes. Not viable.
- `core-js` reflect subset — Does not provide the complete `Reflect.metadata` API surface required by inversify. Not a functional alternative.