The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
| package | version | tier | decision | date | deciders | adr | lastRevalidated | is-sub-processor | processes-pii | filter-results | verification-commands | accepted-cves |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| inversify | ^6.2.0 | feature | approved | 2026-05-14 | | adr-002 | null | false | false | | | |
Filter: license
`npm view inversify license` returns MIT. MIT is on the allowlist.
Filter: types
inversify is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/inversify` package is needed.
Filter: maintenance
Actively maintained; the 6.x line has seen recent releases with TypeScript compatibility improvements. The last release was less than 18 months ago, and the issue tracker shows ongoing engagement.
Filter: boundary-fit
ADR-002 explicitly mandates InversifyJS as the DI framework for all feature packages. The ESLint boundary rules (ADR-010) do not restrict inversify to any specific path — feature packages are the declared consumers.
Filter: shadow-check
inversify is the workspace-locked DI container per ADR-002. No parallel DI framework (tsyringe, awilix, etc.) is present or proposed.
Filter: eu-residency
inversify is a pure runtime library with no network communication, telemetry, or data transmission. EU residency does not apply.
Filter: cve-scan
`pnpm audit --audit-level=moderate` reports no advisories against inversify at the time of this trace.
Filter: named-consumer
All five feature packages — @repo/auth, @repo/blog, @repo/media, @repo/marketing-pages, @repo/navigation — depend on inversify for their per-feature DI containers (ADR-008). Concrete named consumers exist today.
Prompt: replaces
Manual composition root patterns considered during initial architecture setup. InversifyJS replaces ad-hoc factory chaining that would not scale beyond three or four services per feature. No parallel approach is running.
Prompt: migration-cost-out
Hard. InversifyJS container bindings, symbols, and decorator usage are scattered across every feature package's `di/` layer. Migrating out would require replacing all `@injectable()` / `@inject()` decorators, `SYMBOLS` definitions, and container bind calls across five feature packages simultaneously. The interface boundaries (ADR-002) reduce the surface, but the volume of changes is substantial. The per-feature container pattern (ADR-008) limits blast radius to one package at a time.
Prompt: alternatives-considered
- tsyringe (Microsoft) — lighter API but fewer lifecycle options and weaker TypeScript inference at the time of evaluation.
- Manual composition root — zero dependency but does not scale past ~5 services without significant boilerplate and loses automatic dependency chain resolution.
See ADR-002 for the full decision rationale.