The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
89 lines
3.2 KiB
Markdown
---
package: reflect-metadata
version: "^0.2.2"
tier: feature
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: adr-002
lastRevalidated: null
is-sub-processor: false
processes-pii: false
filter-results:
  license: Apache-2.0
  types: native
  maintenance: dormant
  boundary-fit: pass
  shadow-check: pass
  eu-residency: n/a
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  - npm view reflect-metadata license
  - npm view reflect-metadata version
  - pnpm audit --audit-level=moderate
accepted-cves: []
---

## Filter: license

<!-- Result: Apache-2.0 -->

`npm view reflect-metadata license` returns `Apache-2.0`. Apache-2.0 is on the allowlist.

## Filter: types

<!-- Result: native -->

reflect-metadata ships its own `.d.ts` declaration files. Types are bundled with the package.

## Filter: maintenance

<!-- Result: dormant -->

reflect-metadata is a polyfill for the TC39 Metadata Reflection API proposal. The library is intentionally stable; new releases are rare because the spec is frozen pending TC39 progress. `dormant` is the accurate classification for a finished polyfill and is not a concern for a library at this maturity level.

## Filter: boundary-fit

<!-- Result: pass -->

reflect-metadata is a required peer of InversifyJS (ADR-002). Feature packages importing inversify are expected to also import `reflect-metadata` once at the entry point of each feature's DI layer. No boundary rule restricts it.

## Filter: shadow-check

<!-- Result: pass -->

reflect-metadata is the only metadata polyfill in the workspace. It is explicitly paired with inversify per ADR-002 and has no competing alternative present.

## Filter: eu-residency

<!-- Result: n/a -->

reflect-metadata is a pure runtime polyfill with no network communication, telemetry, or data transmission. EU residency does not apply.

## Filter: cve-scan

<!-- Result: clean -->

`pnpm audit --audit-level=moderate` reports no advisories against reflect-metadata at the time of this trace.

## Filter: named-consumer

<!-- Result: pass -->

All five feature packages — `@repo/auth`, `@repo/blog`, `@repo/media`, `@repo/marketing-pages`, `@repo/navigation` — list reflect-metadata as a runtime dependency. It is imported at each feature's DI entry point to activate the metadata polyfill required by inversify decorators.

## Prompt: replaces

No prior metadata polyfill was in use. reflect-metadata is a direct requirement of InversifyJS's decorator-based binding — there is no alternative polyfill to retire.

## Prompt: migration-cost-out

Mechanical, but coupled to inversify removal. If InversifyJS is ever replaced with a DI approach that does not rely on the Reflect API (e.g., a factory-only approach), reflect-metadata can be removed by deleting one import per feature entry point. The removal is straightforward once the parent dependency (inversify) is gone.

## Prompt: alternatives-considered

1. **No polyfill / TC39 native** — The TC39 Metadata Reflection API is not yet at Stage 4; native support is not available in target runtimes. Not viable.
2. **`core-js` reflect subset** — Does not provide the complete `Reflect.metadata` API surface required by inversify. Not a functional alternative.

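
The gap the commit message describes, traces written before the Socket filter existed and therefore lacking `socketRisk`, can be detected mechanically. The following is an added example, not code from this repository: the required-key list is an assumption read off the `filter-results` block of this trace, and `filterResults`, `missingFilters` and the sample traces are hypothetical names and constructed data.

```javascript
// Added example, not part of the repository. The required-key list is an
// assumption read off the filter-results block of the trace on this page.
const REQUIRED_FILTERS = [
  'license', 'types', 'maintenance', 'boundary-fit', 'shadow-check',
  'eu-residency', 'cve-scan', 'named-consumer', 'socketRisk',
];

// Return the key/value pairs nested under `filter-results:` in a trace's
// frontmatter. Handles only the two-level layout these traces use, not YAML
// in general.
function filterResults(markdown) {
  const m = /^---\r?\n([\s\S]*?)\r?\n---(?:\r?\n|$)/.exec(markdown);
  if (!m) throw new Error('trace has no frontmatter block');
  const results = {};
  let inside = false;
  for (const line of m[1].split(/\r?\n/)) {
    if (/^filter-results:\s*$/.test(line)) { inside = true; continue; }
    if (!inside) continue;
    const kv = /^\s+([\w-]+):\s*(.*)$/.exec(line);
    if (kv) results[kv[1]] = kv[2].trim().replace(/^["']|["']$/g, '');
    else if (/^\S/.test(line)) break; // next top-level key ends the block
  }
  return results;
}

// Filters the schema expects but the trace does not record (absent or empty).
function missingFilters(markdown) {
  const results = filterResults(markdown);
  return REQUIRED_FILTERS.filter((key) => !results[key]);
}

// Constructed sample traces (abridged frontmatter): one written before the
// socketRisk filter existed, one after the backfill.
const sampleTrace = (extra) => [
  '---', 'package: reflect-metadata', 'filter-results:',
  '  license: Apache-2.0', '  types: native', '  maintenance: dormant',
  '  boundary-fit: pass', '  shadow-check: pass', '  eu-residency: n/a',
  '  cve-scan: clean', '  named-consumer: pass', ...extra,
  'accepted-cves: []', '---', '', '## Filter: license', '',
].join('\n');
const BEFORE_BACKFILL = sampleTrace([]);
const AFTER_BACKFILL = sampleTrace(['  socketRisk: clean']);

console.log('before:', missingFilters(BEFORE_BACKFILL));
console.log('after: ', missingFilters(AFTER_BACKFILL));
```

The check covers presence only: it confirms a value is recorded for each filter, not that a recorded `clean` is still accurate.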