agentic-dev/docs/library-decisions/2026-05-14-superjson.md
Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00


---
package: superjson
version: "^2.2.1"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: null
lastRevalidated: null
is-sub-processor: false
processes-pii: false
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: n/a
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
- npm view superjson license
- npm view superjson version
- pnpm audit --audit-level=moderate
accepted-cves: []
---
## Filter: license
<!-- Result: MIT -->
`npm view superjson license` returns `MIT`. MIT is on the allowlist.
## Filter: types
<!-- Result: native -->
superjson is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/superjson` package is needed.
## Filter: maintenance
<!-- Result: active -->
Actively maintained. The last release was less than 18 months ago. Used widely in the tRPC and Next.js ecosystem.
## Filter: boundary-fit
<!-- Result: pass -->
superjson is the serialization transformer used by the tRPC layer (`@repo/core-shared`) to handle non-JSON-serializable types (Dates, Maps, Sets) over the wire. `core-testing` uses it for mock tRPC client setup. No boundary rules restrict superjson to a specific tier.
## Filter: shadow-check
<!-- Result: pass -->
superjson is the sole tRPC-compatible serialization transformer in the workspace. No competing serializer (devalue, msgpackr, etc.) is present.
## Filter: eu-residency
<!-- Result: n/a -->
superjson is a pure serialization library with no network communication, telemetry, or data transmission. EU residency does not apply.
## Filter: cve-scan
<!-- Result: clean -->
`pnpm audit --audit-level=moderate` reports no advisories against `superjson` at the time of this trace.
## Filter: named-consumer
<!-- Result: pass -->
`@repo/core-shared` uses superjson as the tRPC transformer. `@repo/core-testing` uses superjson for mock tRPC client configuration. Named, non-hypothetical consumers exist today.
## Prompt: replaces
superjson replaces the default JSON-only serialization in tRPC, which would fail silently when Date objects or other non-JSON types are passed through procedure calls.
## Prompt: migration-cost-out
Low. superjson is used as the `transformer` option in the tRPC router and client configuration — two call sites in `core-shared`. Replacing it requires swapping the transformer and ensuring the replacement handles the same non-JSON types. No feature package references superjson directly.
## Prompt: alternatives-considered
1. **devalue** — Supports more types but is less mature in the tRPC ecosystem; superjson is the de-facto tRPC transformer standard.
2. **JSON-only (no transformer)** — Rejected because it silently loses type fidelity for Dates and breaks any use case that returns or receives a `Date` value.
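
The type-fidelity loss described under `Prompt: replaces` and in the JSON-only alternative, shown as an added example that is not part of this trace or the project's code. The payload shape, the `isExpired` check and the `$type` tagged encoding are assumptions for illustration; the encoding is not superjson's wire format.

```javascript
// Constructed sample: a hypothetical procedure result with non-JSON types.
function samplePayload() {
  return {
    expiresAt: new Date("2026-05-14T00:00:00.000Z"),
    roles: new Set(["admin", "auditor"]),
    limits: new Map([["uploads", 5]]),
  };
}

// What the wire does with no transformer: a plain JSON round trip.
function jsonRoundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// Illustrative tagged encoding. This is NOT superjson's wire format, and a
// real transformer must also handle user objects that carry a "$type" key.
function encode(v) {
  if (v instanceof Date) return { $type: "Date", v: v.toISOString() };
  if (v instanceof Set) return { $type: "Set", v: [...v].map(encode) };
  if (v instanceof Map) return { $type: "Map", v: [...v].map((e) => e.map(encode)) };
  if (Array.isArray(v)) return v.map(encode);
  if (v && typeof v === "object") return mapValues(v, encode);
  return v;
}

function decode(v) {
  if (Array.isArray(v)) return v.map(decode);
  if (!v || typeof v !== "object") return v;
  if (v.$type === "Date") return new Date(v.v);
  if (v.$type === "Set") return new Set(v.v.map(decode));
  if (v.$type === "Map") return new Map(v.v.map((e) => e.map(decode)));
  return mapValues(v, decode);
}

function mapValues(obj, fn) {
  return Object.fromEntries(Object.entries(obj).map(([k, x]) => [k, fn(x)]));
}

function taggedRoundTrip(value) {
  return decode(JSON.parse(JSON.stringify(encode(value))));
}

// A receiver-side check that assumes expiresAt is still a Date.
function isExpired(expiresAt, now) {
  return expiresAt <= now; // string <= Date compares NaN, so this is false
}
```

After `jsonRoundTrip`, `expiresAt` is a string and `roles` and `limits` are empty objects, so `isExpired` returns `false` for a timestamp that is already in the past and nothing throws. After `taggedRoundTrip` the same check returns `true`.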