
feat!: modernize toolchain (tsdown, vitest 4) and raise floor to Node 22 — v4.0.0 #33

Merged
andrenfe merged 1 commit into master from chore/modernize-build-toolchain
Jun 13, 2026

@andrenfe


Summary

Part 2 of 2 of the security plan in #31 — closes the 2 Dependabot alerts (vitest critical + esbuild low) by modernizing the toolchain, and prepares the v4.0.0 release.

⚠️ Breaking change

Node.js ≥ 22 (Node 18 and 20 are EOL). Zero API changes — all v3 code works without modification. Documented in the CHANGELOG and in the new v3→v4 section of MIGRATION.md.

Security

| Alert | Severity | Resolution |
| --- | --- | --- |
| Dependabot #34 vitest (GHSA-5xrq-8626-4rwp) | 🔴 Critical | vitest 3.2.4 → 4.1.8 |
| Dependabot #35 esbuild (GHSA-g7r4-m6w7-qqqr) | 🟡 Low | tsup → tsdown (Rolldown, no esbuild); residual esbuild via tsx is already 0.28.1 (fixed) |

npm audit: 0 vulnerabilities.

Toolchain

  • tsup → tsdown: same dual ESM/CJS output (outExtensions preserves index.js/index.cjs), target node22
  • Bonus: exports with per-condition types (index.d.ts ESM / index.d.cts CJS) + sideEffects: false → publint "All good!" and attw "No problems found" (fixes the "Masquerading as ESM" issue that the published v3 had)
  • vitest.config.ts: fixed the nonexistent option testMatch → include; thresholds in the vitest 4 format; tests/ excluded from coverage
  • @types/node ^20 → ^22

CI/CD

Skill

  • nfeio-sdk → nfeio-node-sdk (cross-SDK convention for skills.sh); fixes the broken agents.skills path in package.json; Node 22+ requirement

Verification

  • npm test -- --run → 650 tests passing on vitest 4 (no changes to the tests)
  • npm run test:coverage — thresholds 80% ok (branches 80.64%)
  • npm run build → dist/index.js + index.cjs + index.d.ts + index.d.cts, banner preserved
  • ✅ Smoke CJS (require) and ESM (import) — named + default exports + instantiation
  • publint All good! · attw --pack No problems found 🌟
  • npm run lint (0 errors) and npm run typecheck
  • npm ls esbuild → only 0.28.1 · npm audit → 0 vulnerabilities

Closes #31
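
The `npm ls esbuild` check from the verification list, generalized to any package and to nested duplicates, as an added example that is not part of this PR or the SDK. It assumes the JSON tree shape printed by `npm ls --all --json`; the sample tree, the `legacy-tool` package, and the use of the versions this PR landed on as floors are constructed for illustration.

```javascript
// Parse "major.minor.patch"; prerelease and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly below `floor`.
function isBelow(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the nested tree and return every installed copy of `name` with its path.
function findCopies(node, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && info.version) {
      hits.push({ version: info.version, path: here.join(" > ") });
    }
    hits.push(...findCopies(info, name, here));
  }
  return hits;
}

// Report copies below the floor; a transitive duplicate is what a top-level check misses.
function staleCopies(tree, floors) {
  return Object.entries(floors).flatMap(([name, floor]) =>
    findCopies(tree, name)
      .filter((c) => isBelow(c.version, floor))
      .map((c) => ({ name, floor, ...c })));
}

// Constructed sample tree; "legacy-tool" and its esbuild 0.21.5 are hypothetical.
const sampleTree = {
  name: "example-sdk", version: "4.0.0",
  dependencies: {
    vitest: { version: "4.1.8" },
    tsx: { version: "4.22.4", dependencies: { esbuild: { version: "0.28.1" } } },
    "legacy-tool": { version: "1.0.0", dependencies: { esbuild: { version: "0.21.5" } } },
  },
};
// Assumption: the versions this PR landed on are used as floors.
const FLOORS = { vitest: "4.1.8", esbuild: "0.28.1" };
console.log(staleCopies(sampleTree, FLOORS));
```

In CI, the input would be the parsed output of `npm ls --all --json`, with the job failing when `staleCopies` returns a non-empty list.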

…and 22

BREAKING CHANGE: Node.js >= 22 required (Node 18 and 20 are EOL).
No API changes - all v3 code works without modification.

Security (closes the 2 Dependabot alerts):
- vitest 3.2.4 -> 4.1.8: fixes GHSA-5xrq-8626-4rwp (critical)
- tsup -> tsdown (Rolldown): removes esbuild from the build pipeline;
  the residual esbuild (via tsx 4.22.4) already uses 0.28.1, fixing
  GHSA-g7r4-m6w7-qqqr (low)
- npm audit: 0 vulnerabilities

Toolchain:
- tsdown.config.ts replaces tsup.config.ts (same dual ESM/CJS
  output, target node22, outExtensions preserves index.js/index.cjs)
- package.json exports with per-condition types (index.d.ts ESM,
  index.d.cts CJS) - publint and attw 100% green (fixes the
  "masquerading as ESM" issue that existed in v3)
- sideEffects: false for tree-shaking
- vitest.config.ts: fixes nonexistent option testMatch -> include;
  flattened thresholds; tests/ excluded from coverage
- @types/node ^20 -> ^22

CI/CD:
- test matrix Node 22/24 (previously 18/20/22); jobs on 24.x
- actions updated to Node 24-ready majors: checkout@v6,
  setup-node@v6, upload-artifact@v7, github-script@v9, codecov@v7
  (runners execute actions on Node 24 starting 16/06/2026)

Skill:
- renamed nfeio-sdk -> nfeio-node-sdk (cross-SDK convention for
  publication on skills.sh); fixes broken path in agents.skills;
  requirement updated to Node.js 22+

Version 4.0.0 (package.json + VERSION) + CHANGELOG + MIGRATION v3->v4.

Refs #31
@github-actions


📋 OpenAPI Spec Validation

✅ All specs validated and types generated successfully

Specs processed:

  • calculo-impostos-v1.yaml - 27.90 KB, 853 lines
  • consulta-cnpj.yaml - 34.28 KB, 1128 lines
  • consulta-cpf.yaml - 3.39 KB, 83 lines
  • consulta-cte-v2.yaml - 18.33 KB, 578 lines
  • consulta-endereco.yaml - 11.17 KB, 343 lines
  • consulta-nf-consumidor.yaml - 43.41 KB, 1279 lines
  • consulta-nf.yaml - 137.87 KB, 3119 lines
  • consulta-nfe-distribuicao-v1.yaml - 53.07 KB, 1775 lines
  • nf-consumidor-v2.yaml - 293.87 KB, 7609 lines
  • nf-produto-v2.yaml - 309.41 KB, 8204 lines
  • nf-servico-v1.yaml - 257.42 KB, 6252 lines
  • nfeio.yaml - 15.86 KB, 630 lines

Generated types available as artifact in src/generated/.

@andrenfe andrenfe self-assigned this Jun 13, 2026
@andrenfe andrenfe merged commit 0ec88ca into master Jun 13, 2026
13 checks passed
@andrenfe andrenfe deleted the chore/modernize-build-toolchain branch June 13, 2026 01:54

Development

Successfully merging this pull request may close these issues.

🔒 Zero out security alerts (Dependabot + Code Scanning) and modernize toolchain → v4.0.0
