Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 124 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
name: Publish to npm

permissions: {}

on:
release:
types: [published]

jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8

- name: Use Node.js 24
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm

- name: Install dependencies
run: pnpm install --frozen-lockfile --ignore-scripts

- name: Lint code
run: pnpm lint:src

- name: Lint types
run: pnpm lint:types

- name: Run tests
run: pnpm test

- name: Build
run: pnpm build

- name: Lint exports (attw)
run: pnpm lint:exports

- name: Lint publish (publint)
run: pnpm lint:publish

build:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
tarball: ${{ steps.pack.outputs.tarball }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8

- name: Use Node.js 24
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm

- name: Install dependencies
run: pnpm install --frozen-lockfile --ignore-scripts

- name: Build
run: pnpm build

- name: Align package.json version with release tag
env:
TAG_NAME: ${{ github.ref_name }}
run: npm version "$TAG_NAME" --git-tag-version=false --allow-same-version

- name: Pack tarball
id: pack
run: |
TARBALL=$(npm pack)
echo "tarball=$TARBALL" >> "$GITHUB_OUTPUT"

- name: Upload tarball artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: tarball
path: ${{ steps.pack.outputs.tarball }}

publish:
needs:
- test
- build
runs-on: ubuntu-latest
permissions:
id-token: write
environment: publish
env:
TARBALL: ${{ needs.build.outputs.tarball }}
steps:
- name: Download tarball artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
name: tarball

- name: Use Node.js 24
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
registry-url: "https://registry.npmjs.org"

- name: Publish to npm
env:
PRERELEASE: ${{ github.event.release.prerelease }}
run: |
if [ "$PRERELEASE" = "true" ]; then
npm publish --provenance --access public --tag next "$TARBALL"
else
npm publish --provenance --access public "$TARBALL"
fi
1 change: 0 additions & 1 deletion .npmrc

This file was deleted.

3 changes: 0 additions & 3 deletions .vscode/settings.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,6 @@
"typescript.tsdk": "node_modules/typescript/lib",
"editor.defaultFormatter": "oxc.oxc-vscode",
"editor.formatOnSave": true,
"files.associations": {
".npmrc": "ini"
},
"[json]": {
"editor.defaultFormatter": "oxc.oxc-vscode"
},
Expand Down
7 changes: 3 additions & 4 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,9 @@ welcome, from issue reports to PRs and documentation / write-ups.
Before you open a PR:

- In development, run `pnpm install` to setup the dependencies for the core
package and the demo. Dependency lifecycle scripts (`postinstall`, etc.)
are disabled via `.npmrc` for supply-chain safety — pnpm still runs the
workspace's own `prepare` script, so husky installs the git hooks
automatically.
package and the demo. Dependency install scripts are gated by pnpm's
[`allowBuilds`](./pnpm-workspace.yaml) whitelist for supply-chain safety;
husky's `prepare` script runs automatically on install.
- Run `pnpm dev` to build (and watch) the package source, as well as run the
demo project which can be viewed at http://localhost:5152.
- Please ensure all the examples work correctly after your change.
Expand Down
48 changes: 48 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Security Policy

## Supported Versions

`chakra-react-select` major versions track the major version of its peer
dependency, [`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). The
two most recent majors receive security fixes; earlier majors are no longer
maintained.

| Version | Chakra UI peer | Supported |
| ------- | -------------- | ------------------ |
| 6.x | 3.x | :white_check_mark: |
| 5.x | 2.x | :white_check_mark: |
| 4.x | 2.x | :x: |
| < 4 | 1.x | :x: |

If you need a fix on an older line, please open a discussion describing the
constraint that prevents upgrading.

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues,
discussions, or pull requests.**

Report privately via
[GitHub Security Advisories](https://github.com/csandman/chakra-react-select/security/advisories/new).

Include as much of the following as you can:

- Affected version(s) of `chakra-react-select`
- A description of the issue and its impact
- Steps to reproduce, ideally with a minimal repro
- Any known mitigations or workarounds

You can expect an initial acknowledgement within a few days. Once the report
is triaged, we'll keep you updated as a fix is developed and coordinate a
disclosure timeline with you before publishing the advisory and patched
release.

### Out of scope

This package is a thin wrapper around
[`react-select`](https://github.com/JedWatson/react-select) styled with
[`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). Issues that
originate in those upstream projects should be reported to them directly:

- react-select — https://github.com/JedWatson/react-select/security
- Chakra UI — https://github.com/chakra-ui/chakra-ui/security
2 changes: 1 addition & 1 deletion codemod/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
"devDependencies": {
"@types/is-git-clean": "^1.1.2",
"@types/jscodeshift": "^17.3.0",
"@types/node": "^25.7.0",
"@types/node": "^24.12.4",
"rimraf": "^6.1.3",
"typescript": "^6.0.3",
"vitest": "^4.1.6"
Expand Down
2 changes: 0 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,6 @@
"lint:types": "tsc",
"lint-fix": "oxlint -c .oxlintrc.json --fix",
"prepare": "husky",
"prepublishOnly": "pnpm build && pnpm lint && pnpm test",
"postpublish": "git push --follow-tags",
"lint:publish": "publint",
"test": "vitest run",
"test:watch": "vitest"
Expand Down
Loading
Loading