perf!: modernized and removed commonjs support

* fix formatting issues
* remove build step from ci
* fix: passwordless npm publishing

BREAKING CHANGE: remove commonjs support, use esm instead.
The package now exclusively supports ESM.

Author: jwerre

.github/PULL_REQUEST_TEMPLATE.md

@@ -22,6 +22,7 @@ Please describe the tests that you ran to verify your changes. Provide instructi
 ## Checklist:
 
 - [ ] `npm run spell`
+- [ ] `npm run format`
 - [ ] `npm run lint`
 - [ ] `npm audit`
-- [ ] `npm test`
+- [ ] `npm test`

.github/workflows/release.yml

@@ -1,45 +1,50 @@
 name: Secrets
 
 on:
-    - push
-    - pull_request
+  - push
+  - pull_request
 
 jobs:
-    verify:
-        runs-on: ubuntu-latest
+  verify:
+    runs-on: ubuntu-latest
 
-        concurrency:
-            group: ${{ github.ref }}
-            cancel-in-progress: true
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write # Required for passwordless npm publishing
 
-        steps:
-            - uses: actions/checkout@v4
+    concurrency:
+      group: ${{ github.ref }}
+      cancel-in-progress: true
 
-            - uses: actions/setup-node@v3
-              with:
-                  node-version: 22
+    steps:
+      - uses: actions/checkout@v6
 
-            - name: Install packages
-              run: |
-                  npm ci --ignore-scripts
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24
 
-            - name: Security audit
-              run: npm audit --audit-level=moderate --omit=dev
+      - name: Install packages
+        run: |
+          npm ci --ignore-scripts
 
-            - name: Lint check
-              run: npm run lint
+      - name: Security audit
+        run: npm audit --audit-level=moderate --omit=dev
 
-            - name: Spell check
-              run: npm run spell
+      - name: Format check
+        run: npm run format
 
-            # - name: Test (tests can only be run with valid AWS API key)
-            #   run: npm test
+      - name: Lint check
+        run: npm run lint
 
-            - name: Build dist directory
-              run: npm run build
+      - name: Spell check
+        run: npm run spell
 
-            - name: Release
-              run: npm run release
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Test
+        run: npm run test:ci
+
+      - name: Release
+        run: npm run release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.npmignore

@@ -1,14 +1,3 @@
-# Source files (dist is built from these)
-lib/
-rollup.config.js
-
-# Development files
-test
-eslint.config.mjs
-.github/
-.cspell.json
-.releaserc.yaml
-
 # Documentation files that aren't needed in the package
 *.md
 !README.md
@@ -30,11 +19,19 @@ yarn-error.log*
 .npm
 
 # Development dependencies
-node_modules/
+.cspell.json
+.github/
 .nyc_output
+.prettierignore
+.prettierrc
+.releaserc.yaml
 coverage/
-rollup.config.mjs
-eslint.config.mjs
+eslint.config.js
+node_modules/
+package-lock.json
+test
+tsconfig.json
+vitest.config.ts
 
 # Git files
 .git

.prettierignore

@@ -0,0 +1,8 @@
+# Dependencies
+node_modules
+
+# Build output
+dist
+
+# Other
+*.log

.prettierrc

@@ -0,0 +1,9 @@
+{
+	"useTabs": true,
+	"tabWidth": 2,
+	"semi": true,
+	"singleQuote": true,
+	"trailingComma": "es5",
+	"printWidth": 100,
+	"endOfLine": "lf"
+}

.releaserc.yaml

@@ -1,17 +1,12 @@
 branches:
-    - master
-    - next
-    - next-major
-    - name: beta
-      prerelease: true
-    - name: alpha
-      prerelease: true
+  - master
+  - name: beta
+    prerelease: true
+  - name: alpha
+    prerelease: true
 plugins:
-    - '@semantic-release/commit-analyzer'
-    - '@semantic-release/release-notes-generator'
-    - - '@semantic-release/npm'
-      - pkgRoot: '.'
-    - - '@semantic-release/github'
-      - assets:
-          - path: 'dist/**/*'
-            label: 'Distribution files'
+  - '@semantic-release/commit-analyzer'
+  - - '@semantic-release/npm'
+    - pkgRoot: '.'
+  - - '@semantic-release/github'
+    - assets: []

README.md

@@ -13,17 +13,18 @@ npm install --save @jwerre/secrets
 ### Get all secrets
 
 ```js
-import {configSync} from '@jwerre/secrets';
+import { configSync } from '@jwerre/secrets';
 
 // Retrieve all secrets that begin with 'my-project/production/'
 const config = configSync({
 	region: 'us-east-1',
 	namespace: 'my-project',
-	env: 'production'
+	env: 'production',
 });
 ```
 
 #### Result:
+
 ```js
 {
 	name: 'My App'
@@ -48,30 +49,28 @@ const config = configSync({
 Loading _all_ your secrets may not always be the best option. It's much faster to load a single secret like this:
 
 ```js
-import {secretSync} from '@jwerre/secrets';
+import { secretSync } from '@jwerre/secrets';
 const dbCredentials = secretSync({ region: 'us-east-1', id: '/my-project/production/db' });
 ```
 
 #### Result:
+
 ```js
 {
 	username: 'admin',
 	password: 'Super$ercret!'
 }
 ```
 
-
 ### Asynchronously get all secrets
 
 In most cases, you'll want to get your configuration object synchronously before your application starts up. But, if you prefer, you can also get your secrets asynchronously like this.
 
 ```js
-import {config} from '@jwerre/secrets';
-
-( async function(){
+import { config } from '@jwerre/secrets';
 
+(async function () {
 	const appConfig = await config(options);
-
 })();
 ```
 
@@ -90,10 +89,10 @@ import {config} from '@jwerre/secrets';
 
 Your secrets should be named appropriately so they can be parsed into a proper object. They should also have an environment like 'production' or 'development' so the secrets can be loaded into the correct environment. You may use a namespace but that\'s not required. The [example](#example) above was generated from secrets with the following names:
 
--   `acme-co/production/name`
--   `acme-co/production/db`
--   `acme-co/production/session`
--   `acme-co/production/apis/google`
+- `acme-co/production/name`
+- `acme-co/production/db`
+- `acme-co/production/session`
+- `acme-co/production/apis/google`
 
 ### Delimiters
 
@@ -108,10 +107,7 @@ You'll need to give your application or service permission to access your secret
 	"Version": "2012-10-17",
 	"Statement": [
 		{
-			"Action": [
-				"secretsmanager:ListSecrets",
-				"secretsmanager:GetSecretValue"
-			],
+			"Action": ["secretsmanager:ListSecrets", "secretsmanager:GetSecretValue"],
 			"Effect": "Allow",
 			"Resource": "*"
 		}
@@ -161,13 +157,13 @@ Create a new secret in AWS Secrets Manager. This method will automatically appen
 
 Retrieve a secret from AWS Secrets Manager
 
-| Option          | Type    | Description                                                                                                                                                                                |
-| --------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| id              | String  | The secret id.                                                                                                                                                                             |
-| version         | String  | The secret version.                                                                                                                                                                        |
-| stage           | String  | Staging label attached to the version.                                                                                                                                                     |
-| raw             | Boolean | Return the full response from AWS.                                                                                                                                                         |
-| maxBuffer=65536 | Number  | Largest amount of data in Bytes the secret can be (default: 65536 Bytes) which is the quota. See [Secret Manager quotas]( https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html#quotas). |
+| Option          | Type    | Description                                                                                                                                                                                                         |
+| --------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| id              | String  | The secret id.                                                                                                                                                                                                      |
+| version         | String  | The secret version.                                                                                                                                                                                                 |
+| stage           | String  | Staging label attached to the version.                                                                                                                                                                              |
+| raw             | Boolean | Return the full response from AWS.                                                                                                                                                                                  |
+| maxBuffer=65536 | Number  | Largest amount of data in Bytes the secret can be (default: 65536 Bytes) which is the quota. See [Secret Manager quotas](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html#quotas). |
 
 ##### getSecretSync({})
 

bin/create-secrets.mjs bin/create-secrets.jsbin/create-secrets.mjs renamed to bin/create-secrets.js

@@ -24,18 +24,10 @@ program
 		'The AWS Secrets Manager region',
 		process.env.AWS_REGION || REGION
 	)
-	.option(
-		'-e, --env <environment>',
-		'Which environment to use in the secret name',
-		ENV
-	)
+	.option('-e, --env <environment>', 'Which environment to use in the secret name', ENV)
 	.option('-k, --kms <keyId>', 'KMS key id to use for encryption')
 	.option('-n, --namespace <namespace>', 'Namespace of all parameters')
-	.option(
-		'-d, --delimiter <delimiter>',
-		'Delimiter to use for secret name',
-		DELIMITER
-	)
+	.option('-d, --delimiter <delimiter>', 'Delimiter to use for secret name', DELIMITER)
 	.option('-i, --in <file>', 'Input file path (alternative to argument)')
 	.parse(process.argv);
 
@@ -57,9 +49,7 @@ async function getConfig(path) {
 		await fs.access(path, F_OK | R_OK);
 	} catch (err) {
 		console.log(err);
-		return Promise.reject(
-			`${path} ${err.code === 'ENOENT' ? 'does not exist' : 'is read-only'}.`
-		);
+		return Promise.reject(`${path} ${err.code === 'ENOENT' ? 'does not exist' : 'is read-only'}.`);
 	}
 
 	try {
@@ -97,10 +87,7 @@ function parseSecrets(obj, current) {
 			// if it's the last nested object stop recursion
 			if (Object.prototype.toString.call(value) === '[object Object]') {
 				isEnumerable = Object.keys(value).some((key) => {
-					return (
-						Object.prototype.toString.call(value[key]) ===
-						'[object Object]'
-					);
+					return Object.prototype.toString.call(value[key]) === '[object Object]';
 				});
 			}
 
@@ -135,10 +122,7 @@ function createSecrets(list) {
 			SecretString: item.value,
 		};
 
-		if (
-			Object.prototype.toString.call(params.SecretString) !==
-			'[object String]'
-		) {
+		if (Object.prototype.toString.call(params.SecretString) !== '[object String]') {
 			try {
 				params.SecretString = JSON.stringify(params.SecretString);
 			} catch {

bin/delete-secrets.mjs bin/delete-secrets.jsbin/delete-secrets.mjs renamed to bin/delete-secrets.js

@@ -48,9 +48,7 @@ function prompt(question) {
 	return new Promise(function (resolve, reject) {
 		readln.question(question, function (answer) {
 			resolve(
-				(answer &&
-					answer.length &&
-					answer.trim().toLowerCase() === 'yes') ||
+				(answer && answer.length && answer.trim().toLowerCase() === 'yes') ||
 					answer.trim().toLowerCase() === 'y'
 			);
 		});
@@ -146,9 +144,7 @@ Secret Manager. Are you sure you want to continue? [y/N] `;
 		}
 
 		if (!abort) {
-			return Promise.reject(
-				'Aborting... Nothing was deleted your secrets are safe.'
-			);
+			return Promise.reject('Aborting... Nothing was deleted your secrets are safe.');
 		}
 	}
 

bin/get-config.mjs bin/get-config.jsbin/get-config.mjs renamed to bin/get-config.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
 import { Command } from 'commander';
-import Secrets from '../lib/secrets.mjs';
 import { inspect } from 'util';
+import Secrets from '../lib/secrets.js';
 
 const ENV = 'development';
 const REGION = 'us-west-2';
@@ -18,24 +18,13 @@ program
 		'The AWS Secrets Manager region',
 		process.env.AWS_REGION || REGION
 	)
-	.option(
-		'-e, --env <environment>',
-		'Which environment to use in the secret name',
-		ENV
-	)
+	.option('-e, --env <environment>', 'Which environment to use in the secret name', ENV)
 	.option('-d, --delimiter <delimiter>', 'Secret name delimiter', DELIMITER)
 	.option('-p, --pretty', 'Pretty output')
-	.option(
-		'-a, --all',
-		'Ignore the environment and retrieve all secrets',
-		false
-	)
+	.option('-a, --all', 'Ignore the environment and retrieve all secrets', false)
 	.option('-n, --namespace <namespace>', 'Namespace of all parameters')
 	.option('-t, --time', 'Display time it takes to retrieve config')
-	.option(
-		'-m, --maxBuffer <bytes>',
-		'Largest the entire config can be in bytes (default: 3 Mb)'
-	)
+	.option('-m, --maxBuffer <bytes>', 'Largest the entire config can be in bytes (default: 3 Mb)')
 	.parse(process.argv);
 
 const options = program.opts();