From 6b20ea4085a1b780afba860c894e95ff130646b5 Mon Sep 17 00:00:00 2001
From: Shinsuke Kagawa
Date: Mon, 30 Mar 2026 23:23:18 +0900
Subject: [PATCH 1/2] chore: migrate circular dependency checker from madge to dpdm

madge has stale indirect dependencies with known security vulnerabilities (brace-expansion ReDoS) that are not being addressed upstream. As a boilerplate, shipping an unmaintained tool with audit warnings is irresponsible. dpdm is actively maintained (last release 2026-01), uses TypeScript compiler API directly, and has a shallower dependency tree.
- Remove madge and .madgerc configuration
- Add dpdm with equivalent CLI options for check:deps
- Remove unused check:deps:graph script (graph.svg was never generated)
- Bump version to 1.19.1
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .madgerc | 14 --------------
 package.json | 7 +++----
 2 files changed, 3 insertions(+), 18 deletions(-)
 delete mode 100644 .madgerc
diff --git a/.madgerc b/.madgerc
deleted file mode 100644
index 4af54c2..0000000
--- a/.madgerc
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "fileExtensions": ["ts"],
- "excludeRegExp": [
- "__tests__",
- "\\.test\\.ts$",
- "\\.spec\\.ts$"
- ],
- "detectiveOptions": {
- "ts": {
- "skipTypeImports": true
- }
- },
- "tsConfig": "./tsconfig.json"
-}
\ No newline at end of file
diff --git a/package.json b/package.json
index 2f07779..446a64d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "create-ai-project",
- "version": "1.19.0",
+ "version": "1.19.1",
 "packageManager": "npm@10.8.2",
 "description": "TypeScript boilerplate with skills and sub-agents for Claude Code. Prevents context exhaustion through role-based task splitting.",
 "keywords": [
@@ -50,8 +50,7 @@
 "check": "biome check src",
 "check:fix": "biome check --write src",
 "check:unused": "knip --include exports",
- "check:deps": "madge --circular --extensions ts src",
- "check:deps:graph": "madge --extensions ts --image graph.svg src",
+ "check:deps": "dpdm --no-warning --no-tree --exit-code circular:1 --ext .ts --exclude \"__tests__|.test.ts$|.spec.ts$\" --tsconfig ./tsconfig.json -T \"src/**/*.ts\"",
 "check:code": "npm run check && npm run check:unused && npm run check:deps && npm run build",
 "check:all": "npm run check:code && npm run test",
 "cleanup:processes": "bash ./scripts/cleanup-test-processes.sh",
@@ -71,7 +70,7 @@
 "husky": "^9.1.7",
 "knip": "^5.0.0",
 "lint-staged": "^16.1.0",
- "madge": "^8.0.0",
+ "dpdm": "^4.0.0",
 "tsc-alias": "^1.8.7",
 "tsx": "^4.19.4",
 "typescript": "^5.0.0",
From 12b274b3c41e2bb7a576d3fd6d845b951c4a4611 Mon Sep 17 00:00:00 2001
From: Shinsuke Kagawa
Date: Mon, 30 Mar 2026 23:24:06 +0900
Subject: [PATCH 2/2] docs: add v1.19.1 changelog entry for madge to dpdm migration

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96c1392..30608c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
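Review bot: In package.json's new `check:deps` script (hunk `@@ -50,8 +50,7 @@`), the `--exclude` value `__tests__|.test.ts$|.spec.ts$` leaves the dots unescaped, unlike the removed `.madgerc` patterns (`\\.test\\.ts$`). As a regular expression it therefore also matches ordinary source files, for example a constructed `src/latest.ts` or `src/contest.ts`, and those would silently drop out of the circular-dependency check. dpdm documents `node_modules` as the default for `--exclude`, so passing a value appears to replace that default too; this is worth confirming against the installed dpdm version. I would write the option as `--exclude \"node_modules|__tests__|\\.test\\.ts$|\\.spec\\.ts$\"`.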
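Review bot: The devDependencies swap to `"dpdm": "^4.0.0"` in package.json (hunk `@@ -71,7 +70,7 @@`) arrives without any lockfile change; the diffstat for patch 1/2 lists only `.madgerc` and `package.json`. If the repository commits a `package-lock.json`, it still resolves madge and `npm ci` will reject the mismatch. If it does not, the caret range means the tree that replaces madge is only resolved at install time, so this series does not itself show that the brace-expansion advisory is gone. Regenerating the lockfile in the same commit and recording the `npm audit` result in the description would make the security claim checkable.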
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.19.1] - 2026-03-30 + +### Changed + +- Migrate circular dependency checker from madge to dpdm. madge has stale indirect dependencies with known security vulnerabilities (brace-expansion ReDoS) that are not being addressed upstream. dpdm is actively maintained and uses TypeScript compiler API directly with a shallower dependency tree. +- Remove `.madgerc` config file (settings migrated to dpdm CLI options) +- Remove unused `check:deps:graph` script + ## [1.19.0] - 2026-03-30 ### Changed