Identity PF/PJ fields + complete v2 transactions coverage (plus toolchain modernization: pnpm 11, TS 6, jest 30, eslint flat config) #160
Open
cernadasjuan wants to merge 19 commits into
Mirror the Identity additions on the API side (pluggy-api PR #1659 / @pluggyai/commons 6.39.0). All new fields are optional — existing consumers keep working unchanged.

IdentityResponse gains:
- socialName, sex, maritalStatus, nationality, otherDocuments, passport (PF, from the Open Finance natural-person registrations endpoint)
- incorporationDate, parties, businessOtherDocuments (PJ, from the business registrations endpoint)
- companiesCnpj (shared)

PhoneNumber gains countryCallingCode / areaCode / extension / additionalInfo. Address gains district / ibgeTownCode / countryCode / geographicCoordinates. Qualifications gains occupationDescription, economicActivities and informedRevenue; InformedPatrimony gains an optional `date` (PJ business path returns a full date instead of a year). FinancialRelationships gains productsServicesTypeAdditionalInfo, portabilitiesReceived and paychecksBankLink. Procurator gains the documentNumber + documentType pair (cpfNumber is preserved for backward compat — for business procurators it may carry a CNPJ).

DeserializedIdentityResponse also omits the new `incorporationDate` field since it arrives as a string over the wire, matching the existing convention for `birthDate`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Replace npm with pnpm 11 (corepack-managed via packageManager field).
- Add pnpm-workspace.yaml with minimumReleaseAge=14d, trustPolicy=no-downgrade, blockExoticSubdeps, engineStrict, exact pinning via savePrefix="". Rules are documented inline.
- Declare engines.node=">=12.0.0" (the real floor enforced by jsonwebtoken, unchanged from prior behaviour) and devEngines.runtime=">=24.0.0" for contributors. No breaking change for consumers — prior published versions did not declare engines.
- Bump jsonwebtoken 9.0.2 -> 9.0.3 to pull in patched jws@4 and resolve the HMAC verification advisory (GHSA-869p-cjfg-cm3x) on the runtime path.
- CI (release + integration-tests) now uses corepack + Node 24 with pnpm cache, pnpm install --frozen-lockfile, and an audit step scoped to prod deps + signatures (--prod --audit-level=high) so dev-dep noise does not block releases.
- Drop legacy .npmrc and package-lock.json. Block them via .gitignore so accidental npm/yarn installs cannot create a second lockfile.

Note: no preinstall audit hook is used — for a public package those scripts run on consumer machines via npm/yarn and would break installs. The audit runs in CI instead.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- actions/checkout v4 -> v6.0.2
- actions/setup-node v4 -> v6.4.0

Both pinned to exact tags so workflow behaviour is reproducible across runs. v5/v6 require runner v2.327.1+ which GitHub-hosted ubuntu-latest already satisfies.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- semantic-release 22.0.12 -> 25.0.3
- @semantic-release/commit-analyzer 9.0.2 -> 13.0.1
- @semantic-release/github 9.2.5 -> 12.0.6
- @semantic-release/npm 11.0.3 -> 13.1.5
- @semantic-release/release-notes-generator 12.1.0 -> 14.1.0
- devEngines.runtime now >=24.10.0 (required by semantic-release v25)

Resolves the lodash / lodash-es high-severity advisories that were pulled in via the older semantic-release plugin tree (audit goes from 4 high + 12 moderate + 2 low to 3 high + 9 moderate + 2 low; remaining findings come from jest / typescript-eslint and ts-node and will be addressed in follow-up upgrades).

Versions are pinned to releases >=14d old to satisfy pnpm-workspace.yaml's minimumReleaseAge (12.0.7/8 and 14.1.1 are deliberately skipped, will roll forward once they age in).

No release config changes required: we use the inline `release` field in package.json (cosmiconfig file-relocation BC of v23 does not apply) and default plugin configuration (commit-analyzer/release-notes-generator v11/v14 preset BC does not apply).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ts-node was declared at root but nothing actually used it: no script invokes it, jest.config.js is JS (so jest does not need ts-node to load its config), and TypeScript test files are transformed by ts-jest, which is unrelated to ts-node. jest-config lists ts-node as an optional peer dep — only needed for jest.config.ts.

Removing it also eliminates the GHSA-73rr-hh4g-fpgx (diff@4.0.x DoS) finding from the audit, which only reached us through the unused ts-node tree.

The example/ workspace keeps its own ts-node@^10.9.1 since example scripts run via ts-node; that is untouched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- jest 29.7.0 -> 30.3.0
- ts-jest 29.2.4 -> 29.4.9
- @types/jest 29.5.12 -> 30.0.0
- @types/node 16.18.78 -> 22.19.17
- typescript 4.6.2 -> 6.0.3

Resolves the lodash / brace-expansion / micromatch advisories that were reaching us via the older jest 29 tree (audit reduces to 3 high + 9 moderate + 1 low, all in remaining dev tools and not on the runtime path).

Tsconfig adjustments required by TypeScript 6:
- Adopt Microsoft's Node 12 recommended target/module/lib config (target/lib ES2019, module/moduleResolution node16) per https://github.com/microsoft/TypeScript/wiki/Node-Target-Mapping. module=node16 here refers to TS's Node-16 resolution algorithm; the emitted output is still CommonJS because the package has no `"type": "module"`, so Node 12 consumers are unaffected.
- strict: false preserves the previous compile semantics (TS 6 flipped strict to true by default); enabling strict surfaces real but unrelated null-handling work that belongs in a separate PR.
- esModuleInterop + isolatedModules required by module=node16 and the ts-jest hybrid-module warning.
- Split into tsconfig.json (IDE + ts-jest, includes src + tests, noEmit) and tsconfig.build.json (emits only src to dist). This fixes the editor "Cannot find name 'describe'" errors on test files and keeps the build output free of test artefacts.

Source adjustments:
- tests/{auth,transactions}.test.ts and tests/utils.ts: switch from `import * as nock` to `import nock` (TS 6 rejects calling a namespace import, which is what nock's CommonJS export required). src/* is unchanged — verified that with strict: false no source changes were needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Migrate .eslintrc.js -> eslint.config.js (flat config; required by eslint 9+). .eslintignore is replaced by the `ignores` block.
- @typescript-eslint/eslint-plugin 2.16.0 -> 8.59.2
- @typescript-eslint/parser 2.16.0 -> 8.59.2
- eslint 10.0.3 -> 10.3.0
- New: @eslint/js 10.0.1, typescript-eslint 8.59.2 (flat-config helper), globals 17.6.0 (replaces the env: node sugar removed in flat config).
- Lint script: drop the legacy --ext .ts flag; flat config matches TS files via the files patterns in eslint.config.js.

No rule changes intended. Preserves the v2 recommended-preset behaviour by explicitly turning off two rules whose v8 surface area is genuinely new (not just stricter detection within an existing rule):
- @typescript-eslint/no-require-imports (net-new in v8 recommended; replaces the older v2 no-var-requires with a stricter check).
- @typescript-eslint/no-unused-vars (existed in v2 but v8 now flags const arrays consumed only by `typeof X[number]` type aliases — a pattern used widely in src/types/* for status/enum constants).

Also linterOptions.reportUnusedDisableDirectives: false, matching the v9 default (eslint 10 flipped it on).

unrs-resolver (transitive of jest@30 via jest-resolve) is added to pnpm-workspace.yaml's allowBuilds as `false`: the platform binary ships via optionalDependencies, so its postinstall script is not required for the package to work.

Resolves all advisories that were reaching us via the old @typescript-eslint v2 tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- @types/node 22.19.17 -> 16.18.126 (closest match to engines.node '>=12.0.0' that is still compatible with TypeScript 6 — the @types/node@12 stream pre-dates TS 6 lib types and fails to build).
- Add eslint-plugin-n@17.24.0 with no-unsupported-features/{node,es}-builtins rules scoped to src/**/*.ts. The plugin reads engines.node and flags any Node built-in / ES global call that is not available in that version range, so accidentally writing e.g. `fs.promises.cp(...)` (Node 16.7+) is caught at lint time instead of slipping into a published release.

This fills the gap left by the type system: @types/node@16 still permits APIs added between Node 12 and Node 16; the lint rule cuts that surface back to what engines.node actually promises.

eslint-plugin-n v18 is ESM-only and incompatible with the CJS eslint.config.js this repo uses, so we stay on v17.24.0. es-syntax checks are not enabled here — `target: "ES2019"` in tsconfig.build.json already transpiles anything newer down.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- @types/jsonwebtoken 8.5.4 -> 9.0.10 (aligns the types stream with jsonwebtoken@9 — the v8 types were paired with jsonwebtoken@8 and were merely tolerated because the typings stayed loose).
- baseApi.isJwtExpired: narrow `decoded.payload` with an explicit `jwt.JwtPayload` assertion. The v9 types surface a `string | JwtPayload` union (a JWT payload can in principle be a raw string), but Pluggy-minted tokens always carry a JSON payload with `exp`, so the runtime behaviour is unchanged — the cast just teaches the compiler the invariant that v8 silently assumed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- nock 13.5.4 -> 14.0.15 (devDep; v14 drops Node <18, fine for our Node 24 dev environment; mocking API used in tests is unchanged).
- dotenv 16.4.5 -> 17.4.2 (devDep).
- tests/setupTests.ts: pass `quiet: true` to dotenv.config() so the v17 default runtime banner (`◇ injected env (N) from .env.test`) does not clutter Jest output.

No behavioural change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…pm overrides

@semantic-release/git@10.0.1 is unmaintained since 2021 and pulls in vulnerable copies of lodash, lodash-es, braces and micromatch through its dependency chain (shared with the rest of the @semantic-release tree). Use pnpm overrides to force each transitive to its patched version — all four are patch-level bumps within the same major, so the API surface is unchanged.

Advisories resolved:
- lodash / lodash-es GHSA-r5fr-rjxr-66jc (Code Injection via _.template, HIGH)
- lodash / lodash-es GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset / _.omit, MODERATE)
- braces GHSA-grv7-fg5c-xmjg (ReDoS, HIGH)
- micromatch GHSA-952p-6rrq-rcjv (ReDoS, MODERATE)

Audit count goes from 3 high + 9 moderate + 1 low to 0 high + 5 moderate + 1 low. All remaining findings are in the jest tree (@babel/helpers, js-yaml, brace-expansion) and do not reach the runtime path; `pnpm audit --prod --audit-level=high` is clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…exact versions

Add overrides for the remaining advisories reaching us through the jest tree: @babel/helpers, js-yaml, brace-expansion (one per major in active use). With these in place `pnpm audit` is fully clean — 0 critical / 0 high / 0 moderate / 0 low — and `pnpm audit signatures` verifies all 701 packages.

While here, convert the existing @semantic-release overrides from range to exact pins to match the savePrefix: "" policy used for package.json deps. The previous range overrides had a subtle bug: `brace-expansion: '>=1.1.13'` causes pnpm to pick the *latest* matching version, which is 5.0.x — that broke semver against parents that declared `^1.1.7` (notably minimatch@3 -> brace-expansion). Exact pins side-step that and keep each major in its own lane.

brace-expansion@5.0.6 is the patched release for GHSA-jxxr-4gwj-5jf2 but is 13 days old at the time of writing, so it is also added to minimumReleaseAgeExclude with a `Remove after 2026-05-22` note — once the 14-day window closes, the exclude can come back out.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Pluggy SDK does not depend on any `@pluggyai/*` packages, so the wildcard from the skill template was a no-op. Removing it tightens the whitelist to only the documented brace-expansion@5.0.6 CVE bypass which is scheduled to come back out after 2026-05-22. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Drop the `--prod --audit-level=high` scoping from both the release.yml step and the `audit:supply-chain` package.json script. CI now fails on any vulnerability at any level, including in dev dependencies and low/moderate severities.
- Add the same audit step to integration-tests.yml so the daily scheduled run catches newly-disclosed advisories that land between releases (without needing a code change to trigger them).

The override + minimumReleaseAge configuration in pnpm-workspace.yaml keeps the lockfile at 0 vulnerabilities today; this CI gate makes sure it stays that way.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ndpoint

The GET /v2/transactions endpoint accepts two query parameters that were not surfaced by the SDK:
- dateTo: upper bound on transaction date (counterpart to dateFrom).
- ids: filter by an explicit list of transaction UUIDs, max 500 per request.

The base HTTP layer already serializes string[] params as comma-separated values, so this is purely a type addition. Both fields are now part of TransactionCursorFilters, which means they automatically propagate to fetchTransactionsCursor and to fetchAllTransactions (via Omit<TransactionCursorFilters, 'after'>).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The legacy GET /transactions page-based endpoint is being phased out in favour of the cursor-based GET /v2/transactions, which is more stable for long lists and exposes a richer filter set (dateTo, ids).

Add a JSDoc @deprecated marker pointing callers at the modern replacements:
- fetchTransactionsCursor for single-page reads
- fetchAllTransactions for a full sweep across all pages

The method itself is left intact for backward compatibility; the deprecation only surfaces in IDE tooling and in TS compiler output. Removal will be scheduled for the next major release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…migrations

- Lint footgun: surface that `pnpm run lint` runs `prettier --write` over src/ with pinned prettier@1.19.1, so anyone unaware would mass-reformat the codebase. Point at `pnpm exec eslint .` for the read-only path.
- TypeScript & Build setup: document the two-tsconfig split (tsconfig.json for IDE/ts-jest, tsconfig.build.json for emit), the explicit `strict: false` and the Microsoft-recommended Node 12 target.
- Supply-chain section: note the workspace-yaml rules and that the override block needs to be reviewed when parent deps are bumped.
- Node version surface: document the engines/devEngines/@types/node split and the eslint-plugin-n guardrail.
- Transactions row in the methods table: reflect that the v2 cursor endpoint is now the recommended path and fetchTransactions is @deprecated.
- SDK Status: bump the "Last Updated" date and mention the identity PF/PJ fields plus the v2 cursor coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pnpm resolves any unknown command against package.json scripts, so `pnpm <script>` is equivalent to `pnpm run <script>` for every script in this repo (build, lint, prettier-fix, lint:fix, lint:lockfile, audit:supply-chain, test:integration). Drop the prefix from package.json composite scripts, the CI workflows and CLAUDE.md documentation for a tighter, more idiomatic invocation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gabrielpanga approved these changes on May 21, 2026
Summary
Adds the new Pluggy API 0.24 identity PF/PJ fields and modernizes the entire SDK toolchain. The runtime surface is backward-compatible for Node 12+ consumers (`engines.node` unchanged); everything else is dev/CI tooling, supply-chain hardening, or additive feature work. After this PR, `pnpm audit` is fully clean (0/0/0/0) and CI fails on any vulnerability regression.

Feature changes (consumer-visible)
- Identity PF/PJ fields (this branch's original commit).
- `fetchTransactionsCursor` / `fetchAllTransactions` filters — expose `dateTo` and `ids` (max 500) on `TransactionCursorFilters`, matching `GET /v2/transactions` fully.
- `fetchTransactions` is now `@deprecated` — IDEs will show the page-based method struck through and point callers at the cursor-based replacements. Method itself is retained for backward compatibility.
- `engines.node: ">=12.0.0"` — explicit floor (matches what `jsonwebtoken@9` requires today, which was already the implicit minimum). No published version had declared `engines`, so this is documenting reality, not narrowing support.
- `jsonwebtoken` 9.0.2 → 9.0.3 — pulls in patched `jws@4` and resolves a known advisory on the runtime path.

Package manager: pnpm 11 + supply-chain hardening
- npm replaced with pnpm 11 (corepack-managed via the `packageManager` field).
- `pnpm-workspace.yaml` enforces:
  - `minimumReleaseAge: 14d` (versions younger than 14 days are rejected at resolve time; one short-term CVE bypass active until 2026-05-22).
  - `trustPolicy: no-downgrade` with a 90-day expiration window.
  - `engineStrict: true`, `blockExoticSubdeps: true`, exact pinning via `savePrefix: ""`.
  - `allowBuilds` — postinstall scripts are denied by default; each one needs an explicit decision (`unrs-resolver` is documented as `false`).
- `package-lock.json` and `.npmrc` removed; `.gitignore` blocks npm/yarn lockfiles from creeping back in.

TypeScript: 4.6.2 → 6.0.3 + tsconfig split
- tsconfig changes: `rootDir`, `moduleResolution: node10` + `ignoreDeprecations: "6.0"`, `esModuleInterop: true`, `isolatedModules: true` (needed by ts-jest with `module: node16`), and an explicit `strict: false` to preserve previous laxness (TS 6 flipped strict to `true` by default — enabling it surfaces real but unrelated null-handling work).
- `target: "ES2019"`, `lib: ["ES2019"]`, `module: "node16"` — Microsoft-recommended config for Node 12 consumers. Output stays CommonJS because the package has no `"type": "module"`.
- `tsconfig.json` — used by the IDE and ts-jest. Includes `src/` and `tests/`, `noEmit: true`. Fixes editor "Cannot find name 'describe'" errors on test files.
- `tsconfig.build.json` — used by `pnpm run build`. Emits only `src/` to `dist/`.
- `import * as nock from 'nock'` → `import nock from 'nock'` (TS 6 rejects calling a namespace import).
- `src/baseApi.ts` adds a one-line `decoded.payload as jwt.JwtPayload` cast required by the stricter `@types/jsonwebtoken@9` types — Pluggy-minted JWTs always carry a JSON payload, so the cast just teaches the compiler the invariant that the v8 types silently assumed.

Jest 30 + dev-dep modernization
- `jest` 29.7.0 → 30.3.0, `ts-jest` 29.2.4 → 29.4.9, `@types/jest` 29.5.12 → 30.0.0.
- `@types/node` 16.18.78 → 16.18.126 (closest match to `engines.node` that compiles cleanly with TS 6 — the @types/node@12 stream pre-dates TS 6 lib types and fails to build).
- `@types/jsonwebtoken` 8.5.4 → 9.0.10 (aligns with `jsonwebtoken@9`).
- `nock` 13.5.4 → 14.0.15, `dotenv` 16.4.5 → 17.4.2 (with `quiet: true` in `setupTests.ts` to suppress the v17 runtime banner).
- `semantic-release` 22.0.12 → 25.0.3 plus all `@semantic-release/*` plugins to their current latest. No `release` config changes required (the `release` block in `package.json` uses defaults; cosmiconfig file-relocation BC of v23 does not apply, and v11 / v14 preset BC for commit-analyzer / release-notes-generator does not apply either).
- Removed `ts-node` from root devDeps (no script invokes it; jest.config.js is JS, `ts-jest` is unrelated to ts-node). The `example/` workspace keeps its own copy.
- `devEngines.runtime.version` raised to `>=24.10.0` (required by `pnpm@11.1.3` and `semantic-release@25`).

ESLint: migrate to flat config + Node API guardrail
- `.eslintrc.js` → `eslint.config.js` (required by eslint 9+).
- `@typescript-eslint/eslint-plugin` and `@typescript-eslint/parser` 2.16.0 → 8.59.2; `eslint` 10.0.3 → 10.3.0; new deps: `typescript-eslint`, `@eslint/js`, `globals`.
- `recommended` presets kept, plus targeted `off`s for `no-require-imports` (net-new in v8 recommended) and `no-unused-vars` (v8 now flags `const` arrays consumed only by `typeof X[number]`, a pattern used throughout `src/types/*`).
- Added `eslint-plugin-n` with `no-unsupported-features/{node,es}-builtins` scoped to `src/**/*.ts`. Reads `engines.node` and statically rejects any Node API call that is not available in the supported range (e.g. `fs.promises.cp` would fail). Closes the gap left by `@types/node` (which describes a specific Node version and cannot truly constrain to Node 12).
- `eslint-plugin-n@17.24.0` chosen instead of `v18` because v18 is ESM-only and incompatible with our CJS `eslint.config.js`.

Supply-chain: dev-tree vulnerability cleanup
Patches transitive dev-dependency vulnerabilities reaching us through the `@semantic-release/*` tree (notably the unmaintained `@semantic-release/git@10.0.1`) and the `jest` tree, plus one in the eslint tree. All patches are applied via pnpm `overrides` pinned to exact versions — range overrides like `>=1.1.13` cause pnpm to pick the latest matching version, which breaks semver against parents declaring `^1.x`. Affected dev-only deps include `lodash`, `lodash-es`, `braces`, `micromatch`, `@babel/helpers`, `js-yaml`, `brace-expansion`. The single runtime-path advisory is handled separately by the `jsonwebtoken` bump documented above.

Final audit state: `pnpm audit` reports 0 critical / 0 high / 0 moderate / 0 low, and `pnpm audit signatures` verifies all 701 packages. One override (`brace-expansion@5.0.6`) is currently 13 days old and is allow-listed in `minimumReleaseAgeExclude` with a `# Remove after 2026-05-22` note (the day the 14-day window closes on the fixed version).

CI workflows
- `actions/checkout@v4` → `v6.0.2` (pinned), `actions/setup-node@v4` → `v6.4.0` (pinned).
- `npm ci` to `pnpm install --frozen-lockfile`; pnpm activated via `corepack enable` followed by a second `setup-node` call for the `cache: 'pnpm'` to find it.
- `release.yml` now runs the strict supply-chain audit step (`pnpm audit && pnpm audit signatures`) before the release. Any vulnerability at any severity fails the release.
- `integration-tests.yml` now runs the same audit step on its daily schedule, catching newly-disclosed advisories that land between releases.
- `release.yml` uses `pnpm exec semantic-release` instead of `npx`.

Documentation
- `README.md` declares the minimum supported Node version (`>=12.0.0`).
- `CLAUDE.md` refreshed with:
  - Lint footgun note (`pnpm run lint` reformats `src/` via prettier@1.19.1; use `pnpm exec eslint .` to lint without touching formatting).
  - TypeScript and build setup (two-tsconfig split, `strict: false` rationale, Node-12 target).

Test plan
- `pnpm install --frozen-lockfile` succeeds on a clean checkout (Node 24+).
- `pnpm run build` produces a clean `dist/` (CJS, declarations, no test files).
- `pnpm test` — 11/11 passing locally.
- `pnpm run audit:supply-chain` — `No known vulnerabilities found` and all 701 signatures verified.
- `release.yml` job passes on this branch when merged to master (strict audit gate is the riskiest piece — if a new advisory drops before release, it will fail and need a follow-up override).
- `integration-tests.yml` scheduled run passes.
- `example/` scripts still build (they have their own `package.json` and are untouched, but the SDK they import was rebuilt).

Follow-ups (not in this PR)
- Remove `brace-expansion` from `minimumReleaseAgeExclude` after 2026-05-22 (the patched version turns 14 days old).
- `strict: true` — would surface real null-handling work, especially around `jwt.decode` and class member initialization. Belongs in a focused PR.
- `eslint-plugin-n` (currently only Node 24 is tested).

🤖 Generated with Claude Code
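The workspace policy that the pnpm commits and the summary above describe, written out as an added illustration (this is not the repository's own pnpm-workspace.yaml). Every key is a pnpm setting the PR names; the `packages` entry, the `brace-expansion@1` override key and its placeholder version are assumptions, and `minimumReleaseAge` is written in minutes because that is the unit pnpm documents for it (the page's "14d" is shorthand). The commented-out range override shows the form the PR replaced and why.

```yaml
# Added illustration of the policy described in PR #160; not the repo's actual file.
packages:
  - example                     # assumption: the example/ workspace the commits mention

# --- Resolve-time supply-chain rules ---------------------------------------
minimumReleaseAge: 20160        # minutes = 14 days: versions younger than this are rejected
minimumReleaseAgeExclude:
  - brace-expansion@5.0.6       # Remove after 2026-05-22: patched GHSA-jxxr-4gwj-5jf2 release, <14d old
trustPolicy: no-downgrade       # never move a locked package to a version with weaker trust
engineStrict: true              # engines ranges are enforced, not merely warned about
blockExoticSubdeps: true        # transitive deps must come from the registry (no git:/URL/tarball)
savePrefix: ''                  # `pnpm add` records exact versions, not ^ ranges

# --- Lifecycle scripts: denied unless listed here with an explicit decision --
allowBuilds:
  unrs-resolver: false          # platform binary ships via optionalDependencies; postinstall unneeded

# --- Transitive advisory fixes: one exact pin per major in use ---------------
# Do NOT write a range here. The PR's earlier form,
#   brace-expansion: '>=1.1.13'
# resolves to the newest match (5.0.x) and breaks parents that declare ^1.1.7.
overrides:
  brace-expansion@5: 5.0.6
  brace-expansion@1: <patched-1.x-version>   # placeholder: take the version from the advisory
```

Because `overrides` bypass what parents declare, the block has to be re-reviewed whenever a parent dependency is bumped (the PR's CLAUDE.md note says the same); an override that outlives the advisory silently pins a stale version.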
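The CI gate described under "CI workflows", shown as an added example of a release job; this is not the repository's actual release.yml. The action tags, the corepack activation, the second setup-node call for `cache: pnpm`, the frozen-lockfile install and the audit command are the ones the PR names; the job name, the `permissions` block (least privilege for semantic-release) and the secret names are assumptions.

```yaml
# Added example modelled on the PR's description of release.yml; not the repo's file.
name: release
on:
  push:
    branches: [master]

permissions:                      # assumption: scope the token to what semantic-release needs
  contents: write
  issues: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2      # exact tag, as pinned in the PR
      - uses: actions/setup-node@v6.4.0
        with:
          node-version: 24
      # Activate the pnpm version pinned in package.json's packageManager field.
      - run: corepack enable
      # Second setup-node call: the pnpm cache can only be wired once pnpm is on PATH.
      - uses: actions/setup-node@v6.4.0
        with:
          node-version: 24
          cache: pnpm
      # Fail if the lockfile would change, so package.json and the lockfile cannot drift.
      - run: pnpm install --frozen-lockfile
      # Strict gate: any advisory at any severity, plus registry signature verification.
      - run: pnpm audit && pnpm audit signatures
      - run: pnpm build
      - run: pnpm exec semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}    # assumption: secret name
```

The audit step runs before the build and publish steps on purpose: a newly disclosed advisory fails the job before anything is released, which is the "follow-up override needed" case the test plan calls out.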
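The `string | JwtPayload` union behind the `decoded.payload as jwt.JwtPayload` cast, worked through as an added example that is not code from the Pluggy SDK. Instead of depending on jsonwebtoken, the block re-creates the shape that `@types/jsonwebtoken@9` gives `decode(token, { complete: true }).payload` with a self-contained base64url/JSON reader, then shows an `isJwtExpired` that narrows the union at runtime (a raw-string payload or a missing `exp` counts as expired, so a cached API key is simply refreshed). All function names, the `buildUnsignedToken` fixture helper and the dummy signature segment are constructed for this example.

```typescript
// Added example, not code from the Pluggy SDK. Decoding here is NOT signature
// verification: the result is fine for "should I refresh my cached API key?"
// and never for trusting the claims themselves.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// UTF-8 encode via percent-encoding so no Buffer/TextEncoder is needed.
function utf8Encode(str: string): number[] {
  const bytes: number[] = [];
  const enc = encodeURIComponent(str);
  for (let i = 0; i < enc.length; i++) {
    if (enc.charAt(i) === '%') {
      bytes.push(parseInt(enc.substring(i + 1, i + 3), 16));
      i += 2;
    } else {
      bytes.push(enc.charCodeAt(i));
    }
  }
  return bytes;
}

function utf8Decode(bytes: number[]): string {
  return decodeURIComponent(bytes.map((b) => '%' + ('0' + b.toString(16)).slice(-2)).join(''));
}

// base64url (RFC 4648 section 5) without padding, as JWT segments use it.
function base64UrlEncode(bytes: number[]): string {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = bytes.length - i;
    const triple = (bytes[i] << 16) | ((n > 1 ? bytes[i + 1] : 0) << 8) | (n > 2 ? bytes[i + 2] : 0);
    out += B64URL.charAt((triple >> 18) & 63) + B64URL.charAt((triple >> 12) & 63);
    if (n > 1) out += B64URL.charAt((triple >> 6) & 63);
    if (n > 2) out += B64URL.charAt(triple & 63);
  }
  return out;
}

// Rejects anything outside the alphabet (including '=' padding and '+' / '/').
function base64UrlDecode(s: string): number[] {
  const bytes: number[] = [];
  let acc = 0;
  let bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s.charAt(i));
    if (v < 0) throw new Error('invalid base64url character in JWT segment');
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return bytes;
}

interface JwtPayload {
  exp?: number;
  [claim: string]: unknown;
}

// Constructed fixture builder: header + payload + a dummy signature segment.
// Nothing is signed; a real verifier would reject these tokens outright.
function buildUnsignedToken(payload: object | string): string {
  const body = typeof payload === 'string' ? payload : JSON.stringify(payload);
  return [
    base64UrlEncode(utf8Encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))),
    base64UrlEncode(utf8Encode(body)),
    base64UrlEncode(utf8Encode('not-a-real-signature')),
  ].join('.');
}

// Same result type as jsonwebtoken@9's complete-mode `payload`: a JSON object,
// or the raw string when the segment is not a JSON object.
function decodeJwtPayload(token: string): string | JwtPayload {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT: expected 3 segments');
  const text = utf8Decode(base64UrlDecode(parts[1]));
  try {
    const parsed: unknown = JSON.parse(text);
    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
      return parsed as JwtPayload;
    }
  } catch {
    // not JSON at all: fall through and hand back the raw string
  }
  return text;
}

// Runtime narrowing of the union. Anything that is not a JSON payload with a
// numeric `exp` is reported as expired (fail closed), so a caller that caches
// an API key fetches a fresh one instead of reusing an odd token.
function isJwtExpired(token: string, nowSeconds: number = Math.floor(Date.now() / 1000)): boolean {
  const payload = decodeJwtPayload(token);
  if (typeof payload === 'string') return true;
  if (typeof payload.exp !== 'number') return true;
  return payload.exp <= nowSeconds;
}
```

The SDK's own cast is the right call when the token issuer is known (Pluggy mints every key with a JSON payload carrying `exp`); the type guard above is what to reach for when the token could come from anywhere, because an `as` assertion is erased at compile time and will happily read `.exp` off a string.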