Email security@exodus.com. Do not file a public issue. See SECURITY.md for the disclosure policy.
```sh
yarn install --frozen-lockfile --ignore-scripts
yarn lint
yarn typescript
yarn test
yarn prepare # regenerates lib/ via bob
```

Source lives in `src/`. The `lib/` directory is a build artifact (gitignored) and is regenerated by `yarn prepare` before publishing.
Pin to an exact version (`npm i pkg@x.y.z`). The `.npmrc`/`.yarnrc` enforce this; do not relax it. New runtime dependencies require security review, since this library is in the trusted-code path of host apps that load remote bundles.
- One concern per PR.
- Run `yarn preflight` locally before opening: it chains `lint`, `typescript`, `test`, and `verify-pack` (which diffs the npm tarball file list against `.npm-tarball-allowlist`).
- Touching native code (`ios/`, `android/`) or anything in `src/index.tsx` related to the load path warrants extra scrutiny.
- Conventional Commits are encouraged but not enforced by hook.
Releases are cut and published manually:

```sh
# 1. bump the version in package.json (semver as appropriate)
# 2. validate everything ships clean and only the expected files:
yarn preflight
# 3. publish (the package is scoped @exodus/ so --access public is needed)
npm publish --access public
# 4. tag and push:
git tag "v$(node -p 'require(\"./package.json\").version')"
git push --follow-tags
```

If `verify-pack` fails because a legitimate new file was added, update `.npm-tarball-allowlist` in the same commit.
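The tarball check that `verify-pack` performs (referenced in the PR checklist and in the release steps above) can be sketched as follows. This is an added example, not the project's own `verify-pack` script; it assumes `.npm-tarball-allowlist` lists one tarball path per line (blank lines and `#` comments ignored) and that npm 7+ and node are available.

```bash
#!/usr/bin/env bash
# Added example of a verify-pack-style check (not the project's script).
# Assumes .npm-tarball-allowlist holds one path per line; '#' comments and
# blank lines are ignored.

# list_tarball_files: print the paths npm would publish, one per line,
# taken from the machine-readable output of a dry-run pack (npm >= 7).
list_tarball_files() {
  npm pack --dry-run --json \
    | node -e 'const r = JSON.parse(require("fs").readFileSync(0, "utf8"));
               for (const f of r[0].files) console.log(f.path);'
}

# compare_file_lists ACTUAL ALLOWLIST: succeed only if both files describe the
# same set of paths; otherwise report the differences and return 1.
compare_file_lists() {
  local actual allowed unexpected missing status=0
  actual=$(mktemp) && allowed=$(mktemp)
  sort -u "$1" > "$actual"
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$2" | sort -u > "$allowed"
  unexpected=$(comm -23 "$actual" "$allowed")   # in tarball, not allowlisted
  missing=$(comm -13 "$actual" "$allowed")      # allowlisted, not in tarball
  rm -f "$actual" "$allowed"
  if [ -n "$unexpected" ]; then
    printf 'verify-pack: in tarball but not in allowlist:\n%s\n' "$unexpected"
    status=1
  fi
  if [ -n "$missing" ]; then
    printf 'verify-pack: in allowlist but not in tarball:\n%s\n' "$missing"
    status=1
  fi
  return "$status"
}

# verify_pack: compare the real dry-run tarball against .npm-tarball-allowlist.
verify_pack() {
  local listing rc
  listing=$(mktemp)
  list_tarball_files > "$listing"
  compare_file_lists "$listing" .npm-tarball-allowlist
  rc=$?
  rm -f "$listing"
  return "$rc"
}

# Only run the real check when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--check" ]; then verify_pack; fi
```

A file that is present in the tarball but absent from the allowlist (for example a stray `.env`) fails the check, and so does an allowlisted file that the build no longer produces.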