vis init

Initialize vis.config.ts with best-practice security defaults

Initialize a vis.config.ts configuration file with best-practice security defaults. In interactive mode, guides you through setting up supply-chain providers (Socket.dev and/or deps.dev), build script approval, git hooks, and PM config sync.

Usage

vis init [options]

Examples

# Interactive setup wizard
vis init

# Create minimal config without prompts
vis init --no-interactive

# Overwrite existing config
vis init --force

# Also sync to native PM config files
vis init --sync-native

# Print the workspace-relative $schema refs to paste into project.json / vis.config.ts
vis init --schema

Options

Option            Default  Description
--force           false    Overwrite existing config file
--no-interactive  false    Skip interactive prompts
--sync-native     false    Sync settings to native PM config files
--schema          false    Print workspace-relative $schema paths for project.json and vis.config.ts, then exit

Interactive Wizard

The wizard walks through:

  1. Socket.dev — Enable supply-chain security scanning (Basic-auth token; opt-in)
  2. deps.dev — Enable Google's OpenSSF Scorecard + GHSA advisory provider (no auth; opt-in). Can run alongside Socket — the two providers merge results, deduped by alert id.
  3. Build scripts — Scan and approve packages with build scripts
  4. Minimum release age — Optionally block freshly-published versions. Defaults to 2880 minutes (2 days) when accepted.
  5. Git hooks — Set up pre-commit hooks with lint-staged
  6. PM sync — Sync security settings (allowBuilds + minimumReleaseAge) into the native PM config files (pnpm pnpm-workspace.yaml, bun bunfig.toml/package.json, npm .npmrc, yarn berry .yarnrc.yml)
  7. Migration detection — Detect competing monorepo tools (Nx, Turbo) and offer migration

Static (non-interactive) defaults

vis init --no-interactive writes a config with security.minimumReleaseAge: 2880 plus the secure defaults applied automatically by defineConfig(). When combined with --sync-native the value is also mirrored into the active package manager's native config.

  • vis security sync — re-push the current vis.config values to the PM-native config after editing.
  • vis security list — inspect the build-script triage and the drift report.
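
What the 2880-minute minimum release age means for a concrete package, as an added example (not code from vis or its documentation). It assumes publish times are read from the `time` map of an npm registry packument; the function names, the sample data and the choice to block versions with an unreadable timestamp are illustrative assumptions.

```javascript
// Added illustration, not vis source code: a minimum-release-age gate.
// Assumption: publish times come from the `time` map of an npm registry packument.
const MINIMUM_RELEASE_AGE_MINUTES = 2880; // default named on this page (2 days)

// Constructed sample data shaped like a packument `time` field.
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2024-06-10T09:00:00.000Z",
  "1.0.0": "2024-01-01T00:00:00.000Z",
  "1.1.0": "2024-06-07T12:00:00.000Z",
  "1.2.0": "2024-06-09T18:30:00.000Z",
  "1.3.0": "not-a-date",
};
const SAMPLE_NOW = new Date("2024-06-10T12:00:00.000Z"); // constructed "current" time

// Classify each version as allowed or blocked at time `now`.
// Fails closed: a missing, unparseable or future timestamp blocks the version.
// Assumption: a version exactly at the threshold counts as old enough.
function evaluateReleaseAge(time, now, minAgeMinutes = MINIMUM_RELEASE_AGE_MINUTES) {
  const results = [];
  for (const [version, published] of Object.entries(time)) {
    if (version === "created" || version === "modified") continue; // metadata keys
    const publishedMs = Date.parse(published);
    if (Number.isNaN(publishedMs)) {
      results.push({ version, allowed: false, reason: "unknown publish time" });
      continue;
    }
    const ageMinutes = Math.floor((now.getTime() - publishedMs) / 60000);
    const allowed = ageMinutes >= minAgeMinutes;
    const reason = allowed
      ? "old enough"
      : `published ${ageMinutes} min ago, needs ${minAgeMinutes}`;
    results.push({ version, allowed, ageMinutes, reason });
  }
  return results;
}

// Versions an install should refuse to resolve to under the policy.
function blockedVersions(time, now, minAgeMinutes) {
  return evaluateReleaseAge(time, now, minAgeMinutes)
    .filter((r) => !r.allowed)
    .map((r) => r.version);
}

console.log(evaluateReleaseAge(SAMPLE_TIME, SAMPLE_NOW));
```

With the sample data, 1.2.0 (published 1050 minutes before the sample time) and 1.3.0 (no readable timestamp) are blocked, while 1.0.0 and 1.1.0 pass.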