Reduce dependencies where prudent #6658
Comments
honestly we could also make rimraf an optional dep, it's exclusively used for That being said, what is the primary motivation for this? All of these only affect code size of the CLI and we don't update them ever.
I assume it's motivated by the recent malicious takeover of the popular package
Could we replace
Sure, but if we're not updating them and we're not currently exposed, then it seems like a lot of work for no immediate need. If this is our concern, I think it might make more sense to institute some harsher check on bringing in/updating dependencies rather than going to remove our existing ones before we need to for example. EDIT: Or pinning our dependencies more strictly, etc
Sorry, should have put more of a scope on this. More dependencies aren't necessarily a negative, but they definitely aren't a positive. If we can reduce the number of dependencies while maintaining the features we want and not creating pain in development or maintenance, that's a good thing.
Testing it out, the main thing that we'd need to fix to match master would be manually bolding the question text and overriding their ctrl-c handler (which is stomping on ours in the timeout case). I think arguably
Gotcha! Scope makes more sense now thanks! :)
@brendankenny I maintain enquirer and would be happy to help or answer questions. FWIW, both of the things you mentioned should be easy to do with Enquirer. We should be able to override the ctrl-c handler by setting a custom action name on the
Just noticed the
I wouldn't remove rimraf, it has some nifty retry mechanism for windows... If there is another one that does the same, feel free to switch.
this is also an issue that could live eternally. Let's close and going forward I'll try to focus my unease on specific ideas :)
It's been a while since we've audited these :)
https://npm.anvaka.com/#/view/2d/lighthouse

Our biggest win would be to get rid of `update-notifier`. It brings in 52 indirect dependencies. Yarn just does this check themselves, or we could just not do it. Removing `update-notifier` would bring us from 174 deps to 122.

Next would be `inquirer`, which we use just for the prompt on if we can use Sentry on first run of the CLI. Not sure what happened in that community, but there's basically a reimplementation with an almost exact API match in `enquirer`, and it only has one dep. This would bring us from 122 deps down to 92.

Replacing `yargs` with `commander` would remove 15 dependencies.

Moving `chrome-launcher`'s `@types` deps to dependency deps would remove 4 dependencies

After that comes

- `configstore` (12 deps)
- `rimraf` (12 deps)
- `raven` (9 deps)

Though I'm not sure if we can do much about `configstore` and `raven`, and the competitors to `rimraf` tend to also use its only dependency, `glob`, so have the same or more dependencies.
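
The audit above ranks direct dependencies by how many packages each one pulls into the tree. As an added example (not part of the original issue or of the project's code), the sketch below computes that figure for a constructed graph with hypothetical package names. It reports how many packages actually leave the tree when one direct dependency is removed, which is smaller than the subtree size whenever transitive dependencies are shared.

```javascript
// Constructed dependency graph: package name -> its direct dependencies.
// Every name here is hypothetical; a real graph would be built from a lockfile.
const graph = {
  'app': ['notifier', 'prompt', 'cleaner', 'args'],
  'notifier': ['http-client', 'semver-lite', 'box-draw'],
  'http-client': ['url-parse', 'shared-util'],
  'box-draw': ['ansi-color'],
  'prompt': ['ansi-color', 'shared-util', 'keypress'],
  'cleaner': ['globber'],
  'globber': ['shared-util'],
  'args': [],
  'semver-lite': [], 'url-parse': [], 'shared-util': [],
  'ansi-color': [], 'keypress': [],
};

// Every package reachable from `root`, excluding `root` itself.
// `skip` names one direct dependency of `root` to treat as removed.
function reachable(graph, root, skip = null) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    for (const dep of graph[name] || []) {
      if (name === root && dep === skip) continue; // drop only the root's own edge
      if (!seen.has(dep)) {
        seen.add(dep); // the seen set also guards against cycles
        stack.push(dep);
      }
    }
  }
  return seen;
}

// For each direct dependency: its subtree size (itself included) and the
// number of packages that disappear from the tree if it is removed.
function removalSavings(graph, root) {
  const total = reachable(graph, root).size;
  return graph[root]
    .map((dep) => ({
      dep,
      subtree: reachable(graph, dep).size + 1,
      saved: total - reachable(graph, root, dep).size,
    }))
    .sort((a, b) => b.saved - a.saved);
}

console.table(removalSavings(graph, 'app'));
```

In the constructed graph, `notifier` has a subtree of 7 packages but removing it saves only 5, because `shared-util` and `ansi-color` are still required by other direct dependencies.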