consider removing update-notifier?

[jimmywarting]

... to reduce dependencies and increase speed

Considering all the kind of packages that is being installed for just getting update notification is not so much worth it IMO.
https://npm.anvaka.com/#/view/2d/update-notifier

quite a few have have dependa bot or similar in there workflow and use of ^, * and ~ to makes it less important
also every time a ci workflow happens it needs to download all this packages in vain.

Time to install only update-notifier in a empty project:

• created 1 461 708 byte (3,2 MB on drive) for 703 files
• npm added 91 packages, and audited 92 packages in 17s

This is not something everyone wants to have in there workflow/pipeline. it's non essential

More afraid that any of this 91 sub dependencies gets a vulnerability (like it already did once: #2182)

└─┬ update-notifier@5.1.0
  ├─┬ boxen@5.0.1
  │ ├─┬ ansi-align@3.0.0
  │ │ └─┬ string-width@3.1.0
  │ │   ├── emoji-regex@7.0.3
  │ │   ├── is-fullwidth-code-point@2.0.0
  │ │   └─┬ strip-ansi@5.2.0
  │ │     └── ansi-regex@4.1.0
  │ ├── camelcase@6.2.0
  │ ├── chalk@4.1.1 deduped
  │ ├── cli-boxes@2.2.1
  │ ├─┬ string-width@4.2.2
  │ │ ├── emoji-regex@8.0.0
  │ │ ├── is-fullwidth-code-point@3.0.0
  │ │ └─┬ strip-ansi@6.0.0
  │ │   └── ansi-regex@5.0.0
  │ ├── type-fest@0.20.2
  │ ├─┬ widest-line@3.1.0
  │ │ └── string-width@4.2.2 deduped
  │ └─┬ wrap-ansi@7.0.0
  │   ├── ansi-styles@4.3.0 deduped
  │   ├── string-width@4.2.2 deduped
  │   └── strip-ansi@6.0.0 deduped
  ├─┬ chalk@4.1.1
  │ ├─┬ ansi-styles@4.3.0
  │ │ └─┬ color-convert@2.0.1
  │ │   └── color-name@1.1.4
  │ └─┬ supports-color@7.2.0
  │   └── has-flag@4.0.0
  ├─┬ configstore@5.0.1
  │ ├─┬ dot-prop@5.3.0
  │ │ └── is-obj@2.0.0
  │ ├── graceful-fs@4.2.6
  │ ├─┬ make-dir@3.1.0
  │ │ └── semver@6.3.0
  │ ├─┬ unique-string@2.0.0
  │ │ └── crypto-random-string@2.0.0
  │ ├─┬ write-file-atomic@3.0.3
  │ │ ├── imurmurhash@0.1.4
  │ │ ├── is-typedarray@1.0.0
  │ │ ├── signal-exit@3.0.3
  │ │ └─┬ typedarray-to-buffer@3.1.5
  │ │   └── is-typedarray@1.0.0 deduped
  │ └── xdg-basedir@4.0.0 deduped
  ├── has-yarn@2.1.0
  ├── import-lazy@2.1.0
  ├─┬ is-ci@2.0.0
  │ └── ci-info@2.0.0
  ├─┬ is-installed-globally@0.4.0
  │ ├─┬ global-dirs@3.0.0
  │ │ └── ini@2.0.0
  │ └── is-path-inside@3.0.3
  ├── is-npm@5.0.0
  ├── is-yarn-global@0.3.0
  ├─┬ latest-version@5.1.0
  │ └─┬ package-json@6.5.0
  │   ├─┬ got@9.6.0
  │   │ ├── @sindresorhus/is@0.14.0
  │   │ ├─┬ @szmarczak/http-timer@1.1.2
  │   │ │ └── defer-to-connect@1.1.3
  │   │ ├─┬ cacheable-request@6.1.0
  │   │ │ ├─┬ clone-response@1.0.2
  │   │ │ │ └── mimic-response@1.0.1 deduped
  │   │ │ ├─┬ get-stream@5.2.0
  │   │ │ │ └── pump@3.0.0 deduped
  │   │ │ ├── http-cache-semantics@4.1.0
  │   │ │ ├─┬ keyv@3.1.0
  │   │ │ │ └── json-buffer@3.0.0
  │   │ │ ├── lowercase-keys@2.0.0
  │   │ │ ├── normalize-url@4.5.1
  │   │ │ └─┬ responselike@1.0.2
  │   │ │   └── lowercase-keys@1.0.1 deduped
  │   │ ├─┬ decompress-response@3.3.0
  │   │ │ └── mimic-response@1.0.1 deduped
  │   │ ├── duplexer3@0.1.4
  │   │ ├─┬ get-stream@4.1.0
  │   │ │ └─┬ pump@3.0.0
  │   │ │   ├─┬ end-of-stream@1.4.4
  │   │ │   │ └── once@1.4.0 deduped
  │   │ │   └─┬ once@1.4.0
  │   │ │     └── wrappy@1.0.2
  │   │ ├── lowercase-keys@1.0.1
  │   │ ├── mimic-response@1.0.1
  │   │ ├── p-cancelable@1.1.0
  │   │ ├── to-readable-stream@1.0.0
  │   │ └─┬ url-parse-lax@3.0.0
  │   │   └── prepend-http@2.0.0
  │   ├─┬ registry-auth-token@4.2.1
  │   │ └─┬ rc@1.2.8
  │   │   ├── deep-extend@0.6.0
  │   │   ├── ini@1.3.8
  │   │   ├── minimist@1.2.5
  │   │   └── strip-json-comments@2.0.1
  │   ├─┬ registry-url@5.1.0
  │   │ └── rc@1.2.8 deduped
  │   └── semver@6.3.0
  ├─┬ pupa@2.1.1
  │ └── escape-goat@2.1.1
  ├─┬ semver-diff@3.1.1
  │ └── semver@6.3.0
  ├─┬ semver@7.3.5
  │ └─┬ lru-cache@6.0.0
  │   └── yallist@4.0.0
  └── xdg-basedir@4.0.0

[novemberborn]

Thanks for the feedback. Minimizing (transitive) dependencies is not a goal of this project. We do want people to upgrade, especially within teams where folks should remain on the same point release to avoid compatibility issues.

[Siilwyn]

Please consider this! I'm currently looking into switching away from Ava because of this. Updating the dependency should not be the responsibility of the dependency itself.

For anybody also looking around this awesome list seems to contain some interesting options: https://github.com/talentlessguy/awesome-node-esm#testing

[novemberborn]

@Siilwyn I reckon that when update-notifier was introduced, the recommendation was to install AVA globally. We no longer recommend that, so yea you're point about letting developers update their project dependencies without prompting is well taken.

@sindresorhus what do you think?

[sindresorhus]

@sindresorhus what do you think?

👍

[novemberborn]

@Siilwyn would you like to submit a PR to remove this?

[jimmywarting]

#2775

[Siilwyn]

Awesome!