Unused dependancy: brfs

[simon-paris]

Brfs is a very large module. Could it be moved to devDependancies if possible?

[devongovett]

The problem is that it's required for browserify builds. Moving it to devDependencies would require the user to know to install brfs along with fontkit, or whatever required fontkit.

[jahewson]

Perhaps it could be moved topeerDependencies? That way npm will print a message.

[Pomax]

note that if it's in devDependencies, it will still get automatically installed during an npm install run, unless the user explicitly runs npm install --production, which most people never do (but heroku etc. do)

[devongovett]

@Pomax only if you are running npm install in the fontkit folder. If you are installing something that has fontkit as a dependency (e.g. npm install pdfkit), devDependencies won't be installed.

[Pomax]

ah, right.

[devongovett]

For brotli.js I managed to get rid of brfs by writing a base64 JS string version of the binary file and using require instead of fs.readFileSync. e.g. module.exports="base64";. Maybe we can do something similar here. Currently the only file we need to read is the Unicode trie for the arabic shaper.

[awerlang]

Currently, not only brfs but also browserify-optional, from this module and also in restructure, unicode-properties. It would chop away 40% of node_modules.

[mclark-newvistas]

It would also help fix the npm audit warnings about security vulnerabilities for pdfmake. See also bpampuch/pdfmake#1639.

[RoelN]

All this talk about chopping off large chunks of depedencies makes me happy. It'd speed up Wakamai Fondue considerably. E.g. I'd only need Brotli to decompress fonts, not to compress them.

In other words, +1

[devongovett]

Unfortunately, all of those dependencies are still required. They are used for builds using browserify.

[Pomax]

@RoelN what part would it speed up, though? The runtime should not be noticably affected by the dependency.

[ghost]

Having real touble with this, npm install pdfkit --only=prod is kicking this back as a vulnerbility. From what I understand this shouldn't even be installed. Am I doing something wrong? Same issue on linebreak too.

[ghost]

@Pomax only if you are running npm install in the fontkit folder. If you are installing something that has fontkit as a dependency (e.g. npm install pdfkit), devDependencies won't be installed.

@devongovett Is this statement strictly true? I thought it depended upon the value of NODE_ENV. Please see my previous comment

[awerlang]

@GBayliss https://docs.npmjs.com/cli/install

[ghost]

@awerlang thanks, I read that and tried several permutations but I am still seeing this included when installing the downstream package (pdfkit). This fails npm audit with a vulnerability due to brfs being a primary dependency of the fontkit package as has previously been debated.

[RoelN]

@Pomax I meant in package size, reducing download time. I don't expect any real difference in runtime.