"@types/node" module is declared in dependencies.

[NurimOnsemiro]

Problem description

In the grpc-js package, "@types/node" module is declared in dependencies.

"dependencies": {
    "@grpc/proto-loader": "^0.6.4",
    "@types/node": ">=12.12.47"
  },

Wouldn't it be right to move "@types/node" module from "dependencies" to "devDependencies" in the grpc-js package?

[murgatroid99]

The @grpc/grpc-js package exports types that are derived from types in the @types/node package. So, users need the @types/node package to correctly handle those types when compiling using @grpc/grpc-js exported types.

[ericmorand]

@murgatroid99 , I'm not sure I understand. Can you please give us an actual example where this dependency is required? I have been using grpc-js for months and never had the need for those @types/node at runtime.

[murgatroid99]

It's not used at runtime. It is used when users of grpc-js compile TypeScript code that uses certain grpc-js types, particularly the streaming call types.

[ericmorand]

Well, dependencies must contain only runtime dependencies.

I see that there is also @grpc/proto-loader and @types/semver as depenencies. Are they used at runtime?

[murgatroid99]

Well, dependencies must contain only runtime dependencies.

Not according to the official package.json spec. The only guidance is that dependencies should not contain tools used during development like compilers and test frameworks. dependencies is for packages that dependent libraries will need when using the library. That can be both compile-time and runtime dependencies.

I see that there is also @grpc/proto-loader and @types/semver as depenencies. Are they used at runtime?

@grpc/proto-loader is used at runtime. @types/semver is not, because it is also a typescript types package. In fact, that one should be in devDependencies. It looks like it was added to dependencies by mistake.

[thernstig]

@murgatroid99 this installs @types/nodes in production. It increases install size, container size and download speed of container images. It also introduces security scanning problems, licenses problems for any serious organizations where any FOSS included in production gets scrutinized and requires extra work.

Do you need to re-export @types/node types? Could you not instead tell people to install @node/types as a development dependency if they use TypeScript and need to use those types to transpile the TS?

This is highly debated though, see microsoft/types-publisher#81. But I think for something like @node/types it'd be ok to leave that out as anyone interested in typings and using node should have that.

[ericmorand]

Do you need to re-export @types/node types? Could you not instead tell people to install @node/types as a development dependency if they use TypeScript and need to use those types to transpile the TS?

This. And basically, it is not possible to code anything in TypeScript that depends on one of node.js library without these types, so there is not even need to tell people to install @types/node: it is a requirement for every node.js development using TypeScript.