-
Notifications
You must be signed in to change notification settings - Fork 3k
-
Notifications
You must be signed in to change notification settings - Fork 3k
Any way to separate production from dev dependencies in node_modules in npm 3? #9674
Comments
Just realised we're going to run into the same issue with our |
(unless we ignore the entire |
Would the |
@bcomnes right, but we check our production deps into git – which means during development (when we just do a regular |
@mhart generally, i ignore the entire |
@ashleygwilliams – yeah, a number of reasons. Even though this is a bit too strongly worded, I agree with a bunch of it: https://gist.github.com/sukima/3854887#doesnt-checking-in-node_modules-create-a-lot-of-noise-in-the-source-tree-that-isnt-related-to-my-app Also, even though npm has gotten more reliable over the years, reducing deployment dependencies on it has its advantages. Especially if you have your git repo accessible internally, then you're not relying on any external services to be up and fully functioning when deploying. Plus it's sooooo much faster than npm installing. We use shrinkwrap on some projects, so I'm not totally averse to moving over our other projects and just having to rely on npm, but I'd like to explore whether it's possible to avoid first. Same with the docker issue, yeah, it can be done and it'll increase our Docker build time, etc, etc, but then we're bending to npm's will – I'm trying to explore whether there's ways we don't have to do that. Being able to divide between production and development modules seems to be something that will pop up in a number of circumstances – like, I dunno, let's say I just want to delete my dev deps – how do I do that? Maybe there's a command to help with that already? If there is, then I could use that! |
(reading that blog post again makes me chuckle, I wonder if @mikeal still feels the same way... "All you people who added node_modules to your gitignore, remove that shit, today, it’s an artifact of an era we’re all too happy to leave behind." 😸 ) |
@mhart, i think you are right that splitting between dev and prod modules is something that will come up again. i'm looking at looks like you could autogenerate them with this: https://www.npmjs.com/package/bundled-dependencies |
This is definitely still true. The rest I'm not so sure about, I haven't had enough time to mess with npm3 to be able to tell. If you don't have native module dependencies I still think that checking them into git is easier and less error prone than other solutions, but it gets nasty with native modules because people checkin build artifacts which then cause git conflicts down the road on production machines. It's hard to call any solution which inevitably requires you to ssh in to production machines and manually resolve conflicts "simple." |
@ashleygwilliams so something like that, and then I've also just discovered |
Hmm, there is overlap unfortunately (eg, |
@mikeal native modules seem to be ok – but unless you're happy checking in all your dev deps as well as your production deps, then you might not be a happy camper with npm 3 + git at this stage. |
What about running |
@othiym23 during development it's not just the act of updating |
@othiym23 but that certainly does answer the question of how you delete dev deps, thanks! |
So... this command will at least give me a list of dev deps that don't overlap with prod deps... I think: diff -U 10000 <(npm ls --dev --parseable | sort) <(npm ls --prod --parseable | sort) | grep '^-' | sed 's/^-//g' So I can copy/paste the output of that (with some modifications to get rid of sub-deps) into my Seems... hmmm, ugly though (cause that's still a 400 line gitignore...) |
This is now on the road map (hence the |
Excellent news! 👍 |
nice! 📦 🎉 |
I don't know if this is the write place to put this so please let me know if not. But along with separating dev and prod dependencies, npm should also separate primary and secondary dependencies. It is a cluster now to open up node_modules on any sizable project. way too many folders!
cc @johnpapa |
After a bit of discussion, the CLI team has an idea of how this might be made to work. This is a candidate implementation which only requires a few small changes to npm that would also be useful in other contexts:
There are a lot of (relatively small) tweaks that need to happen here to get this landed, but they're all things that would be useful on their own. We'll work on getting to this in the next year, because this is an important workflow to support, but if people want to tackle some or all aspects of the problem above, patches are very very welcome (very). |
I know that this is being taken into consideration, which is great. But I haven't seen anyone mention private, corporate and enterprise NPM as reasons for needing this. We have a corporate NPM account and have to ship an absolute ton of JS up to Docker because we have no good way to send only what we need. We're unwilling to script an Hence, even if we wanted to run |
to tack on to what @xealot said, we have a private NPM so that we can have a central repo for common components. Our company delivers code to customers who then build the code on their systems; the issue is that they won't be able to install those common components since they only reside in our private NPM. The way we've gotten around it up until now is to use Bower for the common components, but I think that's going the way of the dinosaur and would love to use NPM for everything. |
anybody happen to know if there is a difference between:
and
? |
Just FYI, another approach one could take would be to write your This results in a file with the following structure:
I think this is a simple and effective approach, if a bit inelegant. Also, it should result in a smaller |
@thomshouse that works with npm@2, but the problem is, in npm@3 with a flattened hierarchy, you don't know what to ignore and what not to. How do you know that a particular package is being used by a prod dep? |
@mhart I'm on npm 3.5.3 and it appears to me that |
@thomshouse er, I think I'm missing something – your comment was about a |
@thomshouse sorry, I thought in your original comment you were suggesting to just manually add your top-level prod deps in |
@mhart Correct! Sorry, I realize now that my suggestion was slightly off topic. Still, hopefully it's at least somewhat relevant to what people are trying to accomplish. And yes, I was suggesting a command-based approach. I hesitated to share the command I was using as it was somewhat of a quick hack, but here it is:
It expects to be run from a path containing a package.json file, i.e. the same directory containing the node_modules directory. I believe the way I'm running the |
@ORESoftware I am pretty sure that |
@legodude17 Do you have a citation for According to the documentation, |
@sonicdoe thanks for pointing that out! I was wrong about that. In that case, @ORESoftware they are the same. |
Since there are no commits linked to this issue, it doesn't seem like it's had much traction in the past year and a half. I'm migrating to npm3 and running into this workflow issue myself. What's the 'best' current alternative to either filter out dev dependencies or explicitly include production dependencies in an npm3 flat hierarchy? I'm on Windows (so tools/commands may need to be tweaked). |
You could take a look at the
While this doesn’t allow you to exclude development dependencies in a single line, it at least allows you to exclude them by listing the direct dependencies in |
We currently check in our production dependencies to git (which allows us to git checkout a full working version of our app on our production machines), and we don't check in our dev dependencies.
Until npm@3 we've been able to specify our dev dependency directories in our
.gitignore
:There's a duplication here with what's listed in package.json and ideally there'd be a single line we could ignore (eg
node_modules_dev
or something), but up until npm@3 it wasn't too bad.The issue under npm@3 is we have literally hundreds of packages at the top level that need to be ignored – and worse, I worry that we may ignore some only to have them needed for a production dependency down the track.
Etc...
Is there anything we can do about this? Any npm command that I might be missing that will help us out? Any way to separate production from dev dependencies?
The text was updated successfully, but these errors were encountered: