Skip to content

[Swup] For Swup's dev dependencies exclusion from our yarn.lock #2221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 28, 2024
Merged

[Swup] For Swup's dev dependencies exclusion from our yarn.lock #2221

merged 1 commit into from
Sep 28, 2024

Conversation

Kocal
Copy link
Member

@Kocal Kocal commented Sep 28, 2024

Q A
Bug fix? yes/no
New feature? yes/no
Issues Fix #...
License MIT

While working on #2219, I've noticed we had a very old Rollup version that we do not use at all.
The issue comes from Swup v3, which ship its building dependencies as prod dependencies, which means we install microbundle and all its dependencies:

microbundle@^0.15.1:
  version "0.15.1"
  resolved "https://registry.npmjs.org/microbundle/-/microbundle-0.15.1.tgz"
  integrity sha512-aAF+nwFbkSIJGfrJk+HyzmJOq3KFaimH6OIFBU6J2DPjQeg1jXIYlIyEv81Gyisb9moUkudn+wj7zLNYMOv75Q==
  dependencies:
    "@babel/core" "^7.12.10"
    "@babel/plugin-proposal-class-properties" "7.12.1"
    "@babel/plugin-syntax-import-meta" "^7.10.4"
    "@babel/plugin-syntax-jsx" "^7.12.1"
    "@babel/plugin-transform-flow-strip-types" "^7.12.10"
    "@babel/plugin-transform-react-jsx" "^7.12.11"
    "@babel/plugin-transform-regenerator" "^7.12.1"
    "@babel/preset-env" "^7.12.11"
    "@babel/preset-flow" "^7.12.1"
    "@babel/preset-react" "^7.12.10"
    "@rollup/plugin-alias" "^3.1.1"
    "@rollup/plugin-babel" "^5.2.2"
    "@rollup/plugin-commonjs" "^17.0.0"
    "@rollup/plugin-json" "^4.1.0"
    "@rollup/plugin-node-resolve" "^11.0.1"
    "@surma/rollup-plugin-off-main-thread" "^2.2.2"
    asyncro "^3.0.0"
    autoprefixer "^10.1.0"
    babel-plugin-macros "^3.0.1"
    babel-plugin-transform-async-to-promises "^0.8.18"
    babel-plugin-transform-replace-expressions "^0.2.0"
    brotli-size "^4.0.0"
    builtin-modules "^3.1.0"
    camelcase "^6.2.0"
    escape-string-regexp "^4.0.0"
    filesize "^6.1.0"
    gzip-size "^6.0.0"
    kleur "^4.1.3"
    lodash.merge "^4.6.2"
    postcss "^8.2.1"
    pretty-bytes "^5.4.1"
    rollup "^2.35.1"
    rollup-plugin-bundle-size "^1.0.3"
    rollup-plugin-postcss "^4.0.0"
    rollup-plugin-terser "^7.0.2"
    rollup-plugin-typescript2 "^0.32.0"
    rollup-plugin-visualizer "^5.6.0"
    sade "^1.7.4"
    terser "^5.7.0"
    tiny-glob "^0.2.8"
    tslib "^2.0.3"
    typescript "^4.1.3"

This PR won't impact developers, it's only for our yarn.lock which contains a bunch of useless dependencies, and some of them are vulnerable too (listed on https://github.com/symfony/ux/security/dependabot)

@carsonbot carsonbot added Bug Bug Fix Feature New Feature Swup Status: Needs Review Needs to be reviewed labels Sep 28, 2024
@Kocal Kocal force-pushed the imp-swup-remove-their-dev-dependencies branch from 3c7ecaa to ae52ae5 Compare September 28, 2024 06:40
Kocal
Kocal commented Sep 28, 2024
View reviewed changes
package.json
Comment on lines +31 to +36
"@swup/prettier-config": "link:node_modules/.cache/null",
"@swup/browserslist-config": "link:node_modules/.cache/null",
"microbundle": "link:node_modules/.cache/null",
"prettier": "link:node_modules/.cache/null",
"shelljs": "link:node_modules/.cache/null",
"shelljs-live": "link:node_modules/.cache/null"
Copy link
Member Author

@Kocal Kocal Sep 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to configure Yarn resolutions to be more precise about what dependencies I want to remove, something like "@swup/plugin/microbundle": "link:node_modules/.cache/null".
Do to that, I think we must upgrade to Yarn Berry

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#2222 :)

@Kocal Kocal removed Feature New Feature Bug Bug Fix labels Sep 28, 2024
@Kocal Kocal merged commit 1720a47 into symfony:2.x Sep 28, 2024
54 of 56 checks passed
@Kocal Kocal deleted the imp-swup-remove-their-dev-dependencies branch September 28, 2024 08:16
@smnandre
Copy link
Member

Thanks a lot @Kocal 😃

@Kocal Kocal mentioned this pull request Jul 21, 2025
Merged
Kocal added a commit that referenced this pull request Jul 21, 2025
@Kocal
minor #2932 Replace Yarn Berry by PNPM (Kocal)
b096ecc 
This PR was merged into the 2.x branch.

Discussion
----------

Replace Yarn Berry by PNPM

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no <!-- please update src/**/CHANGELOG.md files -->
| Docs?         | no <!-- required for new features -->
| Issues        | Fix #... <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License       | MIT

<!--
Replace this notice by a description of your feature/bugfix.
This will help reviewers and should be a good start for the documentation.

Additionally (see https://symfony.com/releases):
 - Always add tests and ensure they pass.
 - For new features, provide some code snippets to help understand usage.
 - Features and deprecations must be submitted against branch main.
 - Update/add documentation as required (we can help!)
 - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry
 - Never break backward compatibility (see https://symfony.com/bc).
-->

Purely internal, this PR replaces Yarn by PNPM for the following reasons:
- when working on #2222, I tried to use PNPM instead but it was not possible to not install [Swup "dev"-dependencies](#2221), this is now possible
- it is [more efficient and performant](https://pnpm.io/benchmarks), and better for your disk
- it has more [features](https://pnpm.io/feature-comparison), better Workspaces support and [Catalogs](https://pnpm.io/catalogs) 🤩
- commands to release packages on npm are simpler

For developers working on UX, [pnpm can be installed with Corepack](https://pnpm.io/installation#using-corepack)

Note: the ~26k lines changed are mainly about lock files

Commits
-------

17a4bb7 Replace Yarn Berry by PNPM
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Review Needs to be reviewed Swup
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Kocal @smnandre @carsonbot