move react-scripts & node-sass to devDependencies #6819
Conversation
|
Bundle difference
|
There was a problem hiding this comment.
Based on looking at the comment thread, the proposal, and the original pr that made the change to make it a dependency instead of a dev dependency, I don't really see an issue with this. The only thing I wish was explained better in there was why it being a dev dependency affects the promise polyfill being a runtime instead of build time dependency. I guess that'd be my concern, though given that IE11 is EOL next year, maybe it doesn't matter.
|
Also, that comment is from facebook/create-react-app, and AFAICT, we aren't using |
Last week, our builds started failing because of a vulnerability in `react-scripts` and `node-sass`, and we have a Danger rule to run `yarn audit` on the packages in the `dependencies` section. The vulnerabilities haven't been fixed yet, and so to allow us to merge PRs, we temporarily disabled the `checkYarnAudit` function in `dangerfile.ts`. While looking at the GitHub issues for these vulnerabilities that were linked in our SEV-4 incident Google Doc, I came across this [interesting comment](facebook/create-react-app#11092 (comment)) that says that in the `facebook/create-react-app` package, `react-scripts` should be listed in `devDependencies`, not `dependencies`. That got me thinking whether the packages in our `dependencies` section really belong there. AFAIK, sass is used in development and then gets compiled to CSS when the client is built. It doesn't get used at runtime. Similarly, `react-scripts` seems to be a development tool we use to run `yarn build | eject | start | test`. After putting both `node-sass` and `react-scripts` in `devDependencies`, I deployed the app using our review bot and everything seems fine. This allows us to turn the yarn audit check back on.
monfresh
force-pushed
the
mb-move-frontend-deps-to-dev-dependencies
branch
from
c7d8a84
to
699e032
Compare
monfresh
changed the title
Bundle difference
|
Description
Last week, our builds started failing because of a vulnerability in
react-scriptsandnode-sass, and we have a Danger rule to runyarn auditon the packages in thedependenciessection.The vulnerabilities haven't been fixed yet, and so to allow us to merge
PRs, we temporarily disabled the
checkYarnAuditfunction indangerfile.ts.While looking at the GitHub issues for these vulnerabilities that were
linked in our SEV-4 incident Google Doc, I came across this
interesting comment
that says that in the
facebook/create-react-apppackage,react-scriptsshould be listed indevDependencies, notdependencies.That got me thinking whether the packages in our
dependenciessectionreally belong there. AFAIK, sass is used in development and then gets
compiled to CSS when the client is built. It doesn't get used at
runtime. Similarly,
react-scriptsseems to be a development tool weuse to run
yarn build | eject | start | test.After putting both
node-sassandreact-scriptsindevDependencies,I deployed the app using our review bot and everything seems fine.
This allows us to turn the yarn audit check back on.
https://my-milmove-pr-6819.mymove.sandbox.truss.coffee
https://admin-milmove-pr-6819.mymove.sandbox.truss.coffee
https://office-milmove-pr-6819.mymove.sandbox.truss.coffee
Reviewer Notes
Is there anything you would like reviewers to give additional scrutiny?
Setup
Add any steps or code to run in this section to help others prepare to run your code:
Code Review Verification Steps
References
Screenshots
If this PR makes visible UI changes, an image of the finished UI can help reviewers and casual
observers understand the context of the changes. A before image is optional and
can be included at the submitter's discretion.
Consider using an animated image to show an entire workflow instead of using multiple images. You may want to use GIPHY CAPTURE for this! 📸
Please frame screenshots to show enough useful context but also highlight the affected regions.