
Large dependency graph

Open kachkaev opened this issue 1 year ago • 9 comments

:wave: folks! I’ve just tried manypkg instead of check-dependency-version-consistency – looks great!

There is a minor internal issue I would like to bring up. Installing @manypkg/[email protected] adds quite a lot of transient dependencies some of which are quite dated. An example would be [email protected] that has not been updated for six years.

Because of that, the lock file gets quite polluted. Here is my diff after swapping check-dependency-version-consistency with @manypkg/cli (quite a lot of new stuff):

[Screenshot of the lock file diff, 2024-09-01]

Because the new dependency graph is quite big and parts of it are dated, there is a risk of bumping into security advisories that will be hard to address. It’d be great if the number of deps could be made smaller and libraries like spawndamnit could be replaced with something else, if possible.

Despite this small concern, great tool folks! I really like the simplicity of the DX you’ve created!

kachkaev avatar Sep 01 '24 20:09 kachkaev

We could accept a PR swapping this dependency for a lighter alternative. I'm not sure what that alternative would be though.

Andarist avatar Sep 01 '24 22:09 Andarist

@Andarist I will open a PR with some replacements - some obvious candidates that jump out to me looking at the dependency graph https://npmgraph.js.org/?q=%40manypkg%2Fcli

  • upgrading package-json will remove 21 deps
  • chalk -> picocolors
  • fast-glob -> tinyglobby
  • fs-extra is easy to remove

VanTanev avatar Oct 12 '24 16:10 VanTanev

Please just make sure that you don't change the required node version in the process.

Andarist avatar Oct 12 '24 16:10 Andarist

Current node version requirement seems to be 14.18.0. Is this the version that should be targeted? It went EoL in the beginning of 2023, but if that's the minimum requirement, I'll maintain it.

VanTanev avatar Oct 12 '24 17:10 VanTanev

I think it's preferred to maintain it within the current major line. It would be a breaking change to change it. We can consider releasing a new major too, but I don't quite have time to focus on it, so it would be better to just keep the status quo for the time being.

Andarist avatar Oct 12 '24 17:10 Andarist

Hey @Andarist, do you prefer one big PR that removes/replaces all packages, or separate PRs per package?

VanTanev avatar Oct 13 '24 06:10 VanTanev

Separate

Andarist avatar Oct 13 '24 10:10 Andarist

There is also js-yaml, which is big, for the find-root package.

riderx avatar Oct 15 '24 09:10 riderx

Also found fs/promises, which I think is not required in Node.js 14.

riderx avatar Oct 15 '24 09:10 riderx

Is there anything else we need to do for this issue? Based on the PR links above, it seems the graph has shrunk down a lot.

About js-yaml, I don't see a smaller alternative, or a way to avoid the dependency.

bluwy avatar Apr 26 '25 14:04 bluwy