carbon-components-vue
Remove @carbon/telemetry as production dependency
With @carbon/vue v2.37.1 a new production dependency on @carbon/telemetry was introduced. This leads to A LOT of other new production dependencies which all need to be approved for our product. Since I don't see that we need the telemetry in our product, I would like that to be removed again. Is this possible? My solution for now is that I installed v2.37.0 and wait for this to be fixed.
@joshblack are you able to comment here? Or would you prefer an issue raised on the monorepo?
This is a great point, however, I'm not sure what can be done here. The telemetry package is included under dependencies since that would be the only way it would be installed for consumers. Unfortunately, we can't use things like devDependencies in this space to accomplish this.
We could definitely look into minimizing the number of dependencies that we bring on in the package if that would be helpful. Also happy to talk through this and explore other options here, as well!
@joshblack Of course it would be helpful to minimize the number of dependencies for the telemetry package! But of course the best solution would be not to have it as a production dependency at all... Shall I open an issue in another repository to track this?
@KJaspers for context for the telemetry package, it's basically how we're able to understand how Carbon is being used at IBM (it only runs on GHE). Unfortunately, having it listed as a dependency is the only way we're able to consistently detect usage.
I think certain projects could use npx to drop it showing up in dependencies in a package.json (I think you had this idea, right, @lee-chase?) but effectively the package would still be there.
This telemetry can also be opt-out if you want to flag the dependencies as unused in the project, not sure if that would be helpful but figured I'd offer as many options as I can.
Let me know what you think, always happy to talk more about this too.
@lee-chase Is it possible to do the npx thing for Carbon Vue.js? I think it would not matter that the package would still be there, because I do a npm prune production before scanning the dependencies...
@joshblack What exactly do you mean by "This telemetry can also be opt-out"? How can I flag dependencies as unused in the project?
@KJaspers I just mean specifically if you have a way in your security/vulnerability system to flag dependencies as "unused" you can do that along with the CARBON_TELEMETRY_DISABLED=1 environment variable to turn it off.
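Added example, not part of the thread and not Carbon's code: for the approval concern raised in the first post, this script lists which packages are in the production tree only because of one dependency. It assumes the npm lockfile v2/v3 `packages` layout; the lockfile is constructed and `dep-a`, `dep-b`, `shared-dep` and `dev-tool` are placeholder names.

```javascript
// Constructed npm lockfile (v2/v3 "packages" layout). dep-a, dep-b, shared-dep
// and dev-tool are placeholders, not the real dependencies of either package.
const lock = { packages: {
  "": { dependencies: { "@carbon/vue": "*" }, devDependencies: { "dev-tool": "*" } },
  "node_modules/@carbon/vue": { dependencies: { "@carbon/telemetry": "*", "shared-dep": "*" } },
  "node_modules/@carbon/telemetry": { dependencies: { "dep-a": "*", "shared-dep": "*" } },
  "node_modules/dep-a": { dependencies: { "dep-b": "*" } },
  "node_modules/dep-b": {},
  "node_modules/shared-dep": {},
  "node_modules/dev-tool": { dev: true },
} };

// Resolve a required name the way Node does: nearest node_modules first,
// then each parent directory up to the project root.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Production packages reachable from the root through "dependencies" only
// (devDependencies and optionalDependencies are ignored in this example).
// `skip` is a package path to treat as if it were not installed.
function reachable(packages, skip) {
  const seen = new Set();
  const stack = [""];
  while (stack.length) {
    const from = stack.pop();
    for (const name of Object.keys(packages[from].dependencies || {})) {
      const target = resolve(packages, from, name);
      if (target && target !== skip && !seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  return seen;
}

// Packages that sit in the production tree only because of `pkgPath`.
function onlyVia(packages, pkgPath) {
  const without = reachable(packages, pkgPath);
  return [...reachable(packages, null)].filter((p) => !without.has(p)).sort();
}
console.log(onlyVia(lock.packages, "node_modules/@carbon/telemetry"));
```

To run it against a real project, replace `lock` with the parsed contents of that project's `package-lock.json`.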