ids-enterprise declares a lot of dependencies since 4.67
Describe the bug
While scanning for vulnerable and non-compliant (license) packages, we found that ids-enterprise declares a lot of dependencies since version 4.67.
To Reproduce
Output from npm info [email protected]:
[email protected] | Apache-2.0 | deps: 5 | versions: 865
Infor Design System (IDS) Enterprise Components for the web
https://github.com/infor-design/enterprise
[...]
dependencies:
d3: ^5.16.0 fsevents: * ids-identity: 4.11.11 jquery: ^3.6.0 promise-polyfill: ^8.2.3
[...]
Output from npm info [email protected]:
[email protected] | Apache-2.0 | deps: 52 | versions: 865
Infor Design System (IDS) Enterprise Components for the web
https://github.com/infor-design/enterprise
[...]
dependencies:
@wordpress/jest-puppeteer-axe: ^3.1.0 check-node-version: ^4.2.1 eslint-plugin-jasmine-jquery: ^1.0.0 highlight.js: ^11.5.1
archiver: ^5.3.1 d3: ^5.16.0 eslint-plugin-jasmine: ^4.1.2 html-loader: ^1.1.0
axe-core: ^4.3.3 eslint-config-airbnb-base: ^14.2.1 eslint: ^7.32.0 ids-css: ^1.5.0
axe-webdriverjs: ^2.3.0 eslint-plugin-babel: ^5.3.1 front-matter: ^4.0.2 ids-identity: 4.11.11
babel-eslint: ^10.1.0 eslint-plugin-compat: 3.13.0 fsevents: * jquery: ^3.6.0
browserstack-local: ^1.5.1 eslint-plugin-import: ^2.24.2 handlebars: ^4.7.7 promise-polyfill: ^8.2.3
(...and 28 more.)
[...]
Additional context https://jira.infor.com/browse/LIME-8572
@anhallbe I think I ran into this; it was the optionalDependencies we started to use. I was able to fix it by editing the package-lock.json so that it has them all removed.
"ids-enterprise": {
"version": "4.67.2",
"resolved": "https://registry.npmjs.org/ids-enterprise/-/ids-enterprise-4.67.2.tgz",
"integrity": "sha512-1auTWGCmhHjsHFE6/DnOtP1ot3z9acF877gvPZbDSSN0bQkORVj04fnMflA6N0tUe+CCKtOJ5ZoBh/sgsB1b1w==",
"requires": {
"d3": "^5.16.0",
"ids-identity": "4.11.11",
"jquery": "^3.6.0",
"promise-polyfill": "^8.2.3"
}
},
Or alternatively you can try npm ci --no-optional
I'm wondering if we should pull this out tho? Put them back as devDependencies again. The idea with these are they are for the doc site deployment not development.
I can see why they were added as optionalDependencies. However I don't think you're using them as intended, at least not based on this description.
Using --no-optional works, but I still don't think it's a good idea to have dev dependencies in there, as the default for NPM is to always try to install optionalDependencies.
I'm not sure how the doc site deployment works so I don't have a better solution in mind, but if it's possible to achieve without including stuff in dependencies or optionalDependencies that would be great ❤️
Yeah, the use case we have of lowering the amount installed via npm ci --no-optional probably isn't more important than the problem when this is deployed as a lib, and I didn't see that coming. We really just wanted a way to install the dependencies in 3 configurations (end user, dev, and web site).
This issue is now resolved.