node-argon2
[WIP] Low dependency example
Hello,
I don't know if you want to keep this open but I tried to reduce the dependencies of this (in light of recent supply chain attacks) and maybe this is of use for somebody else. This could definitely not be merged as is as it requires manual work currently to install the package (you need to know the include path for nodejs). Also it doesn't use prebuilt binaries any more obviously and I don't intend to change that.
(Just ignore the commits, the diff is the most relevant)
Kind regards Moritz
Well, considering how much this hurts usability I think this goes the wrong way.
One of our runtime dependencies, node-addon-api is a must so we can't drop that, but it comes from Node.js itself and contains no dependencies. @phc/format also pulls no dependencies but is a contender for being interned because we do not require 100% of it and could live with a subset of functionalities. @mapbox/node-pre-gyp pulls the most dependencies and I would of course like to not depend on it.
Maybe a better approach would be to prune dependencies down the tree, in popular packages such as prettier and mocha. It really bugs me that our dev dependencies pull babel even though we do not need it at all, for example.
Interesting how this led to a substantial increase in yarn.lock packages though 🤔 try yarn upgrade to see if it helps.
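To make the "which dependency pulls the most" question above measurable rather than a gut feeling, here is an added example (not node-argon2's own code) that walks an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and counts the transitive packages each direct runtime dependency drags in. The lockfile contents below are constructed for the example; the package names match the ones discussed in the thread but the versions and nested dependencies are made up.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout). Only the shape matters:
// the root entry "" lists direct dependencies, every other key is an install path.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: {
        'node-addon-api': '^5.0.0',
        '@phc/format': '^1.0.0',
        '@mapbox/node-pre-gyp': '^1.0.0',
      },
    },
    'node_modules/node-addon-api': { version: '5.0.0' },
    'node_modules/@phc/format': { version: '1.0.0' },
    'node_modules/@mapbox/node-pre-gyp': {
      version: '1.0.0',
      dependencies: { 'make-dir': '^3.0.0', tar: '^6.0.0' },
    },
    'node_modules/make-dir': { version: '3.1.0', dependencies: { semver: '^6.0.0' } },
    // hoisted semver 7 plus a nested semver 6 for make-dir: exercises nested lookup
    'node_modules/semver': { version: '7.0.0' },
    'node_modules/make-dir/node_modules/semver': { version: '6.3.0' },
    'node_modules/tar': { version: '6.1.0', dependencies: { minipass: '^3.0.0' } },
    'node_modules/minipass': { version: '3.1.0' },
  },
};

// Resolve the install path of `name` as required from the package installed at
// `fromPath`, using npm's nested node_modules rule: the closest node_modules wins,
// then walk outwards until the top-level node_modules is reached.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (candidate in packages) return candidate;
    if (base === '') return null; // not installed anywhere: inconsistent lockfile
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Set of install paths reachable from `startPath` (excluding startPath itself).
function transitiveClosure(packages, startPath) {
  const seen = new Set();
  const stack = [startPath];
  while (stack.length) {
    const current = stack.pop();
    const deps = (packages[current] && packages[current].dependencies) || {};
    for (const name of Object.keys(deps)) {
      const target = resolvePath(packages, current, name);
      if (target === null || seen.has(target)) continue;
      seen.add(target);
      stack.push(target);
    }
  }
  return seen;
}

// For each direct runtime dependency of the root package, report how many
// distinct packages it pulls in transitively (null if it cannot be resolved).
function dependencyReport(lock) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const report = {};
  for (const name of Object.keys(root.dependencies || {})) {
    const path = resolvePath(packages, '', name);
    report[name] = path === null ? null : transitiveClosure(packages, path).size;
  }
  return report;
}

console.log(dependencyReport(sampleLock));
```

Only `dependencies` of the root entry are considered, so dev-only packages such as prettier or mocha do not show up; extend the loop to `root.devDependencies` to audit those as well. Note that the count is of installed copies, so a package duplicated under nested node_modules (like semver here) is counted once per copy, which is exactly what you see on disk.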
Well, considering how much this hurts usability I think this goes the wrong way.
Yeah that's the reason I don't intend to want to get this merged the current way. Just some people may consider the fewer dependencies (especially non-dev dependencies) more important than the loss of usability.
What I also found annoying is that it seems no distribution ships a pkgconfig file for nodejs which would probably make this at least a little better to autoconfigure. Though all the nvm stuff probably would still have been a problem so probably the current way node is packaged in distributions is just not nice.
One of our runtime dependencies, node-addon-api is a must so we can't drop that, but it comes from Node.js itself and contains no dependencies. @phc/format also pulls no dependencies but is a contender for being interned because we do not require 100% of it and could live with a subset of functionalities.
Yeah I kept these two and don't want to remove them as they have no dependencies themselves and seem pretty required.
@mapbox/node-pre-gyp pulls the most dependencies and I would of course like to not depend on it.
That was the main one that I didn't like and removed. Another possibility would be to switch to node-gyp and not provide pre-built binaries which I tried before and which worked quite well but still has quite a few dependencies.
Maybe a better approach would be to prune dependencies down the tree, in popular packages such as prettier and mocha. It really bugs me that our dev dependencies pull babel even though we do not need it at all, for example.
That's another thing that would be great in the long-term but for now I didn't touch the dev packages (except updating them to the latest versions).
Interesting how this led to a substantial increase in yarn.lock packages though 🤔 try yarn upgrade to see if it helps.
I just removed the yarn.lock and added package-lock.json because that's what I'm using so I'm not sure if you mislooked or tried using yarn locally.
Thanks for still looking at this though.
That was the main one that I didn't like and removed. Another possibility would be to switch to node-gyp and not provide pre-built binaries which I tried before and which worked quite well but still has quite a few dependencies.
In the past we only used node-gyp and changed specifically because of the prebuild binaries 😆 it may be a possibility to split the library between argon2 and argon2-prebuilt or something like that.
I just removed the yarn.lock and added package-lock.json because that's what I'm using so I'm not sure if you mislooked or tried using yarn locally.
Indeed, my bad. Why though? 🤔
Just because this is a draft and I'm not using yarn so I couldn't update yarn.lock anyways. Another thing that shows why this is a draft.