Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only copy dependencies (and not devDependencies) #29

Open
304NotModified opened this issue Mar 1, 2021 · 3 comments
Open

Only copy dependencies (and not devDependencies) #29

304NotModified opened this issue Mar 1, 2021 · 3 comments

Comments

@304NotModified
Copy link
Contributor

304NotModified commented Mar 1, 2021
edited
Loading

  • What are you trying to do?
    I like to copy only the dependencies, and not the devDependencies

  • What feature or behavior is this required for?
    For some cases we don't like to scan the devDependencies - although there are needed for running some tests

  • How could we solve this issue? (Not knowing is okay!)
    Have the setting: devDependencies: false

  • Anything else?

Thanks!
@rpokorny
Copy link
Contributor

I haven't figured out a good way to accomplish this, and I'm also not sure it's a good idea.

Every file that this plugin copies is ostensibly one that is contributing to your output code bundle, and so is arguably a runtime dependency whether or not you have it marked as a devDependency in your package.json. Some files are certainly grey areas, like the webpack loaders. They are usually thought of as dev dependencies, but they do get included at least partially by this plugin, and they do, by their nature as code transformations, have the potential to add vulnerable code to your bundle. Of course, on the flip side, there are other dev dependencies which contribute code to the bundle which don't get picked up by this plugin, such as webpack plugins and webpack itself.

As far as the hurdles to adding this functionality to the plugin, the plugin would first need to figure out which package a given file belongs to. Aside from some messy logic looking for node_modules/<package_name> in the file's path, I'm not sure how to go about that. Then the harder task would be to figure out which packages are included only as or due to dev dependencies. For direct deps it wouldn't be too hard, just check the package.json. For transitive deps though I'd need something that can give information about the whole dependency tree. I'm not familiar enough with the node ecosystem to know how to programmatically get that information.

@mDemianchuk
Copy link

mDemianchuk commented Sep 15, 2021
edited
Loading

I like your suggestion, @304NotModified. However, you can achieve the same by only including this plugin for a desired environment:

plugins: process.env.NODE_ENV === 'production' ? [new CopyModulesPlugin({destination: 'webpack-modules'})] : []

@rpokorny
Copy link
Contributor

you can achieve the same by only including this plugin for a desired environment:

I don't believe that helps. Whether webpack is running in production mode and whether dev dependencies are involved are two separate questions. Webpack itself is a dev dependency, after all.

@304NotModified 304NotModified changed the title Only copy dependencies Only copy dependencies (and not devDependencies) Oct 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rpokorny @304NotModified @mDemianchuk