Skip to content

[Swup] For Swup's dev dependencies exclusion from our yarn.lock #2221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 28, 2024
Merged

[Swup] For Swup's dev dependencies exclusion from our yarn.lock #2221

merged 1 commit into from
Sep 28, 2024

Conversation

Kocal
Copy link
Member

@Kocal Kocal commented Sep 28, 2024

Q A
Bug fix? yes/no
New feature? yes/no
Issues Fix #...
License MIT

While working on #2219, I've noticed we had a very old Rollup version that we do not use at all.
The issue comes from Swup v3, which ship its building dependencies as prod dependencies, which means we install microbundle and all its dependencies:

microbundle@^0.15.1:
  version "0.15.1"
  resolved "https://registry.npmjs.org/microbundle/-/microbundle-0.15.1.tgz"
  integrity sha512-aAF+nwFbkSIJGfrJk+HyzmJOq3KFaimH6OIFBU6J2DPjQeg1jXIYlIyEv81Gyisb9moUkudn+wj7zLNYMOv75Q==
  dependencies:
    "@babel/core" "^7.12.10"
    "@babel/plugin-proposal-class-properties" "7.12.1"
    "@babel/plugin-syntax-import-meta" "^7.10.4"
    "@babel/plugin-syntax-jsx" "^7.12.1"
    "@babel/plugin-transform-flow-strip-types" "^7.12.10"
    "@babel/plugin-transform-react-jsx" "^7.12.11"
    "@babel/plugin-transform-regenerator" "^7.12.1"
    "@babel/preset-env" "^7.12.11"
    "@babel/preset-flow" "^7.12.1"
    "@babel/preset-react" "^7.12.10"
    "@rollup/plugin-alias" "^3.1.1"
    "@rollup/plugin-babel" "^5.2.2"
    "@rollup/plugin-commonjs" "^17.0.0"
    "@rollup/plugin-json" "^4.1.0"
    "@rollup/plugin-node-resolve" "^11.0.1"
    "@surma/rollup-plugin-off-main-thread" "^2.2.2"
    asyncro "^3.0.0"
    autoprefixer "^10.1.0"
    babel-plugin-macros "^3.0.1"
    babel-plugin-transform-async-to-promises "^0.8.18"
    babel-plugin-transform-replace-expressions "^0.2.0"
    brotli-size "^4.0.0"
    builtin-modules "^3.1.0"
    camelcase "^6.2.0"
    escape-string-regexp "^4.0.0"
    filesize "^6.1.0"
    gzip-size "^6.0.0"
    kleur "^4.1.3"
    lodash.merge "^4.6.2"
    postcss "^8.2.1"
    pretty-bytes "^5.4.1"
    rollup "^2.35.1"
    rollup-plugin-bundle-size "^1.0.3"
    rollup-plugin-postcss "^4.0.0"
    rollup-plugin-terser "^7.0.2"
    rollup-plugin-typescript2 "^0.32.0"
    rollup-plugin-visualizer "^5.6.0"
    sade "^1.7.4"
    terser "^5.7.0"
    tiny-glob "^0.2.8"
    tslib "^2.0.3"
    typescript "^4.1.3"

This PR won't impact developers, it's only for our yarn.lock which contains a bunch of useless dependencies, and some of them are vulnerable too (listed on https://github.com/symfony/ux/security/dependabot)

@carsonbot carsonbot added Bug Bug Fix Feature New Feature Swup Status: Needs Review Needs to be reviewed labels Sep 28, 2024
@Kocal Kocal force-pushed the imp-swup-remove-their-dev-dependencies branch from 3c7ecaa to ae52ae5 Compare September 28, 2024 06:40
Kocal
Kocal commented Sep 28, 2024
View reviewed changes
package.json
Comment on lines +31 to +36
"@swup/prettier-config": "link:node_modules/.cache/null",
"@swup/browserslist-config": "link:node_modules/.cache/null",
"microbundle": "link:node_modules/.cache/null",
"prettier": "link:node_modules/.cache/null",
"shelljs": "link:node_modules/.cache/null",
"shelljs-live": "link:node_modules/.cache/null"
Copy link
Member Author

@Kocal Kocal Sep 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to configure Yarn resolutions to be more precise about what dependencies I want to remove, something like "@swup/plugin/microbundle": "link:node_modules/.cache/null".
Do to that, I think we must upgrade to Yarn Berry

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#2222 :)

@Kocal Kocal removed Feature New Feature Bug Bug Fix labels Sep 28, 2024
@Kocal Kocal merged commit 1720a47 into symfony:2.x Sep 28, 2024
54 of 56 checks passed
@Kocal Kocal deleted the imp-swup-remove-their-dev-dependencies branch September 28, 2024 08:16
@smnandre
Copy link
Member

Thanks a lot @Kocal 😃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Review Needs to be reviewed Swup
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Kocal @smnandre @carsonbot