fix: minimize production dependency tree#1244
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
dsanders11
left a comment
dsanders11
left a comment
There was a problem hiding this comment.
If the goal is just to drop "heavy" dependencies as in the title, I don't like several of these changes.
debugis small and only has one transitive dependency, but we're losing the richer functionality and consistency across our other packages that usedebugdetect-libcI could take or leave, but it's zero dependencyorais heavy and we should drop it, but there's zero dependency alternatives rather than rolling our own. We have multiple packages that currently use spinners (most useora), we should migrate them all to the same alternative rather than having each package roll its own implementation that will drift. Or even create@electron/spinner, if we're insistent on cutting third-party dependencies.- We specifically kept
graceful-fswhen we did the Node 22 migration, we should not drop it here.
|
Apologies @dsanders11 this was intended to be a draft PR, twas not ready for prime time
I'll rephrase the title, the objective is to drop as many dependencies as is reasonable regardless of weight
Agree on this, was chatting with @erickzhao we have a funky thing in here that confused some stuff.
It's a zero-dependency thing that was trivial to re-implement and avoid a supply-chain risk 🤷 Seems like a free win to inline it
Yeah this one I'm not sure about, tbh I think we should just remove the spinner. I don't think anyone actually uses the CLI anymore (it's just the hook for use in packager or forge).
I didn't have that context but on discussion with @erickzhao I don't see a reason to keep it in this module? The only heavy operations that could possible trigger EMFILE (as I understand it the only reason to use this module) are in the cache implementation and whilst both are unbounded neither are going to operate on enough files to trip that behavior. There are zero historical reports (even predating fs-extra) of EMFILE in this repo: ref and I don't think we should keep a dependency for basic fs operations out of FUD 🤔 |
MarshallOfSound
force-pushed
the
sam/reduce-dependencies
branch
from
b4ebcdb to
f43fb14
Compare
MarshallOfSound
changed the title
I'm fine with removing the spinner, and I'd prefer removing it all together over rolling our own here.
A bit more context here. For the usage in this particular repo we might be safe to remove it, but I do have a memory (can't find PR at the moment) of us getting bit on one package during the Node 22 transition where we restored it, which was part of the reason we opted to leave it in repos during that transition. Also, |
Yeah I saw that too, minimizing the tree is still important too me. If we have strong reason to believe something will break as a result of removing it I'm happy to put it back (it's also trivial to put back) but right now it seems like a branch we can snip off relatively easily I cleaned up the other removals and such, should be in a better spot now |
Replace several third-party dependencies with small inline implementations or Node.js builtins: - debug → minimal logger gated on DEBUG env var - detect-libc → process.report-based glibc/musl detection - got → native fetch - graceful-fs → node:fs (drop promisifiedGracefulFs wrapper) - ora → tiny TTY spinner using util.styleText - semver, tar, yargs → node builtins / simpler equivalents Also bumps node-gyp to ^12.2.0.
- Restore `debug` dependency for consistency with other @electron packages - Remove spinner entirely instead of inlining (CLI is primarily a packager/forge hook, not used directly) - Add `modules-found` lifecycle event so CLI can print all module names in one line before building starts
- Remove src/debug.ts wrapper, inline debug() per-file (restores the pattern on main, allows per-file namespace suffixes later) - Add TSDoc to detectLibcFamily documenting return values - Drop the copyright line from CLI help output
MarshallOfSound
force-pushed
the
sam/reduce-dependencies
branch
from
0ef17c7 to
a07793e
Compare
| cwd: clangDirPath, | ||
| }); | ||
| d('extracting clang'); | ||
| await spawn('tar', ['-xf', tarPath, '-C', clangDirPath], { stdio: 'ignore' }); |
There was a problem hiding this comment.
just noting here that this moves us from node-tar to relying on the system tar specifically for this one call, which is specifically used for the advanced useElectronClang option.
There was a problem hiding this comment.
Not gonna block on it, but we really shouldn't have these silly changes in these Claude PRs. This is literally just moving an import around to a different spot, one that makes less sense. Hopefully as part of the oxc.rs we can add more linting rules that enforce this stuff.
There was a problem hiding this comment.
Gonna need an explanation for why these changes are in this PR and why there's a new 'modules-found' lifecycle event being emitted.
There was a problem hiding this comment.
It looks like it's probably related to dropping ora, but I don't think we should have this kind of output change in this PR, as it's unrelated to the stated purpose of the PR.
There was a problem hiding this comment.
Gonna need an explanation for why these changes are in this PR and why there's a new 'modules-found' lifecycle event being emitted.
This isn't new, it was dropped ages ago in a bad refactor and this adds it back
There was a problem hiding this comment.
This isn't new, it was dropped ages ago in a bad refactor and this adds it back
I can't find any evidence of that, at least under the name 'modules-found'. Not gonna block on this, but not sure this is true.
There was a problem hiding this comment.
This isn't new, it was dropped ages ago in a bad refactor and this adds it back
I can't find any evidence of that, at least under the name 'modules-found'. Not gonna block on this, but not sure this is true.
MarshallOfSound
changed the title
|
🎉 This PR is included in version 4.0.4 🎉 The release is available on: Your semantic-release bot 📦🚀 |
3 participants
Summary
Shrinks the dependency tree by replacing several packages with small inline implementations or Node.js builtins:
debugsrc/debug.ts— minimal logger gated onDEBUGdetect-libcsrc/detect-libc.ts—process.report-based glibc/musl checkgotfetchgraceful-fsnode:fs/node:fs/promisesorasrc/spinner.ts— tiny TTY spinner viautil.styleTextsemver,tar,yargsAlso bumps
node-gypto^12.2.0and drops the now-unusedsrc/promisifiedGracefulFs.tswrapper along with associated@types/*devDeps.Test plan
yarn testpassesnode:fs