MikeMcl / bignumber.js

A JavaScript library for arbitrary-precision decimal and non-decimal arithmetic
http://mikemcl.github.io/bignumber.js
MIT License
6.68k stars 742 forks source link

uglifyjs missing from package.json #295

Closed joepie91 closed 2 years ago

joepie91 commented 3 years ago

The build process for this library uses uglifyjs, but it's not listed in package.json as a dependency, apparently expecting it to exist system-wide.

Unfortunately this makes it difficult to reproduce the build (for eg. dependency auditing purposes) as it's not clear what version of UglifyJS was used to produce the minified version.

MikeMcl commented 3 years ago

The library does not require a build process and the minified version should not be used if dependency auditing.

I don't want to imply that a build is reproducible by stipulating a particular version of uglifyjs, or imply that the library is dependent on it by including it in the dependencies.

It's just an minified version provided for the convenience of having one online and directly available. It's created from the library and is not part of the library itself.

The build process is described in the README which states:

Build For Node, if uglify-js is installed npm install uglify-js -g then npm run build will create bignumber.min.js.

so there is no expectation that uglifyjs is already installed.

The above is meant just as an example of how the library can be minified to make it easy for users to do so. The particular minification tool, or version of, used is not important.

Most users probably minify the library themselves while bundling anyway.

Perhaps I should remove the bignumber.min.js file from the npm bundle, or remove it altogether as I did with big,js.

I will consider it further. Thanks for the feedback.

joepie91 commented 3 years ago

To clarify, with "build process" I'm just referring to the minification process in the case of this library. Unfortunately there's no option to not consider the minified version when auditing dependencies, because it is part of the npm package and therefore part of the dependency tree on disk, and so needs to go through the audit process.

Another way to resolve the issue is indeed to not ship a minified version in the package in the first place. In most cases, there's no real purpose to publishing a minified file to npm for the exact reason you've described - people will typically already have their own minification setup.

I don't want to imply that a build is reproducible by stipulating a particular version of uglifyjs, or imply that the library is dependent on it by including it in the dependencies.

It is a dependency for the development and publishing process, though, and therefore should be specified in devDependencies (unless the minified file is removed from the published package, anyway).

This is true for all development and build tools in JS in general, even those which (incorrectly) claim that you should globally install them. package.json should always specify the full set of dependencies needed for successfully running a build - and in fact, npm scripts will automatically use such 'locally-installed' binaries instead of globally-installed binaries when present.

MikeMcl commented 2 years ago

Minified version removed in v9.0.2. Thanks for your input.

joepie91 commented 2 years ago

Great to hear, thanks!