ModClean / modclean

Remove unwanted files and directories from your node_modules folder
MIT License
400 stars 15 forks

Many good things #21

Closed jehy closed 6 years ago

jehy commented 6 years ago

I made many changes to use modclean in a production environment; they are separated into commits and I hope you will include some.

  1. update deps - I updated dependencies.
  2. removed test script - there is no mocha and there is no test.js, so the test script is meaningless
  3. added jehy to contributors - self descriptive :)
  4. use bundled dependencies - modclean adds 123 packages and weighs 9.4 MB - I think it is too much, so I bundled packages with webpack.
  5. remove update notifier - update notifier is very heavy (1MB) and I don't think it is quite necessary
  6. use exact version of modclean-patterns-default - see https://github.com/ModClean/modclean/issues/20
  7. bump to major version - self descriptive : )

Now the module installs only 7 dependencies and weighs less than 950KB.

jehy commented 6 years ago

Oops, I had to roll back empty-dir to 0.2.1 because with the new version somehow all node_modules were deleted...

KyleRoss commented 6 years ago

Thanks for submitting this! After going through your changes, I have one concern:

I'm not a fan of bundling a module with webpack since it makes it more difficult to maintain and debug going forward, especially in a production environment. It also makes security audits more difficult and raises code complexity. I appreciate the idea, but I believe it's time for me to rethink some of the aspects of modclean for version 3.0, including the number of dependencies it has. With that, I will also remove update-notifier and write my own or remove it altogether.

I will utilize some of your ideas here for the next version and once I have something to show, I'd like to have you jump in also and give feedback or submit pull requests for anything else that should change.

Thanks again for this!

jehy commented 6 years ago

Yup, building with webpack may seem frightening at first, but...

  1. Audit on your side is not a very big issue - you should only check whether the new code is identical to the code that you generate yourself locally. And you can build the module on prepublish - it will ensure that no harmful code can even appear in the repo or on npmjs.
  2. Audit on the developer's side, however, really becomes more complex. But auditing ~120 dependencies is not much easier : ) By the way, you can remove code obfuscation for a simpler audit - it will still be efficient because the bundle will only contain the required code. Also, it will be even easier to audit.
  3. Also, debugging does not become more difficult if you use sourcemaps - any error stack is shown in the original code.

But those are pretty hard questions, I agree. I would be glad to jump in for the next version :)