Open novemberborn opened 3 days ago
@novemberborn 👋 Our own @bcomnes just suggested this same feature request this morning! We currently do a light pass over lock files to detect packages being used. This would require a more thorough pass over the lock files, which is totally doable, just a bit more work. My concern is that some folks may use dev deps to be bundled/built into a final dist and this would miss those. Though an option to skip devDependencies is a good thing.
I've run npx @socketsecurity/cli optimize on https://github.com/avajs/ava and it of course finds a whole bunch of things to optimize (yay!), however I reckon most of these are in dev dependencies. For example:

I'm not sure I'd want to bloat the package.json to include all those overrides.

Specifically for packages (not application code / services) it may be useful to be able to avoid optimizing dev dependencies?