SocketDev / socket-cli-js

The Socket CLI tool
https://socket.dev/npm/package/socket
MIT License

Avoid optimizing dev dependencies? #233

Open novemberborn opened 3 days ago

novemberborn commented 3 days ago

I've run npx @socketsecurity/cli optimize on https://github.com/avajs/ava and it of course finds a whole bunch of things to optimize (yay!), however I reckon most of these are in dev dependencies. For example:

> npm ls which-typed-array
ava@6.1.3
└─┬ xo@0.59.3
  └─┬ eslint-plugin-import@2.29.1
    └─┬ array.prototype.findlastindex@1.2.5 overridden
      └─┬ es-abstract@1.23.3
        ├─┬ is-typed-array@1.1.13 overridden
        │ └── which-typed-array@1.1.15 deduped
        └── which-typed-array@1.1.15 overridden

I'm not sure I'd want to bloat the package.json to include all those overrides.

Specifically for packages (not application code / services) it may be useful to be able to avoid optimizing dev dependencies?

jdalton commented 3 days ago

@novemberborn 👋 Our own @bcomnes just suggested this same feature request this morning! We currently do a light pass over lock files to detect packages being used. This would require a more thorough pass over the lock files, which is totally doable, just a bit more work. My concern is that some folks may use dev deps to be bundled/built into a final dist and this would miss those. Though an option to skip devDependencies is a good thing.