laverdet / isolated-vm

Secure & isolated JS environments for nodejs
ISC License

Add node-gyp as peer dependency #489

Open DecathectZero opened 3 months ago

DecathectZero commented 3 months ago

This is a bit of an edge case, but we use yarn as our package manager, and it annoyingly has this code in it: https://github.com/yarnpkg/berry/blob/9c3dc22b7e3c2a2c0782ee1222b4cf9ac6a2846f/packages/plugin-npm/sources/NpmSemverResolver.ts#L144-L155

Basically it will always add node-gyp as a production dependency in the lock file:

"isolated-vm@npm:^5.0.1":
  version: 5.0.1
  resolution: "isolated-vm@npm:5.0.1"
  dependencies:
    node-gyp: "npm:latest"
    prebuild-install: "npm:^7.1.1"

This causes our production build (with yarn workspaces focus --production or npm prune --production), which needs to be as small as possible, to also include the entire node-gyp package and all its dependencies.

If you read the yarn code, as long as node-gyp gets listed as a peer dependency, it's good. I can add it as a dev dependency to my repo.

Hopefully this doesn't affect those using npm either - I understand node-gyp is just bundled in with npm anyways.
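
A check for the lockfile pattern described in the comment above, as an added example that is not part of the original thread and is not isolated-vm or Yarn code: it scans a Yarn Berry lockfile for entries that carry a dependency at the floating `npm:latest` range. The function name `findLatestDeps` and the second sample entry are constructed, and the parser assumes the two-space entry layout quoted above.

```javascript
// Added example: scanner for the Yarn Berry lockfile shape quoted in this issue.
// Not a full YAML parser: it reads top-level entries and their "dependencies:" block.
function findLatestDeps(lockText) {
  const findings = [];
  let entry = null;    // current top-level lockfile key
  let inDeps = false;  // true while inside that entry's dependencies block
  for (const raw of lockText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      // e.g. "isolated-vm@npm:^5.0.1":  -> isolated-vm@npm:^5.0.1
      entry = line.replace(/:$/, "").replace(/^"|"$/g, "");
      inDeps = false;
    } else if (indent === 2) {
      // Only the dependencies block is of interest; any other key closes it.
      inDeps = line === "dependencies:";
    } else if (inDeps) {
      // e.g. node-gyp: "npm:latest"  or  "@scope/name": "npm:^1.0.0"
      const m = line.match(/^"?(.+?)"?:\s+"?(.+?)"?$/);
      if (m && m[2] === "npm:latest") {
        findings.push({ entry, dependency: m[1], range: m[2] });
      }
    }
  }
  return findings;
}

// Constructed sample: the first entry is the one from the issue, the second is made up.
const SAMPLE_LOCK = [
  '"isolated-vm@npm:^5.0.1":',
  '  version: 5.0.1',
  '  resolution: "isolated-vm@npm:5.0.1"',
  '  dependencies:',
  '    node-gyp: "npm:latest"',
  '    prebuild-install: "npm:^7.1.1"',
  '',
  '"example-lib@npm:^1.2.0":',
  '  version: 1.2.3',
  '  resolution: "example-lib@npm:1.2.3"',
  '  dependencies:',
  '    "@example/helper": "npm:^2.0.0"',
].join("\n");

console.log(findLatestDeps(SAMPLE_LOCK));
```

Run against a real `yarn.lock` in CI, a non-empty result lists the packages whose production dependency set includes an unpinned `latest` range.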

laverdet commented 3 months ago

If build size is important to you then you should be using a bundler like esbuild, webpack, etc.