Closed (oles closed this 2 years ago)
Unfortunately, snyk is required to be a dependency (not a dev dependency) because it needs to auto-patch security vulnerabilities via a postinstall hook. We rely on snyk for continuous security audits, which are very important to a project such as this.
I regret that there are so many dependencies required to download, though I’m curious why this is worrisome beyond the initial yarn install? It does not affect deliverable bundle size, which is still quite manageable: https://bundlephobia.com/result?p=magic-sdk@1.3.5
The peer dependency warnings you see are related to react-native-webview. I think there’s a valid action item to address there, somewhat related to #39. I’m not sure of the best approach to address it yet. We keep it a dependency (instead of peer/optional) because it is simply easier to bundle in mobile dependencies to ensure compatibility. Mobile troubleshooting is difficult and I have less experience with it than some others on the Magic SDK team.
Then again, we do not externalize react-native-webview (it gets bundled in by Webpack), so perhaps the argument can be made that it belongs as a dev dependency after all.
I think #94 is also somewhat related to this. We are discussing internally about moving to a Lerna monorepo (currently weighing the pros & cons & estimating the work required). One solution to the peer dependencies warning is to publish React Native support as a separate package.
I regret that there are so many dependencies required to download, though I’m curious why this is worrisome
There are many good points in Paul Miller's article for Chokidar v3: https://paulmillr.com/posts/chokidar-3-save-32tb-of-traffic, even though I might not agree with them all.
Then there's the various companies with strict IT departments, where it was difficult enough to just push Vue.js through.
I create various small to medium size apps, where some of them could really use something like this :heart:
One solution to the peer dependencies warning is to publish React Native support as a separate package
Sounds good!
✨ Feature Request
This is a neat product. I went ahead and tried it out, and then I got to the step of installing it via NPM.
On a new project, this was the result of npm install magic-sdk: 515 packages added. Warnings (useless and irrelevant, but still there). 4 vulnerabilities (most likely nothing, but still). Deprecation notice.
The lovely image you built up with simplicity, security, and professionalism faded more and more the longer the installation log got.
I'm not sure what causes it. You only have 3 direct dependencies. Seems like snyk is the one causing the ruckus? Perhaps it should be a devDependency, if at all?