icebob
commented
5 years ago @lukeed do you have any awesome (fast & no deps) lib to replace the huge glob lib? :smile:
Open icebob opened 5 years ago
icebob
commented
5 years ago @lukeed do you have any awesome (fast & no deps) lib to replace the huge glob lib? :smile:
lukeed
commented
5 years ago Hey, haha, I helped work on tiny-glob. It's the one I use
tinchoz49
commented
5 years ago https://github.com/vadimdemedes/ink could be a replacement for vorpal
lukeed
commented
5 years ago Ink is good. I forgot to mention before that sade is also an option for your CLI builder. Its only dependency is mri, which is already in this list
joshmanders
commented
5 years ago Hello, we use Moleculer at my company and vorpal's vulnerabilities are a concern to us and we'd like to get this resolved. What can I do to help with this? I can fork and start a PR to replace vorpal with something else.
Thanks.
icebob
commented
5 years ago vorpal is more than the ink. It has a REPL mode with command & argument handling and autocomplete feature. Ink (as soon as I can see) is a react based GUI for console apps. The better option would be to fix vulnerable packages in vorpal. I've created a fork here
joshmanders
commented
5 years ago Yeah I was looking over alternatives and none really seem to do what moleculer uses vorpal for.
@icebob do you plan to utilize the fork in moleculer-repl by publishing a package or directly to the github repo in the package.json? I can start working on getting the vulnerabilities patched and submit a PR to the fork.
tinchoz49
commented
5 years ago This is another one more close to the vorpal concept: https://github.com/drew-y/cliffy
But I agree:
The better option would be to fix vulnerable packages in vorpal. I've created a fork here
icebob
commented
5 years ago @joshmanders good news. It would be good if you could fix it. I plan to publish the fixed vorpal under the org like: @moleculer/vorpal
icebob
commented
5 years ago @tinchoz49 great, yes, cliffy can be an alternative. Btw, I've starred it for a while :P
joshmanders
commented
5 years ago @joshmanders good news. It would be good if you could fix it. I plan to publish the fixed vorpal under the org like: @moleculer/vorpal
Excellent. I have a PR waiting right now, just have noticed some tests are timing out so I'm trying to figure that out.
GrosSacASac
commented
5 years ago I heard that bluebird is no longer needed
abdavid
commented
4 years ago @icebob Could we add lodash to the list of libraries that Moleculer could live without? I dissected the framework a while back while playing around with making it a first-class typescript citizen and noticed a lot of lodash usage that could be replaced by simple native js. The reason I particularly am mentioning this lib is because of the bad pratices like prototype pollution it often entails.
https://github.com/moleculerjs/moleculer/search?q=isObject&unscoped_q=isObject
abdavid
commented
4 years ago Latest tree btw
moleculer@0.14.6 /Users/davborre/Source/moleculer
├─┬ args@5.0.1
│ ├── camelcase@5.0.0
│ ├─┬ chalk@2.4.2
│ │ ├─┬ ansi-styles@3.2.1
│ │ │ └─┬ color-convert@1.9.1
│ │ │ └── color-name@1.1.3
│ │ ├── escape-string-regexp@1.0.5
│ │ └─┬ supports-color@5.4.0
│ │ └── has-flag@3.0.0
│ ├── leven@2.1.0
│ └── mri@1.1.4
├── es6-error@4.1.1
├── eventemitter2@6.4.0
├── fastest-validator@1.4.1
├── fn-args@5.0.0
├─┬ glob@7.1.6
│ ├── fs.realpath@1.0.0
│ ├─┬ inflight@1.0.6
│ │ ├── once@1.4.0 deduped
│ │ └── wrappy@1.0.2
│ ├── inherits@2.0.3
│ ├─┬ minimatch@3.0.4
│ │ └─┬ brace-expansion@1.1.11
│ │ ├── balanced-match@1.0.0
│ │ └── concat-map@0.0.1
│ ├─┬ once@1.4.0
│ │ └── wrappy@1.0.2 deduped
│ └── path-is-absolute@1.0.1
├── ipaddr.js@1.9.1
├── kleur@3.0.3
├── lodash@4.17.15
├─┬ lru-cache@5.1.1
│ └── yallist@3.0.3
└── node-fetch@2.6.0Yes, it would be good to drop lodash lib from the core repo. The most important method is the _.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation or copy out from the lodash.
joshmanders
commented
4 years ago Yes, it would be good to drop lodash lib from the core repo. The most important method is the
_.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation or copy out from the lodash.
Could just depend on lodash.defaultsDeep which is just the dependencies needed for that function.
icebob
commented
4 years ago Hmm, good idea!
icebob
commented
4 years ago By the way, I've just found cac which is same as args but no dependencies.
Only need to change the glob to avoid another big branch
abdavid
commented
4 years ago _.get used in the cacher implementation is pretty important aslo I believe. It would be great to firstly get an overview of all lodash deps to determine which could easily be switched out with vanilla js and which we need to consider keeping or replace. I’d be happy to contribute on some concrete issues like «replace usage of isObject» etc to we can gradually migrate lodash out.
- mai 2020 kl. 18:32 skrev Josh Manders notifications@github.com:
Yes, it would be good to drop lodash lib from the core repo. The most important method is the _.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation or copy out from the lodash.
Could just depend on lodash.defaultsDeep which is just the dependencies needed for that function.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.
lukeed
commented
4 years ago cac has dependencies (including mri) – it's just all inlined into one big pre-built file, which prevents any cross-dep code reuse
icebob
commented
4 years ago Ohh, thanks @lukeed, I didn't see it.
lukeed
commented
4 years ago It's actually only mri - I thought there were more. This means cac basically the same as sade...good upgrade either way
icebob
commented
4 years ago @abdavid Here is a list about the used Lodash methods:
abdavid
commented
4 years ago Nice! I see a couple of low hanging ones. I think we can break them down pr function.
@icebob should we maybe create an epic and materialize tasks for each function? That way we will have the oppertunity to discuss replacements contextually. Like Josh commented we could just import the complex ones.
- mai 2020 kl. 18:37 skrev Icebob notifications@github.com:
@abdavid Here is a list about the used Lodash methods:
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
icebob
commented
4 years ago Ok, go ahead :)
abdavid
commented
4 years ago I do not have the necessary access to create anything like that. For github an epic equivalent would maybe be a project with multiple subtasks? #jiranerd
icebob
commented
4 years ago Here there are some native implementation: https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#quick-links
abdavid
commented
4 years ago Here there are some native implementation: https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#quick-links
Sweet! Nice find
abdavid
commented
4 years ago @icebob Do we have any docs / guides on performance testing? Would be necessary to have before and after measurements to ensure we keep things speedy
icebob
commented
4 years ago Yes, you can with npm run bench. It executes common performance benchmark tests, so you can measure before & after with it.
Wallacy
commented
4 years ago @icebob Another option to replace Vorpal: https://github.com/f/omelette
Has zero dependencies;
icebob
commented
4 years ago Thanks @Wallacy but I think it's not a replacement of vorpal. It's just a part of it.
AndreMaz
commented
4 years ago One possible replacement for vorpal in moleculer-repl is shargs.
Some features:
and @Yord is currently working on REPL mode and autocompletion
icebob
commented
4 years ago It sounds great. it has no dependency.
Yord
commented
4 years ago Hey all, shargs is meant to replace the command-line parser of another project of mine because it had way too many dependencies (27!). Seems our causes are aligned.
The REPL mode is still very fresh, but I am interested in spending more time.
icebob
commented
4 years ago @Yord Do you know vorpal? Are there any other missing parts in shargs? We are using it in our moleculer-repl
Yord
commented
4 years ago @icebob I have never worked with vorpal.
The command-line parser parts of shargs are almost at 1.0.0, error message ergonomy is left (and bash autocomplete).
As for REPLs, shargs has basic REPL functionality based on the Node REPL and autocomplete for commands. These two parts are not tested, yet.
I could imagine shargs REPL misses text colors and formatting (aka tables) unless the action output does that.
Is there anything apparent to vorpal users that I miss?
Edited to add: Shargs REPL misses pipes and prompts.
AndreMaz
commented
4 years ago I could imagine shargs REPL misses text colors and formatting (aka tables) unless the action output does that.
You are right, the coloring and formatting are done directly in action (e.g., service )
Edited to add: Shargs REPL misses pipes and prompts.
I think that we don't use either of those features. We only use "a small portion" of vorpal
icebob
commented
4 years ago Would be good to create a branch in moleculer-repl and trying to add Shargs instead of vorpal. @AndreMaz do you have some capacity to work on it? Maybe @Yord can help if something is missing :)
Yord
commented
4 years ago @icebob, @AndreMaz I will gladly ship in if I can be of help.
AndreMaz
commented
4 years ago @icebob I will look at it during weekend. In theory it shouldn't be very complex. I just need to find the equivalent for vorpal's syntax. E.g.:
vorpal
.command('foo <requiredArg> [optionalArg]')
.autocomplete({
data() {
return // Return autocomplete array
})
.option('-v, --verbose', 'Print foobar instead.')
.description('Outputs "bar".')
.alias('foosball')
.action(function(args, callback) {
if (args.options.verbose) {
this.log('foobar');
} else {
this.log('bar');
}
callback();
});@Yord do you have any tutorial for newbies? Your docs are very good but I didn't found any introductory tutorial.
Yord
commented
4 years ago @AndreMaz Fortunately I wrote one just yesterday:
https://github.com/Yord/shargs-tutorial-git/blob/master/README.md
AndreMaz
commented
4 years ago Sweet 😄 Thanks
Yord
commented
4 years ago @AndreMaz Just wanted to let you know I have incorporated recent updates into shargs-example-repl.
To elaborate on this: The API has only slight changes, the updates concern mainly autocomplete internals.
AndreMaz
commented
4 years ago @Yord thanks for the info. Can you add the changelog to your repos? It helps to track the changes
Yord
commented
4 years ago @AndreMaz Yes, I will do that. Sorry for the sloppy work. I usually start a changelog with the first stable version, but here, it definitely makes sense to start right now.
Changelogs:
gautaz
commented
1 year ago Hello, sorry to barge in but I think that what I raised here might be related to this issue.
My main concern is related to the fact that some of us (I have no idea how many) are using the Moleculer broker without the runner.
I was wondering if moving the broker to something like moleculer-core (or the runner to moleculer-runner) would be an acceptable solution.
The runner is great but it also comes with its cost in term of dependencies and I guess that part of the dependencies raised in this issue is in fact due to the runner (another batch is certainly due to the REPL). :warning: This last one is an assumption, I did no check the source code so I may be totally wrong (which would be far from being the first time :laughing:).
icebob
commented
1 year ago I plan to split this repo to multiple packages in v1.0 and release them under @moleculer/....
Due to the recent event-stream vulnerability issue, I'm thinking to reduce the used NPM dependencies in the Moleculer core. Currently it is the current dependency tree (29 modules):
There are 3 libs which have too much dependencies:
Possible alternatives:
Important to keep the current functionality, so the changes don't cause breaking changes!
argschalkglobvorpal