Closed AviVahl closed 12 months ago
How much space would such a move save? I would be a bit worried about unintended consequences.
In terms of raw size in kb? or percent of the published package? Those depend on which files/folders should be included.
I can guess that `test` and `.github` should probably stay out. I'm not certain about folders like `node-gyp/gyp/tools/emacs` though.
Oh, and `tree` ignored dot files/folders... I'll update the list in OP with `-a`.
> How much space would such a move save

I was able to go from 2.1 MB with 146 files/folders, to 1.3 MB with 89 files/folders.
(There are still a lot of files which I'm not sure what they do, which I left alone. And that's not really tested for breakage yet, but it's about how much I expect we could save. Carefully deleting more `gyp` generators would yield the most file size savings, if possible.)
In addition to @AviVahl's suggestions, there are also some generators as part of `gyp` which we do not use in `node-gyp` at the moment. The `gyp` folder seems to be the heaviest part of the module. We could, for example, exclude the `ninja` generator, and a few others (`android`, `cmake` perhaps).
We could do this selectively with `.gitignore` (affects `git` tracking) or `.npmignore` (doesn't affect `git` tracking).
Here are the folder contents by size on disk:
This is more than a space-saving move. An automated security audit tool found and flagged the presence of https://github.com/nodejs/node-gyp/blob/master/test/fixtures/server.key which, although probably harmless, creates noise for the auditor and makes for an awkward conversation. Is there an estimated time to remove these files from the build?
Here's my take: Tests etc. represent part of the documentation and are components of the complete project which we occasionally snapshot and publish as a version to npm. On that basis, packages in npm should include stand-alone snapshots of a project. I know this is not a view held by everyone who publishes to npm and some want to obsessively remove everything except that which touches the execution path--which is arguably reasonable in a world of trivial dependencies that bloat our development folders. I just think maybe the problem of needless dependency tree bloat should be tackled with greater priority. So I'm personally not in favour of removing things from a publish unless we're dealing with unreasonably large items. 2Mb is not unreasonable for us to be able to ship a complete snapshot of the package. If we have extraneous things in the repo then we should be able to add them to .gitignore.
Re server.key, if this is a critical problem for you then perhaps you could help out by contributing a change that shuffles it out of view of low quality auto-audits? Either generate it as required for tests, or maybe more practically, embed it as a string in a test file that can be extracted and removed on each run? Alternatively find a better auditor that isn't upset by test fixtures?
Published npm package contains repo configuration/scripts, "test" folder, etc. May want to use the "files" field in `package.json` and specify only the actually used files/folders.
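
A pre-publish check in the spirit of this thread, as an added example that is not part of the original issue or of node-gyp's code: it walks a file list in the shape that `npm pack --dry-run --json` prints and reports entries under unwanted folders or containing a PEM private key header. The function name `auditPackList`, the `UNWANTED_PREFIXES` policy, the package name and all sample paths and contents are assumptions constructed for illustration.

```javascript
// Added example, not node-gyp code. Input shape follows `npm pack --dry-run --json`:
// an array with one object per package, each carrying files: [{ path, size, mode }].

// Armor header of PEM private keys (PKCS#1, PKCS#8, EC, OpenSSH, encrypted PKCS#8).
const PEM_PRIVATE_KEY = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/;

// Assumed policy: folders the thread suggests could stay out of the tarball.
const UNWANTED_PREFIXES = ['test/', '.github/'];

// readFile(path) returns the file's text; it is injected so the check runs offline.
function auditPackList(packJson, readFile) {
  const findings = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const { path } of pkg.files) {
      const prefix = UNWANTED_PREFIXES.find((p) => path.startsWith(p));
      if (prefix) findings.push({ path, reason: `under ${prefix}` });
      if (PEM_PRIVATE_KEY.test(readFile(path))) {
        findings.push({ path, reason: 'PEM private key header' });
      }
    }
  }
  return findings;
}

// Constructed sample of a pack listing; sizes and names are made up.
const samplePack = JSON.stringify([{
  name: 'example-pkg', // hypothetical package name
  files: [
    { path: 'package.json', size: 300, mode: 420 },
    { path: 'lib/build.js', size: 5120, mode: 420 },
    { path: 'test/fixtures/server.key', size: 1675, mode: 420 },
    { path: '.github/ISSUE_TEMPLATE.md', size: 400, mode: 420 },
  ],
}]);

// Constructed file contents; the key body is a placeholder, not real key material.
const sampleFiles = {
  'package.json': '{ "name": "example-pkg" }',
  'lib/build.js': 'module.exports = function build() {};',
  'test/fixtures/server.key':
    '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n',
  '.github/ISSUE_TEMPLATE.md': 'Describe the problem.',
};

const sampleFindings = auditPackList(samplePack, (p) => sampleFiles[p] || '');
for (const f of sampleFindings) console.log(`${f.path}: ${f.reason}`);
```

Against a real checkout, pass a `readFile` that reads from disk and fail the publish step when the returned array is non-empty.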