nuxt / rfcs

RFCs for changes to Nuxt.js

Dependency module #29

Closed galvez closed 3 years ago

galvez commented 5 years ago

Idea: Create a @nuxt/deps package with locally distributed cached versions of all Nuxt's dependencies. This way, if a Nuxt dependency gets compromised with a patch release on NPM, Nuxt users won't be immediately vulnerable.

We would need to write a script to update and cache the distributions.

galvez commented 5 years ago

Bonus point: fewer network calls during a fresh install.

galvez commented 5 years ago

Basically we want a script that parses out yarn.lock, downloads distributions and builds a new package with them.

pi0 commented 5 years ago

I think this is just a matter of locking dependency versions and not using a range if such security is important. Making nuxt zero-dependency would be a good approach, but bundling webpack-related deps is not practical (at least not easily).

Extra point: This is how the NPM ecosystem works indeed. It is healthy and fresh because of sub-packages being implicitly updated on fresh installs and ranged deps.

pi0 commented 5 years ago

Also see yarn offline mirror if interested in keeping local versions of the tarballs from the lock file: https://yarnpkg.com/blog/2016/11/24/offline-mirror

Facebook internally keeps a copy of the package files for faster CI.

pi0 commented 3 years ago

Clarification: We did this experiment for nuxt3 using vercel/nft, but the final result wasn't shiny since it produces a really big npm tarball, requires manually creating a zip instead of using npm publish (since npm ignores node_modules when adding to a package), and needs other workarounds which make it less compatible with the npm ecosystem...

Also, from nuxt@2.15 (currently via nuxt-edge) we support PnP package managers out of the box, which allows zero-install usage, but it also means it is less possible to inline/pre-pack all dependencies.

pi0 commented 8 months ago

2024 - I am thinking about it, now!