Closed dominykas closed 7 months ago
Thanks @dominykas for the issue.
For context, we started publishing shrinkwraps so that the forthcoming version of plugin-plugins (PR) can install plugins with locked dependencies.
Not sure what we'll do about your use case but we'd love any ideas that you might have
@dominykas After thinking this over a bit more, I don't think this is something that we're going to address. We need to ship shrinkwraps for our plugins so that `plugins install` will install the plugins with the locked versions. So if you or others need to get rid of the devDependencies during your release, you can run `npm prune --omit=dev`.
`npm prune --omit=dev` also removes our own dev dependencies. This is not an issue for the final production release - we were already doing it. It is however a problem for e.g. various dependency vulnerability scanning tools (e.g. snyk), because it starts complaining about old/vulnerable versions of `mocha` in our dependency tree if we don't `prune`, and if we do `prune` - we lose insights into our direct dev dependencies.
And like I said, npm always had issues with shrinkwraps - it's riddled with bugs (and these are just the confirmed and open ones) and does not actually give you the guarantees you think you're getting in reality. It is ofc a confirmed bug on npm side that these dev dependencies are installed at all, but that does not change the fact that the results are unexpected on the end user side.
Edit: ironically, when you run `npm prune`, you can actually end up with more packages than you had at the start 😁 but I'm not going to bother filing an issue for that...
Yet another case-in-point: an `npm` sub-dependency (`tar`) has a vulnerability. Installing just the base `oclif` gives you a version that is a minor behind, but depending on which plugins you have installed - you could have three different versions, all of them vulnerable.
Surely there must be a better way?
Describe the bug
As of `3.0.13`, the dev dependencies of `@oclif/plugin-warn-if-update-available` end up in the end user's `node_modules`.
To Reproduce
Expected behavior
Dev dependencies should not be installed
Screenshots
n/a
Environment (please complete the following information):
Additional context
FWIW, npm has never done a good job respecting the shrinkwraps included as part of dependencies - it does not work consistently or reliably (it can be ignored at times, pulling in latest dependencies, rather than what is pinned, etc).
Using a shrinkwrap also creates problems in deduplication, e.g. `@oclif/plugin-plugins` has `oclif@4.5.2`, but latest is `oclif@4.5.4` and so you end up with two versions of `oclif` in your dependency tree.