Closed sschuberth closed 4 months ago
This article seems to contain some good information on the matter: https://survivejs.com/webpack/optimizing/build-analysis/
FYI, Sonatype offers a Webpack plugin that does something similar to bundle sources of dependencies for upload to Nexus IQ.
I was told by a team using Webpack that there is no general fool-proof way to detect if a project build uses Webpack. Which means we'd have no "trigger" for a potential Webpack analyzer.
So the new idea was to also create a Webpack plugin (similar to Sonatype's) that directly writes out an ORT analyzer result file, and ORT's built-in analyzer is not run at all.
Maybe leveraging https://github.com/webpack-contrib/webpack-bundle-analyzer is an option.
Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.
Webpack is a tool that creates minimized distribution bundles for JavaScript projects, in a sense similar to creating a "FatJar" / "ShadowJar" for Java projects. We already use Webpack ourselves in the WebApp reporter (again, similar to how we use shadow JARs for the ORT CLIs).
In order to bundle only used code, Webpack builds up its own dependency graph. So instead of looking at the underlying NPM / Yarn project, we probably could look at Webpack output to get the dependency graph for only what's being bundled / distributed.
The trigger for a Webpack analyzer probably could be the presence of `webpack` under `devDependencies`, although that does not seem to cover all cases, like our very own WebApp reporter (which depends on `webpack-event-plugin`) instead.
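
As an added illustration of the idea in the issue description (not ORT code and not part of the original discussion): a sketch that reads Webpack's stats JSON, as produced by `webpack --json`, and derives package-level dependency edges for only the modules that were bundled. The function names, the `<project>` root label and the sample data are assumptions made for this example.

```javascript
// Map a Webpack module name to the npm package that owns it, or null for
// first-party code. The last "node_modules/" segment wins, so nested installs
// (node_modules/a/node_modules/b) resolve to "b".
function packageOf(moduleName) {
  if (typeof moduleName !== 'string') return null;
  // Drop loader prefixes ("loader!./file") and " + N modules" suffixes.
  const path = moduleName.split('!').pop().replace(/ \+ \d+ modules$/, '');
  const idx = path.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  const parts = path.slice(idx + 'node_modules/'.length).split('/');
  // Scoped packages ("@scope/name") span two path segments.
  return parts[0].startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Build package -> Set(packages it pulls into the bundle) from
// stats.modules[].reasons[].moduleName. ROOT is a hypothetical label for
// the project's own sources and entry points.
function bundledGraph(stats) {
  const ROOT = '<project>';
  const graph = new Map();
  for (const mod of stats.modules || []) {
    const to = packageOf(mod.name);
    if (!to) continue; // first-party module, not a dependency
    if (!graph.has(to)) graph.set(to, new Set());
    for (const reason of mod.reasons || []) {
      const from = packageOf(reason.moduleName) || ROOT;
      if (from === to) continue; // import within the same package
      if (!graph.has(from)) graph.set(from, new Set());
      graph.get(from).add(to);
    }
  }
  return graph;
}

// Constructed sample in the shape of Webpack stats output (not a real build).
const sampleStats = {
  modules: [
    { name: './src/index.js', reasons: [{ moduleName: null }] },
    { name: './node_modules/react/index.js',
      reasons: [{ moduleName: './src/index.js' }] },
    { name: './node_modules/@babel/runtime/helpers/extends.js',
      reasons: [{ moduleName: './node_modules/react/index.js' }] },
    { name: './node_modules/react/node_modules/object-assign/index.js',
      reasons: [{ moduleName: './node_modules/react/index.js' }] },
  ],
};

for (const [pkg, deps] of bundledGraph(sampleStats)) {
  console.log(pkg, '->', [...deps].join(', ') || '(none)');
}
```

Packages that are installed but never imported by bundled code do not appear in the result, which is the difference from analyzing the NPM / Yarn project definition.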