Closed TimothyJones closed 1 year ago
There must be a tool that can audit the dependencies and tell us if there are ones we don't need. I'll see if I can get that added to our CI setup, because manually reviewing this seems like something from the 90's.
It’s hard to do accurately, because maybe it’s not used in the source, but it might be used in the scripts - and there isn’t always a reliable way to tell (for example, binaries might have a different name to the package, and eslint configs aren’t invoked with exactly the same name as the package).
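An added sketch of such an audit (not code from this thread or from the project), covering the two cases raised above: a binary named differently from its package, and ESLint configs referenced by shorthand. The manifest, bin map, source snippets and all function names are constructed for illustration.

```javascript
// All inputs below are constructed samples, not read from a real repository.
const pkg = {
  scripts: { lint: 'eslint src', test: 'mocha', build: 'tsc && node build.js' },
  dependencies: { 'pino-pretty': '*', ramda: '*' },
  devDependencies: { eslint: '*', mocha: '*', typescript: '*',
    'eslint-config-airbnb': '*', 'jasmine-core': '*' },
};
// Package name -> binaries it installs (the "bin" field of each installed package.json).
const binMap = { typescript: ['tsc', 'tsserver'], eslint: ['eslint'], mocha: ['mocha', '_mocha'] };
const sources = ["import { map } from 'ramda';", "const fs = require('fs');"];
const eslintrc = { extends: ['eslint:recommended', 'airbnb'], plugins: [] };

// Bare module specifiers in import/require statements, reduced to package names.
function importedPackages(files) {
  const found = new Set();
  const re = /(?:from\s*|require\(\s*|import\s*)['"]([^'"]+)['"]/g;
  for (const text of files) {
    for (const [, spec] of text.matchAll(re)) {
      if (/^[./]/.test(spec)) continue; // relative or absolute path, not a package
      found.add(spec.split('/').slice(0, spec.startsWith('@') ? 2 : 1).join('/'));
    }
  }
  return found;
}

// Packages whose binaries appear as a word in any npm script (tsc -> typescript).
function usedByScripts(scripts, bins) {
  const words = new Set(Object.values(scripts).flatMap((cmd) => cmd.split(/[\s;&|]+/)));
  return Object.keys(bins).filter((name) => bins[name].some((bin) => words.has(bin)));
}

// Expand ESLint shorthand: "airbnb" -> eslint-config-airbnb,
// "plugin:import/x" -> eslint-plugin-import. Scoped ids are left as written (simplification).
function eslintPackages(config) {
  const full = (id, kind) => (id.startsWith('@') || id.startsWith(`eslint-${kind}-`)
    ? id : `eslint-${kind}-${id}`);
  const out = (config.plugins || []).map((id) => full(id, 'plugin'));
  for (const ext of config.extends || []) {
    if (ext.startsWith('eslint:')) continue; // built-in ruleset, no package involved
    if (ext.startsWith('plugin:')) out.push(full(ext.slice(7).split('/')[0], 'plugin'));
    else out.push(full(ext, 'config'));
  }
  return out;
}

// Declared dependencies that none of the three checks above could account for.
function unusedCandidates(manifest, bins, files, config) {
  const used = new Set([...importedPackages(files),
    ...usedByScripts(manifest.scripts || {}, bins), ...eslintPackages(config)]);
  const declared = Object.keys({ ...manifest.dependencies, ...manifest.devDependencies });
  return declared.filter((name) => !used.has(name)).sort();
}
```

The result is a list of candidates only: a package loaded through a dynamic require or another tool's config file still needs a manual check before removal.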
It looks like there are several dependencies that aren't used or could be removed. For example, in devDependencies, I don't think enhanced-resolve or jasmine-core are used. In the main dependencies, I don't think pino-pretty is used (if it's a peer-dep that's needed, it should be in pact-js-core). There are probably others - these are just the ones I noticed when fixing some lint issues.
As a bonus, almost all uses of lodash and ramda can be replaced with native TS code now - both those libraries are unnecessarily large and were the source of many of the vulnerability warnings in the past.