Open 304NotModified opened 3 years ago
I haven't figured out a good way to accomplish this, and I'm also not sure it's a good idea.
Every file that this plugin copies is ostensibly one that is contributing to your output code bundle, and so is arguably a runtime dependency whether or not you have it marked as a devDependency in your package.json. Some files are certainly grey areas, like the webpack loaders. They are usually thought of as dev dependencies, but they do get included at least partially by this plugin, and they do, by their nature as code transformations, have the potential to add vulnerable code to your bundle. Of course, on the flip side, there are other dev dependencies which contribute code to the bundle which don't get picked up by this plugin, such as webpack plugins and webpack itself.
As far as the hurdles to adding this functionality to the plugin, the plugin would first need to figure out which package a given file belongs to. Aside from some messy logic looking for node_modules/<package_name> in the file's path, I'm not sure how to go about that. Then the harder task would be to figure out which packages are included only as or due to dev dependencies. For direct deps it wouldn't be too hard, just check the package.json. For transitive deps though I'd need something that can give information about the whole dependency tree. I'm not familiar enough with the node ecosystem to know how to programmatically get that information.
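One way to approach the two hurdles named in the comment above, as an added example that is not part of the thread or the plugin's code. It assumes an npm lockfile v2/v3, where the `packages` map is keyed by install path and npm sets `dev: true` on entries reachable only through devDependencies; the function names, package names and paths are hypothetical.

```javascript
// Added example; not code from the plugin. Hypothetical names throughout.
// Assumption: npm lockfile v2/v3, whose "packages" map is keyed by install
// path and carries "dev": true on entries reachable only via devDependencies.

const norm = (p) => p.split('\\').join('/').replace(/\/+$/, '');

// "/app/node_modules/a/node_modules/@s/b/x.js" -> "node_modules/a/node_modules/@s/b"
function lockKeyForFile(file, projectRoot) {
  const root = norm(projectRoot) + '/';
  const f = norm(file);
  if (!f.startsWith(root)) return null;            // outside the project
  const parts = f.slice(root.length).split('/');
  const last = parts.lastIndexOf('node_modules');  // innermost install dir wins
  if (last === -1) return null;                    // the project's own source
  const nameLen = (parts[last + 1] || '').startsWith('@') ? 2 : 1; // @scope/name
  const end = last + 1 + nameLen;
  if (end >= parts.length) return null;            // no file below the package dir
  return parts.slice(0, end).join('/');
}

function classify(file, projectRoot, lock) {
  const key = lockKeyForFile(file, projectRoot);
  if (key === null) return 'project';              // not under node_modules
  const entry = lock.packages[key];
  if (!entry) return 'unknown';                    // not in the lockfile: do not guess
  // Only a strict dev flag counts; other markings (e.g. devOptional) are kept.
  return entry.dev === true ? 'dev-only' : 'runtime';
}

// What a "devDependencies: false" setting could keep: everything except dev-only.
function filesToCopy(files, projectRoot, lock) {
  return files.filter((f) => classify(f, projectRoot, lock) !== 'dev-only');
}

// Constructed lockfile fragment and file list.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/runtime-lib': { version: '1.0.0' },
  'node_modules/@tools/some-loader': { version: '2.0.0', dev: true },
  'node_modules/@tools/some-loader/node_modules/helper': { version: '0.1.0', dev: true },
  'node_modules/helper': { version: '0.2.0' },
} };
const SAMPLE_FILES = [
  '/app/src/index.js',
  '/app/node_modules/runtime-lib/index.js',
  '/app/node_modules/@tools/some-loader/runtime/api.js',
  '/app/node_modules/@tools/some-loader/node_modules/helper/index.js',
  '/app/node_modules/helper/index.js',
];
console.log(filesToCopy(SAMPLE_FILES, '/app', SAMPLE_LOCK));
```

The two `helper` entries show why the lookup has to use the full install path rather than the package name: the nested copy is dev-only while the hoisted one is a runtime dependency.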
I like your suggestion, @304NotModified. However, you can achieve the same by only including this plugin for a desired environment:
plugins: process.env.NODE_ENV === 'production' ? [new CopyModulesPlugin({destination: 'webpack-modules'})] : []
> you can achieve the same by only including this plugin for a desired environment:
I don't believe that helps. Whether webpack is running in production mode and whether dev dependencies are involved are two separate questions. Webpack itself is a dev dependency, after all.
What are you trying to do? I like to copy only the dependencies, and not the devDependencies
What feature or behavior is this required for? For some cases we don't like to scan the devDependencies, although they are needed for running some tests
How could we solve this issue? (Not knowing is okay!) Have the setting:
devDependencies: false
Anything else?
Thanks!