Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Bundle production dependencies

See original GitHub issue

ESLint is used only in development environment. It is a popular tool with well maintained tests suit. As such, I think it would benefit from using NPM bundledDependencies package.json property. Specifically, this would make the install time of ESLint a lot faster and would lift restrictions of the modularisation.

The build process can be automated to include all production dependencies. A simple NPM script can be used to streamline the process:

{
    "bundle-dependencies": "bundled-dependencies",
    "bundle-prepare": "npm run bundle-dependencies; git commit -m 'Updated bundle dependencies.' ./package.json; rm -fr ./node_modules; npm install --production; npm publish; npm install;"
}

An example of a package using bundledDependecies is canonical. To experience the benefits, try to install canonical version that is using bundledDependecies (3.0.0+) and compare it against a version that is not using it (2.5.0). Here are the test results on my machine:

npm install canonical@3.0.1

10.81s user
4.45s system
110% cpu
13.790 total

npm install canonical@2.5.0

13.17s user
2.77s system
27% cpu
58.136 total

<bountysource-plugin>

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource. </bountysource-plugin>

Issue Analytics

State:
Created 8 years ago
Comments:25 (24 by maintainers)

Top GitHub Comments

2reactions

BYKcommented, Mar 24, 2016

it’s starting to seem like this is the right choice for keeping our users safe.

I’m not sure if I really agree with this. If our users are relying on NPM to download us, then bundling dependencies is only a partial solution where the real problem resides in NPM itself. I think this is something NPM should resolve, not us. Unless people complain about this kind of events more I’m 👎 for this proposal.

2reactions

nzakascommented, Mar 24, 2016

Given recent events (http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/), I think we should strongly consider doing this. It would scratch two itches:

Locking down dependencies so the ones we use while publishing are the ones people get
Preventing deletion of a dependency from breaking our users

It looks like there are some unclear perf implications to this, but even so, it’s starting to seem like this is the right choice for keeping our users safe.

@eslint/eslint-team other thoughts?

Top Results From Across the Web

Do devDependencies affect bundle size? - Stack Overflow

A browser app built by webpack has no runtime node dependencies, and thus all frontend dependencies should be listed as devDependencies. The ...

devDependencies should not be bundled in production #7001

When bundling an application to send it in production, the NPM modules are bundled. The problem I'm having is the dependencies are there, ......

How webpack decides what to bundle - Jakob Lind

Your project have many installed dependencies in the node_modules folder that should not be included in your client-side JavaScript production bundle.

Do npm dependencies and devDependencies effect your ...

A definitive guide on the differences between you dev dependencies and regular dependencies in your package.json file and how they effect ...

Dependency Pre-Bundling - Vite

Dependency pre-bundling only applies in development mode, and uses esbuild to convert dependencies to ESM. In production builds, @rollup/plugin-commonjs is ...