jozefizso/generator-license

Consider removing dev dependencies before publishing a package.

springcomp opened this issue · 7 comments

Please, consider removing dev dependencies when publishing a package.
This will help reduce the vulnerabilities reported when installing a package to only those that can actually have an impact on our users.

Installing the generator-license package will install only the application runtime code and the templates. No development dependencies are installed.

I read that this was indeed the case but was never able to actually make it work.
Here is my repro case:

mkdir p
cd p/
npm init --yes
npm install yeoman-generator@5

added 318 packages, and audited 319 packages in 9s

40 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

npm install generator-license

added 582 packages, and audited 901 packages in 20s

75 packages are looking for funding
run npm fund for details

11 vulnerabilities (3 moderate, 3 high, 5 critical)

To address all issues, run:
npm audit fix

Run npm audit for details.

This does not happen after applying my suggested PR.
Can you point out what I'm doing wrong?

This is standard behaviour of npm. Use the --production flag when installing to exclude the dev dependencies.

This also happens, unfortunately, when using --production or --omit=dev flags.

I think the correct way is to update the vulnerable dependencies and not to hide the fact that a particular package was built with or is using old packages.
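The distinction the thread turns on is between `devDependencies` (never installed for a consumer of a published package, and dropped by `--production` / `--omit=dev`) and runtime `dependencies`, whose transitive tree is always installed. A finding that survives `--omit=dev` therefore sits on a runtime path and can only be removed by updating the dependency itself, as the maintainer says. The script below is an added example, not code from generator-license or from either commenter: it walks a `package-lock.json` (lockfileVersion 3 `packages` map) from the root's runtime `dependencies`, resolves nested `node_modules` the way Node does, and labels each package reported by `npm audit --json` as runtime-reachable or dev-only. Both inputs are constructed samples with placeholder package names, and `peerDependencies`/`optionalDependencies` are ignored for brevity.

```python
"""Classify npm audit findings as runtime-reachable or dev-only.

Added example, not part of the generator-license project. The lockfile and
audit fragments are constructed samples; package names are placeholders.
"""
import json
from collections import deque

# Constructed package-lock.json fragment (lockfileVersion 3 shape).
LOCKFILE = json.loads("""
{
  "name": "p", "lockfileVersion": 3, "packages": {
    "": {
      "dependencies": {"gen-x": "^1.0.0"},
      "devDependencies": {"test-tool": "^2.0.0"}
    },
    "node_modules/gen-x": {"version": "1.0.0",
      "dependencies": {"old-util": "^0.9.0"}},
    "node_modules/old-util": {"version": "0.9.1"},
    "node_modules/test-tool": {"version": "2.0.0", "dev": true,
      "dependencies": {"old-parser": "^3.0.0"}},
    "node_modules/old-parser": {"version": "3.0.2", "dev": true}
  }
}
""")

# Constructed `npm audit --json` fragment (npm 7+ "vulnerabilities" shape).
AUDIT = json.loads("""
{"vulnerabilities": {
  "old-util":   {"name": "old-util",   "severity": "high",     "isDirect": false},
  "old-parser": {"name": "old-parser", "severity": "critical", "isDirect": false}
}}
""")


def resolve(packages, from_path, name):
    """Resolve `name` like Node: nearest node_modules directory, walking up."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Drop the innermost "/node_modules/<pkg>" segment and retry one level up.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def runtime_closure(lock):
    """Lockfile paths reachable from the root's runtime `dependencies` only.

    This is the set `npm install --omit=dev` keeps; devDependencies and
    anything reachable solely through them are never visited.
    """
    packages = lock["packages"]
    seen, queue = set(), deque()
    for dep in packages[""].get("dependencies", {}):
        path = resolve(packages, "", dep)
        if path:
            queue.append(path)
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        for dep in packages[path].get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child and child not in seen:
                queue.append(child)
    return seen


def classify(lock, audit):
    """Map each audited package name to 'runtime' or 'dev-only'."""
    runtime_names = {p.rsplit("node_modules/", 1)[-1] for p in runtime_closure(lock)}
    return {name: ("runtime" if name in runtime_names else "dev-only")
            for name in audit["vulnerabilities"]}


def check_dev_flags(lock):
    """Cross-check: every package outside the runtime closure should be "dev": true."""
    runtime = runtime_closure(lock)
    return [path for path, meta in lock["packages"].items()
            if path and bool(meta.get("dev", False)) != (path not in runtime)]


if __name__ == "__main__":
    for name, kind in classify(LOCKFILE, AUDIT).items():
        sev = AUDIT["vulnerabilities"][name]["severity"]
        print(f"{name:12} {sev:9} {kind}")
    print("dev flag mismatches:", check_dev_flags(LOCKFILE))
```

Run against a real project by replacing the two constants with the parsed `package-lock.json` and `npm audit --json` output; a finding labelled `runtime` is one that will reach every consumer of the package regardless of install flags, which is the case the issue reports for generator-license's 11 findings.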

Please try the v5.6.0 package.

Thank you, that works.