oktadev/schematics

devDependency or dependency?

DanielRuf opened this issue · 5 comments

In the docs you sometimes use `npm i @oktadev/schematics` and sometimes `npm i -D @oktadev/schematics`.

Is this a devDependency in general or does it depend on the setup? Because this is not clear and currently @oktadev/schematics uses a dependency with vulnerabilities (ini 1.3.5, loaded by schematics-utilities 2.0.2).

See https://snyk.io/vuln/SNYK-JS-INI-1048974

That's my fault. It should be a dev dependency (-D) in most cases. React has a philosophy of no dev dependencies, so that's why I might've missed it there.

Ah ok, thanks for the clarification.

You might want to adjust the package.json file for the ng add command to not save the package to dependencies. See angular/angular-cli#15815

> React has a philosophy of no dev dependencies

That is new to me. React itself is not a devDependency, that is correct. But dependencies which are only needed during the build process should be devDependencies. According to the docs, the package is only needed for the schematics CLI to generate the code (once).

schematics @oktadev/schematics:add-auth

@DanielRuf Can you please create a PR with this change? I'd be happy to add it!

Done: #546

Thanks for your contribution @DanielRuf!
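As an added example (not part of the thread and not the project's own code), the Node.js sketch below shows how the `-D` choice discussed above shows up in a lockfile: it reports whether a flagged transitive package such as ini 1.3.5 is dev-only or would ship with a production install. The lockfile fragments, the `@oktadev/schematics` version and the function names are constructed for illustration.

```javascript
// Constructed samples, not the project's real lockfile: the "packages" map of a
// package-lock.json (lockfileVersion 2/3). npm sets "dev": true on entries that
// are reachable only through devDependencies.
function sampleLock(devOnly) {
  const flag = devOnly ? { dev: true } : {};
  return {
    lockfileVersion: 2,
    packages: {
      '': { name: 'sample-app' },
      // Version below is a placeholder; the thread does not give one.
      'node_modules/@oktadev/schematics': { version: '0.0.0-placeholder', ...flag },
      'node_modules/schematics-utilities': { version: '2.0.2', ...flag },
      'node_modules/schematics-utilities/node_modules/ini': { version: '1.3.5', ...flag },
      'node_modules/ini': { version: '9.9.9-constructed' }, // unrelated hoisted copy
    },
  };
}

const MARKER = 'node_modules/';

// Return every installed copy of name@version with its install scope.
function findInstalls(lock, name, version) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(MARKER);
    if (idx === -1) continue; // root project or workspace folder, not an install
    // The package name follows the last "node_modules/" (covers nesting and scopes).
    const pkgName = path.slice(idx + MARKER.length);
    if (pkgName !== name || meta.version !== version) continue;
    hits.push({ path, scope: meta.dev === true ? 'dev-only' : 'production' });
  }
  return hits;
}

// True when at least one matching copy would be installed with `npm ci --omit=dev`.
function shipsToProduction(lock, name, version) {
  return findInstalls(lock, name, version).some((h) => h.scope === 'production');
}

console.log('npm i -D:', findInstalls(sampleLock(true), 'ini', '1.3.5'));
console.log('npm i   :', findInstalls(sampleLock(false), 'ini', '1.3.5'));
```

To run it against a real project, replace `sampleLock(...)` with the parsed contents of that project's `package-lock.json`.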