Replies: 5 comments
-
I have implemented this in userland https://github.com/Raynos/npm-bin-deps I can open an I am happy to join the
-
Reference to Open RFC meeting: https://www.youtube.com/watch?v=43JFgdJzakI&t=13m30s
-
Running I used
This is a really good point, I don't personally use a binary that I also use a library you can
These help with These do not help with exploring Also the cc @isaacs
-
The open RFC meeting mentioned I know https://pnpm.js.org/en/pnpmfile#hooks ; I have used the pnpm hook system to "fix" a nested dependency and to rewrite its package.json to actually depend on its unlisted dependencies, this would unblock me from waiting for the transient dependency to fix itself. Moving various transient dependencies into Moving transient dependencies into
-
A user of Based on this use case I am convinced that the author of
-
Motivation ("The Why")

When looking at the output of `npm ls`, reviewing `package-lock.json` or opening `node_modules` in my text editor I would like to only see dependencies that I `require` directly in my library or application.

If I have a small library or application with 3-10 dependencies and `nyc`, then 95% of node_modules is transitive dependencies of `nyc` instead of code that I am actually using in my application / library.

When building an application or a library I want to use certain dev dependencies that are only used as binaries in the `scripts` section of my `package.json`; these dev dependencies are never used by a `require` statement.

Examples: `typescript`, `tslint`, `standard`, `nyc`, `electron`, `webpack`, `testcafe`, `browserify`, etc.

A long time ago, we used to install these dependencies globally before npm added `./node_modules/.bin` to `$PATH` in the `scripts` section. An application developer was expected to have a copy of `nyc` and `eslint` installed with `npm i nyc eslint -g`.

Example
I have a library that uses `aws-sdk` & `tape` for testing, but also `nyc` & `tslint` as binaries. The output of `npm ls` and `ls node_modules` shows that there are 450 dependencies.

If I move all the binaries to be globally installed, `npm ls` and `ls node_modules` show that there are only 25 dependencies that are actually used by my library.

It is frustrating for me to have to look at dependencies in `node_modules` that are not relevant to my library. I am willing to trust these binaries like `nyc` and `tslint` as black boxes.

In other communities, like the Go community, these binary only dependencies are installed as a single binary and are generally fetched in the Makefile. These binary only dependencies do not exist in the `vendor` directory since they are treated as single standalone binary blackboxes.

How
Current Behaviour

Npm installs binary dependencies into `node_modules` and I add them to `devDependencies`.

Desired Behaviour

Npm installs binary dependencies somewhere else that is not `./node_modules` (could be in `$HOME/.npm/...`) and I add them to `binDependencies`.

References

I have implemented a prototype in userland https://github.com/Raynos/npm-bin-deps

This userland prototype is missing some features like

- `npm install tslint -B`; I have to hand edit the `binDependencies` declaration in my package.json
- `$PATH` in `scripts`; I currently run `npr standard` instead of `standard` in scripts.

Caveats
Is `tap` devDependencies or binDependencies?

`tap` is both a library you `require` and a binary dependency. It's not a good fit for `binDependencies`.

Since a lot of `npm` users (installers) are not going to understand the nuance of this, one possible approach would be for the author of `tap` & `nyc`, etc. to decide if their library is a dev dependency or a bin dependency. This could be a new field in `package.json` like `isBinOnly: true`.

Then the `npm` client when running `npm install nyc --save-bin` would know that it is `isBinOnly` and add it to `binDependencies`. Running `npm install tap --save-bin` would know that it is not `isBinOnly` and would add it to `devDependencies` and warn the user that `tap` cannot be a binDependencies.

Adding the `isBinOnly` field actually makes the entire `binDependencies` functionality opt in based on package publishers.

Reproducible tests in CI
By design of treating these binary only dev dependencies as a blackbox they do not show up in `package-lock.json`. This means I do not have to review hundreds of lines of changes when they get updated but I also do not have reproducible builds for testing since nested dependencies could change on re-install.

For reproducible builds it might be useful to have an optional `bin-package-lock.json`. By having the binDependencies write into their own lock file I can easily choose to not review this file in code review since I know that these dependencies are not part of my app / library / `./node_modules`.

The reason for a separate lock file would be because the current `package-lock.json` is for `./node_modules` and by design `binDependencies` are not installed in `node_modules` but instead in some other location like `$HOME/.npm`.

Challenging to do printf debugging on binary dependencies
As a user of `npm-bin-deps` there have been a couple of times I wanted to fix a bug in a binary dependency and I had to manually open `~/.config/npm-bin-deps/...` to do printf style debugging.

This is a pretty rare use case and the best recommendation I have is to manually re-install the dependency as a dev dependency, do your printf debugging / bugfixes / forking / pull request and re-install as a bin dependency once stable.
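The split the proposal describes (binaries called only from `scripts` versus packages that are also `require`d, like `tap`) can be checked mechanically. The following is an added example, not code from the original post, npm or npm-bin-deps; the sample project, the `binNames` map and all function names are constructed for illustration, and `binDependencies` is the proposed field, not something npm supports.

```javascript
// Added example. `binDependencies` is the field proposed above, not an npm feature.
// Constructed sample project: package.json, each dev dependency's `bin` names
// (normally read from its own package.json), and the project's source files.
const pkg = {
  scripts: { test: 'nyc tape test/*.js', lint: 'tslint -p . && tsc --noEmit' },
  dependencies: { 'aws-sdk': '^2.0.0' },
  devDependencies: { nyc: '^15.0.0', tslint: '^6.0.0', typescript: '^4.0.0', tape: '^5.0.0' },
};
const binNames = { nyc: ['nyc'], tslint: ['tslint'], typescript: ['tsc', 'tsserver'], tape: ['tape'] };
const sources = {
  'index.js': "const AWS = require('aws-sdk');",
  'test/index.js': "const test = require('tape');\nconst lib = require('../index');",
};

// Package names loaded via require('x') or a static import; local paths are skipped.
function requiredPackages(files) {
  const found = new Set();
  const re = /(?:require\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;
  for (const text of Object.values(files)) {
    for (const [, spec] of text.matchAll(re)) {
      if (spec.startsWith('.') || spec.startsWith('/')) continue;
      const parts = spec.split('/');
      found.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
    }
  }
  return found;
}

// Every whitespace- or operator-separated token in the scripts section.
function scriptTokens(scripts) {
  return new Set(Object.values(scripts || {}).flatMap((s) => s.split(/[\s;&|]+/)));
}

// A dev dependency is a binDependencies candidate only if one of its binaries
// is called from scripts AND it is never required (so a `tap`-style package stays put).
function classifyDevDependencies(manifest, bins, files) {
  const required = requiredPackages(files);
  const tokens = scriptTokens(manifest.scripts);
  const out = { binDependencies: {}, devDependencies: {} };
  for (const [name, range] of Object.entries(manifest.devDependencies || {})) {
    const usedAsBin = (bins[name] || []).some((b) => tokens.has(b));
    const target = usedAsBin && !required.has(name) ? 'binDependencies' : 'devDependencies';
    out[target][name] = range;
  }
  return out;
}

console.log(classifyDevDependencies(pkg, binNames, sources));
```

In the sample, `tape` stays in `devDependencies` because the test file requires it, which is the same situation the Caveats section describes for `tap`.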