Should @vue/composition-api be added in devDependencies - vue.js

Should I install @vue/composition-api in package.json dependencies rather than in devDependencies?
I see on npm registry that it is in dependencies

Following the logic of vue-property-decorator or vue-class-component, these are installed as dependencies.
I would say this is an actual dependency for your project once it is built, so it is not a dev dependency.

Related

How to resolve specific dependency of a dev dependency in a Yarn.lock

Trying to install a dev dependency but one of its dependencies is lodash: 4.17.20. When Snyk does a scan of my dependencies, it marks this dependency as a high security vulnerability.
How can we have this dev dependency try to resolve a different version of lodash for a dev dependency and pass the Snyk test?
Was thinking that in the yarn.lock file, it somehow needs to resolve a higher version of lodash for this dev dependency, so I've referred to https://classic.yarnpkg.com/en/docs/selective-version-resolutions/
Doing something in my package.json like
  "resolutions": {
    "**/lodash": "^4.17.20"
  }
Or
  "resolutions": {
    "<that dev dependency>/lodash": "^4.17.20"
  }
Seems like it hasn't quite worked, and the Yarn.lock hasn't updated the lodash dependency for that dev dependency. Wanted to see if this was possible without updating the yarn.lock manually as I could see it being re-overwritten in the future. This is done in a Lerna monorepo.
Update from the Snyk team, they do not have monorepo support with Lerna as of 04/05/21
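
A check for the situation in the question above, as an added example that is not part of the original post: it parses a Yarn v1 lockfile and reports every entry that still pins lodash below a chosen minimum, which shows whether a resolutions entry took effect after running yarn install. The lockfile text, the package @scope/helper and the minimum 4.17.21 are constructed assumptions; note that a range such as ^4.17.20 is still satisfied by 4.17.20 itself.

```javascript
// Added example. SAMPLE_LOCK is constructed; "@scope/helper" is a hypothetical package.
const SAMPLE_LOCK = `# yarn lockfile v1

"@scope/helper@^1.0.0":
  version "1.2.0"

lodash@^4.17.15, lodash@^4.17.20:
  version "4.17.20"

lodash@^4.17.21:
  version "4.17.21"
`;

// Split "name@range" at the last "@" so scoped names such as @scope/pkg survive.
function splitSpec(spec) {
  const s = spec.trim().replace(/^"|"$/g, "");
  const at = s.lastIndexOf("@");
  return { name: s.slice(0, at), range: s.slice(at + 1) };
}

// Return one { version, ranges } record per lockfile entry that resolves pkgName.
function pinnedVersions(lockText, pkgName) {
  const pins = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const ranges = line.slice(0, -1).split(",").map(splitSpec)
        .filter((s) => s.name === pkgName).map((s) => s.range);
      current = ranges.length ? { version: null, ranges } : null;
      if (current) pins.push(current);
    } else if (current) {
      const m = /^  version "(.+)"$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return pins;
}

// Entries still below `minimum` (plain x.y.z versions only, no pre-release tags).
function stalePins(lockText, pkgName, minimum) {
  const min = minimum.split(".").map(Number);
  return pinnedVersions(lockText, pkgName).filter((p) => {
    const v = p.version.split(".").map(Number);
    const i = v.findIndex((n, k) => n !== min[k]);
    return i !== -1 && v[i] < min[i];
  });
}
console.log(stalePins(SAMPLE_LOCK, "lodash", "4.17.21"));
```

An empty result means no entry in the lockfile resolves the package below the minimum; any record returned names the requested ranges that still need a resolution.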

How do devDependencies work when you yarn add <package>?

If you have a project that depends on packageA and you yarn add packageA but packageA has a devDependency on packageB to build, shouldn't that cause packageA to not work for you? Since packageA won't be able to build unless its devDependencies are installed too?
I guess my main question is if a package has a devDependency on a build tool like babel, how does it get built and work when it gets yarn added by a project? Shouldn't build tools like webpack be a normal dependency?
No, they shouldn't, because the package that is yarn added is already built in an environment where the devDependencies are available. For example, when a package needs babel or webpack to build, then during the publishing a built bundle is created in a CI/CD pipeline that is valid es5 code and that is what you pull from npm. No build required after that.
GOOD MORNING :)
If you are having dependency problems on your dependencies of package.json, it is very simple to solve =]
What happens is that the dependency modules that the modules of your project need (dependencies) must be installed in the global npm as a package node (module), that is:
npm install -g youPackageName
If you have already installed a module in other projects or in the current project and want to turn it into a global package, you can use the command:
npm link youPackageName

dependencies and devDependencies when using webpack

Does it make sense to put any modules into package.json dependencies when I use webpack?
When I want to develop a package, I use git clone <url> then npm install, then npm installs all dependencies and devDependencies from package.json file and it makes sense.
When I'm end-user and I just want to install some package into my node_modules to use it in my project, I run npm install package-name, then npm installs package-name with only its dependencies, and it makes sense too.
But does it make sense to put any modules into dependencies when I use webpack? The webpack will bundle all dependencies into eg. bundle.js, so, for me, there is no need to install dependencies then (while they're included into bundle.js file).
Let's assume that I put all necessary modules into devDependencies (keep the dependencies object empty) for my project: my-project, bundle it with webpack and publish:
the developer-user will use git clone <url to my_project>, then run npm install, then npm will install devDependencies from package.json (and omit empty dependencies object), then it is ready to develop.
the end-user will use npm install my-project, then npm will install my-project, do not install devDependencies (because this is for production) and do not install dependencies (because dependencies object in package.json remain empty). Putting anything into dependencies would double the dependencies: both the dependencies would be installed, and the same dependencies would be accessible in the bundle.js file.
Am I right?
You are correct that there may be no dependencies once it's been transpiled with webpack. However, some packages are multi-purpose and may be used in multiple ways, so in some circumstances dependencies may still be required.
If you look at the package.json specification, there are two possible entry points, 'main' and 'browser'. There is also the proposed 'module' entry point. It is currently under discussion about how to handle these in webpack and users seem to want webpack to prioritize them as module > browser > main, however browser is currently used by webpack first.
The idea behind prioritizing them in the order module > browser > main is presumably that browsers could use the pre-transpiled stuff directly in "browser", whereas another project calling require() or include() on your package would use non-transpiled code from the "module" entry. The "module" entry code could contain modern JavaScript with new features and the project/package requiring it could then transpile it to their own specifications, using "browserslist" for example.
I found this question because I was wondering the same thing...

How to update package.json dependencies when linking from globally installed packages?

I organize my development projects installing globally all the npm packages I need with:
npm -g install [package]
Then I symlink individually the dependencies I need for each project with:
npm link [package]
This way, I have to update manually each package.json file to add the dependency, and when I upgrade the global node_modules I have to go and update all the package.json projects.
For this first issue I tried npm link [package] --save but it doesn't add the dependency to package.json and if I use npm install [package] --save it installs the package locally, which I don't want.
Is there any way to be able to not have to configure package.json manually and be able to have an updated configuration of package.json from many different projects in an easier way?
Yes you can install npm-check-updates, you can find the install and guide here:
https://www.npmjs.com/package/npm-check-updates
When running 'ncu' on the command-line in your root folder where your package.json is, it will list the packages that can be updated, and by running 'ncu -u' on the command-line it updates all the packages for you.

NPM install installs dependencies that are not in my package.json

I just added a dependency to my project and did an npm install. However, I get 20 modules in my node_modules folder. Why is this happening? I only need one module.
In NPM 3, the dependency hierarchy is flat by default, so you are probably seeing your dependency's dependencies.
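
The flat layout described in the answer above, as an added example that is not part of the original answer: starting from the one declared dependency, it walks each installed module's own dependencies and labels every folder in node_modules as direct, transitive or extraneous. All package names and manifests are constructed, and the walk assumes one copy per package name (no nested duplicates from version conflicts).

```javascript
// Added example. ROOT and INSTALLED are constructed; every package name is hypothetical.
const ROOT = { name: "my-app", dependencies: { "web-lib": "^1.0.0" } };
// Stand-in for reading node_modules/<name>/package.json for each top-level folder.
const INSTALLED = {
  "web-lib": { dependencies: { "body-reader": "^1.0.0", "path-match": "^2.0.0" } },
  "body-reader": { dependencies: { "byte-size": "^3.0.0" } },
  "path-match": { dependencies: { "byte-size": "^3.0.0" } },
  "byte-size": {},
  "left-behind": {}, // present on disk but declared by nothing
};

// Label each installed module and record which packages declare it.
function explainInstalled(root, installed) {
  const direct = Object.keys(root.dependencies || {});
  const requiredBy = {}; // module name -> Set of packages that list it
  const queue = direct.map((name) => ({ name, parent: root.name }));
  const visited = new Set();
  while (queue.length) {
    const { name, parent } = queue.shift();
    (requiredBy[name] = requiredBy[name] || new Set()).add(parent);
    if (visited.has(name) || !installed[name]) continue;
    visited.add(name);
    for (const dep of Object.keys(installed[name].dependencies || {})) {
      queue.push({ name: dep, parent: name });
    }
  }
  const report = {};
  for (const name of Object.keys(installed)) {
    const kind = direct.includes(name) ? "direct"
      : requiredBy[name] ? "transitive" : "extraneous";
    report[name] = { kind, requiredBy: [...(requiredBy[name] || [])].sort() };
  }
  return report;
}

console.log(explainInstalled(ROOT, INSTALLED));
```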