
chore: replace chalk with picocolors #2268


Merged
merged 5 commits into from
Jun 26, 2025

Conversation

yslpn
Contributor

@yslpn yslpn commented Jun 18, 2025

🎯 e18e initiative: ecosystem performance optimization

Replace heavy dependencies with lightweight alternatives

📊 Impact

| Library | Before | After |
|---|---|---|
| Color | chalk@4: 5 deps (95kb) | picocolors: 0 deps (6kb) |
| Spinner | ora: 17 deps (280kb) | nanospinner: 1 dep (16kb) |

🔄 Changes

- "chalk": "^4.1.0",
+ "picocolors": "^1.1.1",
- "ora": "^5.1.0",
+ "nanospinner": "^1.2.2",
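
Review bot: the added `"picocolors": "^1.1.1"` line is a caret range, so an install that does not use the lockfile resolves to whichever 1.x release is newest at that moment. Since reduced attack surface is one of the stated benefits, please confirm the lockfile update is part of this PR so that the version that was reviewed is the one that gets installed. The `ora` / `nanospinner` pair is still listed here although upd2 below reverts it, so this snippet should be cut down to the chalk / picocolors pair.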

✅ Benefits

  • Fewer dependencies
  • Smaller bundle size
  • Faster installs, reduced attack surface
  • Zero breaking changes

upd: updated the dependency data, initially I used the wrong tactics and tools for calculation

upd2: revert replace ora with nanospinner


vercel bot commented Jun 18, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| js-lingui | ✅ Ready (Inspect) | Visit Preview | Jun 26, 2025 8:37am |


github-actions bot commented Jun 18, 2025

size-limit report 📦

| Path | Size |
|---|---|
| packages/core/dist/index.mjs | 2.91 KB (0%) |
| packages/detect-locale/dist/index.mjs | 618 B (0%) |
| packages/react/dist/index.mjs | 1.35 KB (0%) |

@yslpn yslpn changed the title from "Replace chalk with picocolors, ora with nanospinner" to "chore: replace chalk with picocolors, ora with nanospinner" Jun 18, 2025
Collaborator

@vonovak vonovak left a comment


I'd rather use ora than nanospinner which has far fewer downloads, stars, and contributors. picocolors looks good.

Security: Reduced attack surface with fewer dependencies

This can be misleading. Let's say that we replace popular, trusted dependency A with more lightweight B, which is controlled by one person, and they at some point introduce malicious code. That's a very real possibility.


@yslpn yslpn marked this pull request as draft June 19, 2025 11:36
Contributor Author

yslpn commented Jun 19, 2025

> I'd rather use ora than nanospinner which has far fewer downloads, stars, and contributors. picocolors looks good.
>
> Security: Reduced attack surface with fewer dependencies
>
> This can be misleading. Let's say that we replace popular, trusted dependency A with more lightweight B, which is controlled by one person, and they at some point introduce malicious code. That's a very real possibility.

I agree and understand your skepticism. This could indeed be a problem if the author abandons support and/or becomes malicious. I respect your opinion, so I will roll back the replacement for nanospinner a bit later. To finish with merge picocolors

But I want to add a few objections that are worth thinking about.

  1. Not choosing a good library because it has hundreds of thousands of downloads, not millions, seems to me to be the wrong tactic.
  2. Before installing, reviewing the code of nanospinner for 5 minutes (100 lines of code) and one dependency of picocolors seems to be a safer strategy than analyzing everything that ora entails.
  3. Remember the situation with the faker library, which had millions of installations. Here you need to trust 17 people, instead of 1 person.
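
The dependency counts argued over in this thread can be checked from a lockfile rather than taken from a table. The following is an added example, not code from this PR or from the Lingui project: it walks a `package-lock.json` v3 style `packages` map and lists everything a given package pulls in. The function names `resolveDep` and `transitiveDeps` and the embedded lockfile are constructed for illustration.

```javascript
// Constructed sample in package-lock.json v3 layout; not the lockfile from this PR.
const sampleLock = {
  packages: {
    '': { dependencies: { chalk: '^4.1.0', picocolors: '^1.1.1' } },
    'node_modules/chalk': { version: '4.1.2', dependencies: { 'ansi-styles': '^4.1.0', 'supports-color': '^7.1.0' } },
    'node_modules/ansi-styles': { version: '4.3.0', dependencies: { 'color-convert': '^2.0.1' } },
    'node_modules/color-convert': { version: '2.0.1', dependencies: { 'color-name': '~1.1.4' } },
    'node_modules/color-name': { version: '1.1.4' },
    'node_modules/supports-color': { version: '7.2.0', dependencies: { 'has-flag': '^4.0.0' } },
    'node_modules/has-flag': { version: '4.0.0' },
    'node_modules/picocolors': { version: '1.1.1' },
  },
};

// Resolve `name` the way Node does: nearest node_modules, walking up from `fromPath`.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Every package pulled in by `rootName`, excluding the package itself.
function transitiveDeps(lock, rootName) {
  const packages = lock.packages;
  const start = resolveDep(packages, '', rootName);
  if (!start) throw new Error(rootName + ' is not in the lockfile');
  const seen = new Set();
  const queue = [start];
  while (queue.length > 0) {
    const path = queue.shift();
    const entry = packages[path];
    const wanted = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const name of Object.keys(wanted)) {
      const resolved = resolveDep(packages, path, name);
      if (resolved && resolved !== start && !seen.has(resolved)) {
        seen.add(resolved);
        queue.push(resolved);
      }
    }
  }
  return [...seen].map((p) => p.slice(p.lastIndexOf('node_modules/') + 13) + '@' + packages[p].version).sort();
}

console.log(transitiveDeps(sampleLock, 'chalk'), transitiveDeps(sampleLock, 'picocolors'));
```

Run against a real lockfile, the returned list is the set of packages, and therefore publishers, that a review of the swap has to cover.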

@yslpn yslpn marked this pull request as ready for review June 20, 2025 07:13
@yslpn yslpn changed the title from "chore: replace chalk with picocolors, ora with nanospinner" to "chore: replace chalk with picocolors" Jun 20, 2025
@yslpn yslpn requested a review from vonovak June 23, 2025 10:38
@vonovak vonovak requested a review from andrii-bodnar June 24, 2025 10:03
Collaborator

@vonovak vonovak left a comment


To me, this looks good but I'll defer to @andrii-bodnar

Collaborator

@timofei-iatsenko timofei-iatsenko left a comment


LGTM. Also agree with @vonovak's points about ora vs nanospinner


codecov bot commented Jun 26, 2025

Codecov Report

Attention: Patch coverage is 46.15385% with 7 lines in your changes missing coverage. Please review.

Project coverage is 76.82%. Comparing base (6bb8983) to head (393b6c2).
Report is 198 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| packages/cli/src/lingui-extract.ts | 0.00% | 4 Missing ⚠️ |
| packages/cli/src/lingui-compile.ts | 50.00% | 3 Missing ⚠️ |

❌ Your patch status has failed because the patch coverage (46.15%) is below the target coverage (70.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2268      +/-   ##
==========================================
- Coverage   77.05%   76.82%   -0.24%     
==========================================
  Files          84       89       +5     
  Lines        2157     2498     +341     
  Branches      555      650      +95     
==========================================
+ Hits         1662     1919     +257     
- Misses        382      463      +81     
- Partials      113      116       +3     


@andrii-bodnar andrii-bodnar merged commit 73f867c into lingui:main Jun 26, 2025
10 of 11 checks passed