From 7208291f2e5a68aa0d63e3ba2e20f326b8275351 Mon Sep 17 00:00:00 2001 From: Miki Date: Wed, 30 Aug 2023 11:20:59 -0700 Subject: [PATCH] Remove examples and other unwanted artifacts from installed dependencies Signed-off-by: Miki --- CHANGELOG.md | 1 + package.json | 1 + scripts/postinstall.js | 41 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 scripts/postinstall.js diff --git a/CHANGELOG.md b/CHANGELOG.md index 86bfda90100c..dfd72fabda36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Bump `node-sass` to a version that uses a newer `libsass` ([#4649](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4649)) - [CVE-2019-11358] Bump version of tinygradient from 0.4.3 to 1.1.5 ([#4742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4742)) - [CVE-2021-3520] Bump `lmdb` from `2.8.0` to `2.8.5` ([#4804](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4804)) +- Remove examples and other unwanted artifacts from installed dependencies ([#4896](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4896)) ### 📈 Features/Enhancements diff --git a/package.json b/package.json index 392e919c077c..003b3d8993b4 100644 --- a/package.json +++ b/package.json @@ -40,6 +40,7 @@ "author": "opensearch-project", "scripts": { "preinstall": "scripts/use_node ./preinstall_check", + "postinstall": "scripts/use_node scripts/postinstall", "osd": "scripts/use_node scripts/osd", "opensearch": "scripts/use_node scripts/opensearch", "test": "grunt test", diff --git a/scripts/postinstall.js b/scripts/postinstall.js new file mode 100644 index 000000000000..e84ee6b38ac8 --- /dev/null +++ b/scripts/postinstall.js 
@@ -0,0 +1,41 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* eslint no-restricted-syntax: 0 */
+
+const fs = require('fs/promises');
+
+/**
+ * Some libraries pack their demos and examples into their release artifacts.
+ * This unwanted content makes our release artifacts larger but more importantly,
+ * some contain in-browser references to outdated and vulnerable versions of
+ * libraries that are not even mentioned in the dependency tree. This is a
+ * problem when vulnerability scanners point them out, and we have no way to fix
+ * them. This function looks for folders that are unwanted and deletes them.
+ */
+const removeUnwantedFolders = async (root, unwantedNames) => {
+ const items = await fs.readdir(root, { withFileTypes: true });
+ const promises = [];
+ for (const item of items) {
+ if (!item.isDirectory()) continue;
+
+ if (unwantedNames.includes(item.name)) {
+ promises.push(fs.rm(`${root}/${item.name}`, { recursive: true, force: true }));
+ } else {
+ promises.push(...(await removeUnwantedFolders(`${root}/${item.name}`, unwantedNames)));
+ }
+ }
+
+ return promises;
+};
+const run = async () => {
+ const promises = await removeUnwantedFolders('node_modules', ['demo', 'example', 'examples']);
+ await Promise.all(promises);
+};
+
+run().catch((err) => {
+ console.error(err);
+ process.exit(1);
+});
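Review bot: Each `fs.rm()` in `removeUnwantedFolders` starts as soon as it is pushed but is only awaited by `Promise.all` in `run` after the whole serial walk has finished, so a removal that rejects (EACCES, EPERM or EBUSY — `force: true` only masks a missing path) while a later `readdir` is still pending can surface as an unhandled rejection, which with Node's default unhandled-rejection mode aborts the process before `run().catch` gets to log it. Since the walk is already sequential (`await removeUnwantedFolders(...)` per subdirectory), awaiting the removal inline, `await fs.rm(`${root}/${item.name}`, { recursive: true, force: true });`, closes that window and makes the promises array and the `Promise.all` in `run` unnecessary. The match is on folder name at any depth, so a dependency whose package directory or runtime code sits under a folder named `demo`, `example` or `examples` (e.g. `node_modules/<scope>/examples`) would be deleted silently; it seems worth skipping folders that are themselves a package root (contain a `package.json`) before removing. A comment on the `isDirectory()` check would also protect a deliberate property from being "fixed" later: `// Dirent.isDirectory() is false for symlinks, so linked packages are neither descended into nor removed.`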