Skip to content

Make webpack-dev-server optional #1336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 10, 2024
Merged

Make webpack-dev-server optional #1336

merged 1 commit into from
Sep 10, 2024

Conversation

Kocal
Copy link
Member

@Kocal Kocal commented Sep 8, 2024

As discussed with @stof, we want to make the webpack-dev-server an optional peer dependency:

JavaScript dependencies are problematic, depending on many sub-dependencies, which in turn depend on more sub-dependencies, and so on... Welcome to the dependency hell!

Even if the dev-server functionality isn't used, the dependency tree is immensely more complex (over 300 additional dependencies), but this is an open door to security holes present in “discrete” (say “little-known”), but over-used dependencies.

In recent months, a sort of “witch-hunt” has been set up by some people in the JavaScript ecosystem, to replace sub-dependencies with lighter alternatives (either another dependency, or a native version) in popular project. I've started doing this on Encore for a few dependencies, and making the webpack-dev-server optional is a big win.

Package size report
===================

Package info for "@symfony/webpack-encore@4.7.0": 61 MB
  Released: 2024-08-29 16:26:01.762 +0000 UTC (1w3d ago)
  Downloads last week: 19,232 (11.57%)
  Estimated traffic last week: 1.2 TB
  Subdependencies: 626

Removed dependencies:
  - webpack-dev-server@4.15.2: 29 MB (47.60%)
    Downloads last week: 2,605,016 (N/A% from 4.15.2)
    Downloads last week from "@symfony/webpack-encore@4.7.0": 19,232 (N/A%)
    Traffic last week: N/A
    Traffic from "@symfony/webpack-encore@4.7.0": 1.2 TB (N/A%)
    Subdependencies: 283 (45.20%)

Estimated new statistics:
  Package size: 61 MB → 43 MB (69.83%)
  Subdependencies: 626 → 295 (-331)
  Traffic with last week's downloads:
    For current version: 1.2 TB → 823 GB (355 GB saved)
    For all versions: 10 TB → 7.1 TB (3.1 TB saved)

When upgrading Encore to v5, end-users will have to install the webpack-dev-server back to use it again.

@Kocal Kocal added this to the 5.0 milestone Sep 8, 2024
Kocal
Kocal commented Sep 8, 2024
View reviewed changes
bin/encore.js
Comment on lines +60 to +65
try {
featuresHelper.ensurePackagesExistAndAreCorrectVersion('webpack-dev-server', 'the webpack Development Server');
} catch (e) {
console.log(e);
process.exit(1);
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could have used isPackageInstalled(), but I would have to rewrite a lot of logic here to enforce the version, generate the good command, etc...

Adding method parameter to featuresHelper.ensurePackagesExistAndAreCorrectVersion was a lot easier and clean.

@Kocal Kocal force-pushed the move-webpack-dev-server-to-peer-dependency branch from 1196ea9 to fd49f7d Compare September 8, 2024 19:11
stof
stof reviewed Sep 8, 2024
View reviewed changes
Copy link
Member

@stof stof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

types relying on import('webpack-dev-server').Configuration need to be changed to use object instead, as our type declarations cannot depend on optional dependencies

@Kocal Kocal force-pushed the move-webpack-dev-server-to-peer-dependency branch from fd49f7d to c7dee41 Compare September 8, 2024 19:28
@Kocal
Copy link
Member Author

Kocal commented Sep 8, 2024

types relying on import('webpack-dev-server').Configuration need to be changed to use object instead, as our type declarations cannot depend on optional dependencies

You think so? I kept webpack-dev-server as a dev dependency, and it looks like fine

@Kocal Kocal force-pushed the move-webpack-dev-server-to-peer-dependency branch 2 times, most recently from f51585a to ca0bf2f Compare September 8, 2024 19:45
@stof
Copy link
Member

stof commented Sep 8, 2024

@Kocal as long as we use types for ourselves, the dev dependency is indeed enough. But this would block #816 which was the primary reason to add more precise types. Types shipped in the package cannot use dev dependencies.

@Kocal
Copy link
Member Author

Kocal commented Sep 8, 2024
edited
Loading

Ah, I didn't think about that, I will change that, thanks

@Kocal Kocal force-pushed the move-webpack-dev-server-to-peer-dependency branch 5 times, most recently from f4cce95 to 34588b4 Compare September 8, 2024 21:59
@Kocal Kocal force-pushed the move-webpack-dev-server-to-peer-dependency branch from 34588b4 to 600c943 Compare September 8, 2024 22:18
@Kocal Kocal requested a review from stof September 8, 2024 22:37
@Kocal
Copy link
Member Author

Kocal commented Sep 8, 2024
edited
Loading

Checks are finally green.

@Kocal Kocal merged commit 7436a0d into symfony:main Sep 10, 2024
28 checks passed
@Kocal Kocal deleted the move-webpack-dev-server-to-peer-dependency branch September 10, 2024 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof Awaiting requested review from stof

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@Kocal @stof