this post was submitted on 01 Mar 2024

Official docs say it's for

Packages that are only needed for local development and testing.

Umm, okay. Not 100% clear there. Some articles mention things like ESLint or Jest (k, I'm on board there) but others mention Babel or WebPack. I get that you don't need WebPack libraries to be loaded in the browser but how the hell do you bundle up your code without it? When you use npm ci or npm install you'll get all dependencies but isn't it good practice (in a CICD environment) to use --omit=dev or --only=prod?

[–] hperrin 13 points 9 months ago* (last edited 9 months ago) (1 children)

If you’re bundling code, you’re doing development work, and you’d have devDependencies installed:

For a library, once you’ve shipped your code, someone using it wouldn’t need your bundler/testing libraries/dependency types/compilers/etc installed, so they wouldn’t install your devDependencies.

For an application, if you’re building it on the server, you’re probably doing it wrong, but in that case you would want to install devDependencies. If you’ve built it locally or in a pipeline and you’re running it on the server from your artifact, then you probably don’t need devDependencies, as those are only useful during dev and build.

[–] BrianTheeBiscuiteer 3 points 9 months ago (1 children)

Good points. I never build libraries, only websites, so it didn't really occur to me that the dependency types were mostly intended for that use case.

I use a pipeline to build and right now there's one stage that just installs everything, then I have separate build and test jobs. The two main issues I'm trying to correct are the fact that npm takes ages to install dependencies (even with npm ci) and that I'm subject to security scans and I don't want to be held up because of a vulnerability in my testing tools.

[–] foobaz 1 points 9 months ago
  • pnpm and yarn are usually faster, also bun
  • you should cache restored packages in your ci
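
Added example, not part of the thread: one way to keep a vulnerability in test tooling from blocking a deploy is to split scanner findings by whether the affected package is dev-only according to `package-lock.json` (the `dev` / `devOptional` flags in the `packages` map of lockfileVersion 2 and 3). The lockfile, package names, finding ids and the function names `classifyPackages` and `gateFindings` are constructed for illustration.

```javascript
// Constructed sample lockfile (lockfileVersion 3); package names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-site' },
    'node_modules/web-server-lib': { version: '4.1.0' },
    'node_modules/test-runner-lib': { version: '29.0.0', dev: true },
    'node_modules/test-runner-lib/node_modules/range-parser-lib': { version: '6.3.0', dev: true },
    'node_modules/range-parser-lib': { version: '7.5.0' },
    'node_modules/@example/native-watch': { version: '2.3.0', devOptional: true },
  },
};

// Constructed scanner findings; ids are placeholders, not real advisories.
const sampleFindings = [
  { id: 'EXAMPLE-0001', name: 'range-parser-lib', version: '6.3.0' },
  { id: 'EXAMPLE-0002', name: 'web-server-lib', version: '4.1.0' },
  { id: 'EXAMPLE-0003', name: '@example/native-watch', version: '2.3.0' },
  { id: 'EXAMPLE-0004', name: 'not-in-lockfile', version: '1.0.0' },
];

// Map "name@version" -> 'dev' | 'prod' using the lockfile's per-package flags.
function classifyPackages(lock) {
  const scopes = new Map();
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf(marker);
    if (at === -1 || !meta.version) continue; // root project, workspaces, links
    const key = `${path.slice(at + marker.length)}@${meta.version}`;
    // devOptional is also reachable as an optional dep of a non-dev package: keep it prod.
    const scope = meta.dev === true ? 'dev' : 'prod';
    if (scopes.get(key) !== 'prod') scopes.set(key, scope); // prod wins on duplicates
  }
  return scopes;
}

// Split findings: dev-only ones are reported, everything else blocks the deploy.
function gateFindings(lock, findings) {
  const scopes = classifyPackages(lock);
  const out = { blocking: [], devOnly: [] };
  for (const f of findings) {
    const scope = scopes.get(`${f.name}@${f.version}`); // undefined -> fail closed
    (scope === 'dev' ? out.devOnly : out.blocking).push(f.id);
  }
  return out;
}

console.log(gateFindings(sampleLock, sampleFindings));
```

The same version of a package can be dev-only at one path and production at another, which is why the key includes the version and production wins. Dev-only findings still deserve a look, since that code runs on developer machines and in the build pipeline.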