Do not bundle dependencies #80
Conversation
| import replace from "rollup-plugin-re"; | ||
|
|
||
| const pkg = require("./package.json"); | ||
|
|
||
| const makeExternalPredicate = externalArr => { |
There was a problem hiding this comment.
this handles things like 'colors/safe' automatically
|
See discussion here for context and rationale of bundling: #70 If that doesn't convince you, I'll reconsider sometime before 3rd PR for the same thing :) |
|
I hear your arguments, I'm just not convinced. My biggest concern (beside the duplication of code) is that the code's author and its origin is unobvious when debugging. Leftpad-like issues don't happen that often IMHO. Feel free to close this PR if you are still unconvinced (until 3rd PR 😉 ) |
|
Does recent es-lint infection change anything either way? On one hand baked dependencies would prevent things in my dependency chain from changing in unexpected ways, on the other if something makes it in, it will stay there until this package is unpublished itself. For bundled package to stay safe I will need to get lucky and not be infected at the time of publishing. For unbundled package, users will have to be lucky every time they do npm install. So more luck required in total, but that also can be fixed dynamically. |
|
I was considering filing a PR/issue for this as well until I saw this when searching if this was a mistake or intentional. While I can understand some reasoning behind dependency trust issues, bundling dependencies for this one package doesn't really fix an ecosystem-wide issue:
|
|
1 and 3 are good points. Re 2 I actually check dependency updates -- because they are bundled up, rollup throws away anything not used (which is most of the stuff) and diff for bundled source is reasonable. I haven't reviewed the whole source of all packages when I originally included them, but I did review every change that actually makes it into the bundle after that. Can't say how effective that review is, I'm basically making sure changes are reasonably looking and no fishy http requests and such, but such review won't be possible at all if dependencies are not bundled. For example check out differences here after a couple of dependent packages were updated: |
|
That said, I wouldn't mind a PR for a separate package with unbundled dependencies. I can publish them both for a while, and if most of usage switches to it, I can deprecate original one. |
While the intent of an "A/B test" like that sounds useful, realistically that's not actually an A/B test as it requires very deliberate opt-in. And the benefits aren't obvious either. Would need a pretty big, visible mention in the docs, which I think would be confusing and if this change is considered "controversial", so would that then. |
goes down from 12107 to 7877, but what's more important is that debugging problems is easier, because it's immediately obvious which code is which