tl;dr:
Is there a way to configure webpack (out-of-the-box or via some plugin?) to flag/raise a warning if the code getting bundled (for a production bundle) requires / imports any dev dependencies (either directly via devDependencies, or indirectly via dev: true in package-lock.json)?
Context
We are configuring dependabot to only scan packages declared in dependencies (this is achievable by using dependabot's allow config option).
However, in order for this to be a reliable security process (as we are relying on dependabot's security vulnerability scanning), we need to have an automated process that ensures packages are correctly placed either in dependencies or devDependencies. One way to do this would be to have webpack emit a warning if any bundled code includes a devDependency.
Some further potentially relevant info:
This is for a monorepo managed by nx with
- a single package.json at the root
- two apps (apps/frontend and apps/backend)
- a few shared libraries (in libs/*)
CodePudding user response:
No. There is no Webpack plugin that can do this for you. There are some other dependency graph traversal modules/CLI tools that can generate these stats. depcheck is one such module that I often use.
It can tell you about unused and missing modules, but not exactly what you seek. In general, it is hard to find that out. It may happen that what you declared as a devDependency may also be an actual dependency for some transitive package. Also, mandatory peer dependencies are declared as dev dependencies, which further complicates things. Finally, you may also have scripts which are meant only for development purposes, and in those scripts you may also import those dev dependencies.