Skip to content
This repository has been archived by the owner on Jan 6, 2021. It is now read-only.

remove is-windows dependency #207

Merged
merged 1 commit into from
Aug 31, 2019
Merged

remove is-windows dependency #207

merged 1 commit into from
Aug 31, 2019

Conversation

crebier-corentin
Copy link
Contributor

What: Removed "is-windows" from package.json and replace it by a one-liner function

Why: The actual function of is-windows is very and short and simple, it contains only one line (https://github.com/jonschlinkert/is-windows/blob/master/index.js#L25).

When downloading is-windows from npm, npm/yarn also downloads the LISCENCE and package.json file which are much bigger than the actual wanted code, as such it's much better to directly include the function in the code than to pull in a package.

Also more packages means more risk, here's an article talking about it :
I’m harvesting credit card numbers and passwords from your site. Here’s how.

An incident has already happened this year with the package event-stream :
Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

How: removed the dependency from package.json and added the one liner to is-windows.js, modified the tests to make it work with the new file

Checklist:

  • Documentation N/A
  • Tests
  • Ready to be merged
  • Added myself to contributors table

I had trouble making the tests work, I feel like having is-windows be a function instead of constant not ideal but it's mandatory if the tests want to mock the OS (unless there is a way to mock a constant)

@codecov
Copy link

codecov bot commented Aug 31, 2019

Codecov Report

Merging #207 into master will not change coverage.
The diff coverage is 100%.

Impacted file tree graph

@@          Coverage Diff          @@
##           master   #207   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           3      4    +1     
  Lines          68     69    +1     
  Branches       17     18    +1     
=====================================
+ Hits           68     69    +1
Impacted Files Coverage Δ
src/command.js 100% <ø> (ø) ⬆️
src/variable.js 100% <ø> (ø) ⬆️
src/is-windows.js 100% <100%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4889923...00966cb. Read the comment docs.

1 similar comment
@codecov
Copy link

codecov bot commented Aug 31, 2019

Codecov Report

Merging #207 into master will not change coverage.
The diff coverage is 100%.

Impacted file tree graph

@@          Coverage Diff          @@
##           master   #207   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           3      4    +1     
  Lines          68     69    +1     
  Branches       17     18    +1     
=====================================
+ Hits           68     69    +1
Impacted Files Coverage Δ
src/command.js 100% <ø> (ø) ⬆️
src/variable.js 100% <ø> (ø) ⬆️
src/is-windows.js 100% <100%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4889923...00966cb. Read the comment docs.

Copy link
Owner

@kentcdodds kentcdodds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems legit. Thanks!

@kentcdodds kentcdodds merged commit a75fd0e into kentcdodds:master Aug 31, 2019
@MeLlamoPablo
Copy link

Recently there has been a lot of controversy within the community with these one-liner packages which depend on each other and fill our node_modules. I just wanted to thank you both for actively try to fight this situation!

@crebier-corentin
Copy link
Contributor Author

crebier-corentin commented Sep 2, 2019

No problem, it was very easy.
I was working on one of my projects when I opened yarn.lock and discovered that cross-env was depending on is-windows, I forked the project, replaced the dependency with a one line function and submitted a PR.

Yesterday I submitted a PR to remove shebang-regex from another package which is an even bigger offender than is-windows (the regex is only 9 bytes while the packages is in total 2 828 bytes, 314 times bigger).
kevva/shebang-command#4

Hopefully with the next standard library proposal more and more of these packages will disappear and be replaced by the standard library .

@MeLlamoPablo
Copy link

Hopefully yes. The big problem is when maintainers disagree with inlining one-liners and actively fight against it (see moxystudio/node-cross-spawn#102).

In that case, the only course of action left is to fork the offending package, inline the dependencies, release it and build trust, and then convince the dependants to switch over the fork. Which is simply too much effort, so we're left in the current state.

@crebier-corentin
Copy link
Contributor Author

crebier-corentin commented Sep 2, 2019

Looks like nice-try and semver were removed.
moxystudio/node-cross-spawn#123
moxystudio/node-cross-spawn#125

But the package has not been updated on npm yet.
https://www.npmjs.com/package/cross-spawn

Soon cross-env will depend on two less sub-dependencies which is a good thing !

This was referenced Sep 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants