maorleger commented on issue #55: URL: https://github.com/apache/arrow-js/issues/55#issuecomment-4623884557
Hi folks - I was hoping to bump this issue.

Several of the dependencies introduced here appear to be used only for development, build, or testing workflows, but are currently included as runtime dependencies. Moving those packages to `devDependencies` would reduce the install footprint for downstream consumers and shrink the runtime supply-chain surface area. I know the CLI portion complicates this a bit, but I think it's worth investing in.

This is particularly relevant today given the increasing frequency of npm ecosystem supply-chain incidents. Even when a dependency is well-maintained, every unnecessary runtime dependency adds additional security review, update, and vulnerability management burden for consumers.

Keeping the production dependency graph as small as possible provides benefits beyond package size:

* Reduced supply-chain risk exposure
* Faster installs
* Fewer transitive vulnerability alerts
* Clearer separation between runtime and development requirements

It would be great to revisit these dependencies and determine which can safely be moved to `devDependencies`. You mentioned accepting contributions - what would you like to see as an acceptable outcome? I am less concerned with `@types` packages, but I wonder how easy it might be to remove `command-line-args`, `command-line-usage`, and `@swc/helpers`, and can help contribute given a little bit of context or agreement on the end-state.

Thanks for your consideration!

Related: https://github.com/apache/arrow/pull/44517, https://github.com/apache/arrow-js/issues/52
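One way to make the "which of these is really a runtime dependency?" question mechanical, as an added example that is not arrow-js project code or part of the comment above: scan the modules that actually ship to consumers for import/require specifiers, and diff that set against `dependencies` in package.json. The package.json and source snippets below are constructed for illustration, not taken from the arrow-js repository.

```javascript
// Added example (not arrow-js code): flag entries under "dependencies" that the
// shipped code never imports, so they are candidates for "devDependencies".
// All package names, versions and sources below are constructed samples.

// Map an import specifier to its package name ("@scope/pkg/sub" -> "@scope/pkg").
// Relative paths, absolute paths and node: builtins are not packages.
function packageNameOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect package names from `import x from 'p'`, `import 'p'`, `import('p')`
// and `require('p')` in one source file's text.
function importedPackages(sourceText) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;
  const found = new Set();
  let m;
  while ((m = re.exec(sourceText)) !== null) {
    const name = packageNameOf(m[1]);
    if (name) found.add(name);
  }
  return found;
}

// Split "dependencies" into those referenced by shipped code (keep) and those
// that only build/test/CLI-only code could be using (moveToDev).
function classifyDependencies(pkg, shippedSources) {
  const used = new Set();
  for (const src of shippedSources) for (const n of importedPackages(src)) used.add(n);
  const keep = [], moveToDev = [];
  for (const dep of Object.keys(pkg.dependencies || {})) {
    (used.has(dep) ? keep : moveToDev).push(dep);
  }
  return { keep, moveToDev };
}

// Constructed sample package.json and the two modules that reach consumers.
const samplePkg = {
  dependencies: {
    '@swc/helpers': '^0.5.0', 'command-line-args': '^5.0.0',
    'command-line-usage': '^6.0.0', 'flatbuffers': '^24.0.0', 'tslib': '^2.0.0',
  },
};
const sampleShippedSources = [
  "import { ByteBuffer } from 'flatbuffers';\nimport { __awaiter } from 'tslib';",
  "import { Table } from './table.js';",
];
console.log(classifyDependencies(samplePkg, sampleShippedSources));
```

Run it against the published build output rather than the TypeScript sources: a transpiler configured to use external helpers (swc with `externalHelpers`, for example) injects `@swc/helpers` imports that never appear in the hand-written code, which is exactly the case where a scan of sources would wrongly report a helper package as unused.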
