netlify / cli

Netlify Command Line Interface

Home Page:http://cli.netlify.com

Huge increase in install size

XhmikosR opened this issue · comments

https://packagephobia.now.sh/result?p=netlify-cli

v2.12.0: 79.7 MB
v2.13.0: 117 MB

Also, you guys even have husky listed in dependencies, which results in errors when installing via npm. Not sure if there are even more devDependencies listed wrongfully in dependencies.

There's definitely more devDependencies wrongfully listed in dependencies after v2.12.0.

v2.12.0...v2.13.0#diff-b9cfc7f2cdf78a7f4b91a753d10865a2R61-R134

lint-staged, mocha, chai probably too.
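One way to catch the problem described in the comments above, as an added example that is not part of the original thread or the project's code: a Node.js check that flags development tooling declared under `dependencies`. The `DEV_ONLY` list holds only the packages named in the thread and is an assumption to extend per project; `sampleManifest` and `auditManifest` are hypothetical names, and the manifest is constructed.

```javascript
// Packages the thread names as development tooling (assumed list; extend per project).
const DEV_ONLY = ['husky', 'lint-staged', 'mocha', 'chai'];

// Constructed sample manifest, not netlify-cli's real package.json.
const sampleManifest = {
  name: 'example-cli',
  version: '0.0.0',
  dependencies: {
    chalk: '^2.4.2',
    husky: '^3.0.0',
    'lint-staged': '^9.0.0',
    mocha: '^6.0.0',
  },
  devDependencies: {
    chai: '^4.2.0',
    mocha: '^6.0.0',
  },
  optionalDependencies: {},
};

// Reports what a consumer's `npm install` pulls in that it should not.
function auditManifest(manifest, devOnly = DEV_ONLY) {
  const runtime = Object.keys(manifest.dependencies || {});
  const dev = new Set(Object.keys(manifest.devDependencies || {}));
  const optional = Object.keys(manifest.optionalDependencies || {});
  const devOnlySet = new Set(devOnly);

  // Dev tooling that every consumer installs because it sits in `dependencies`.
  const misplaced = runtime.filter((name) => devOnlySet.has(name)).sort();
  // Declared in both sections: still installed for consumers via `dependencies`.
  const duplicated = runtime.filter((name) => dev.has(name)).sort();

  return {
    misplaced,
    duplicated,
    // Direct packages a consumer installs (optional ones depend on the platform).
    directInstallCount: runtime.length + optional.length,
    ok: misplaced.length === 0 && duplicated.length === 0,
  };
}

const report = auditManifest(sampleManifest);
console.log(JSON.stringify(report, null, 2));
```

Run against a real `package.json` in CI by passing the parsed file to `auditManifest` and failing the build when `ok` is false.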

As of 2.30.0 it seems to be 151.3M, the largest dependency in our project by a factor of 5. Any plans on shrinking it down?

v2.41.0 was 219MB 😛 https://packagephobia.now.sh/result?p=netlify-cli@2.41.0

TBH this is a very serious situation security-wise also. The more packages one depends on, the bigger the potential risk all people who use the netlify-cli package are put into.

See also https://npm.anvaka.com/#/view/2d/netlify-cli

We want to be minimal with dependencies and package size but compared to other issues this one is not a priority right now. We understand that this is not optimal. And since this is an open-source project, we would invite you (the community) to help us fix it. If you can create a PR to optimize dependencies or reduce package size in general, we would gladly accept it.

An increase happened again recently :/

https://packagephobia.com/result?p=netlify-cli

There are plenty of unmet dependencies, vulnerable ones etc. This issue should be higher priority for sure.

Thanks @XhmikosR, the latest bump is probably due to #1469.
Don't think that's a major concern at the moment as the binary files (which are contributing to the size increase) are optionalDependencies so you'd only get the one that matches your platform.

For vulnerable ones we have #1497 which we are currently looking into as a part of netlify/netlify-plugin-edge-handlers#97.
If you know of more can you please open specific issues for those?

I opened 2 issues regarding unmet and deprecated ones:
#1527
#1528

TBH at this point I care about the size. 231MB and counting. With so many dependencies, the chances of something going wrong are too many. It's just so many bytes wasted, it takes minutes to install on my VM. It's just not a good sign for the package.

3.4.3 | Publish Size: 575 kB | Install Size: 236 MB | Publish Date: 2021-01-26 | Publish Files: 287 | Install Files: 22761

And the size keeps increasing. With every release, more packages are added, the bigger the size and the risk something goes wrong in one of the dependencies...

Hi @XhmikosR. Can you share some more details about any limitation you're experiencing? We haven't added any new dependencies in a while, and when we do, we're very rigorous about the vetting process to ensure code quality and good security practices.

If you have any additional concerns, or you have suggestions about a specific aspect of the codebase or any dependency we're using, feel free to reopen the issue or create a new one. Until then, I'll close this one.

Thanks for your input!

Well, I can't reopen the issue myself since you closed it...

There's nothing more to add to the issue itself; netlify-cli is ~236MB, needs ~22.7K files to install, it takes a long time to do so (more than 90s on a Windows 10 machine with an NVMe disk), and poses a pretty big security risk due to the number of dependencies.

Now, you may choose to close the issue, but the gist remains the same.

In November 2023 it's 281 MB and 48,028 files