minor #2221 [Swup] For Swup's dev dependencies exclusion from our yarn.lock (Kocal)
This PR was merged into the 2.x branch.
Discussion
----------
[Swup] For Swup's dev dependencies exclusion from our yarn.lock
| Q | A
| ------------- | ---
| Bug fix? | yes/no
| New feature? | yes/no
| Issues | Fix #...
| License | MIT
While working on #2219, I've noticed we had a very old Rollup version that we do not use at all.
The issue comes from Swup v3, which ships its **building** dependencies as **prod** dependencies, which means we install `microbundle` and all its dependencies:
```
microbundle@^0.15.1:
  version "0.15.1"
  resolved "https://registry.npmjs.org/microbundle/-/microbundle-0.15.1.tgz"
  integrity sha512-aAF+nwFbkSIJGfrJk+HyzmJOq3KFaimH6OIFBU6J2DPjQeg1jXIYlIyEv81Gyisb9moUkudn+wj7zLNYMOv75Q==
  dependencies:
    "@babel/core" "^7.12.10"
    "@babel/plugin-proposal-class-properties" "7.12.1"
    "@babel/plugin-syntax-import-meta" "^7.10.4"
    "@babel/plugin-syntax-jsx" "^7.12.1"
    "@babel/plugin-transform-flow-strip-types" "^7.12.10"
    "@babel/plugin-transform-react-jsx" "^7.12.11"
    "@babel/plugin-transform-regenerator" "^7.12.1"
    "@babel/preset-env" "^7.12.11"
    "@babel/preset-flow" "^7.12.1"
    "@babel/preset-react" "^7.12.10"
    "@rollup/plugin-alias" "^3.1.1"
    "@rollup/plugin-babel" "^5.2.2"
    "@rollup/plugin-commonjs" "^17.0.0"
    "@rollup/plugin-json" "^4.1.0"
    "@rollup/plugin-node-resolve" "^11.0.1"
    "@surma/rollup-plugin-off-main-thread" "^2.2.2"
    asyncro "^3.0.0"
    autoprefixer "^10.1.0"
    babel-plugin-macros "^3.0.1"
    babel-plugin-transform-async-to-promises "^0.8.18"
    babel-plugin-transform-replace-expressions "^0.2.0"
    brotli-size "^4.0.0"
    builtin-modules "^3.1.0"
    camelcase "^6.2.0"
    escape-string-regexp "^4.0.0"
    filesize "^6.1.0"
    gzip-size "^6.0.0"
    kleur "^4.1.3"
    lodash.merge "^4.6.2"
    postcss "^8.2.1"
    pretty-bytes "^5.4.1"
    rollup "^2.35.1"
    rollup-plugin-bundle-size "^1.0.3"
    rollup-plugin-postcss "^4.0.0"
    rollup-plugin-terser "^7.0.2"
    rollup-plugin-typescript2 "^0.32.0"
    rollup-plugin-visualizer "^5.6.0"
    sade "^1.7.4"
    terser "^5.7.0"
    tiny-glob "^0.2.8"
    tslib "^2.0.3"
    typescript "^4.1.3"
```
This PR won't impact developers; it's only for our `yarn.lock`, which contains a bunch of useless dependencies, and some of them are vulnerable too (listed on https://github.com/symfony/ux/security/dependabot).
Commits
-------
ae52ae5 [Swup] For Swup's dev dependencies exclusion from our yarn.lock
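
The description above traces the unused Rollup back to Swup v3 listing `microbundle` among its production dependencies. As an added example (not part of this PR or of the Symfony UX code base), the following Node.js script reads a yarn.lock v1 file and reports the chain of packages that pulls a given name in, which is how a flagged transitive package can be traced to the dependency responsible. The function names, the `swup@^3.0.0` range and the resolved versions in the sample lockfile are assumptions; only the package names and the `microbundle` and `rollup` ranges come from the excerpt above.

```javascript
const SAMPLE_LOCK = `
swup@^3.0.0:
  version "3.0.0"
  dependencies:
    microbundle "^0.15.1"
microbundle@^0.15.1:
  version "0.15.1"
  dependencies:
    rollup "^2.35.1"
rollup@^2.35.1:
  version "2.35.1"
`; // constructed sample in yarn.lock v1 layout; resolved versions are made up

function parseYarnLock(text) {
  const entries = new Map(); // "name@range" -> { name, deps: ["name@range", ...] }
  let entry = null, section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { // header: comma-separated "name@range" keys ending in ":"
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      entry = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), deps: [] };
      keys.forEach((k) => entries.set(k, entry));
      section = null;
    } else if (indent === 2) { // field of the current entry, e.g. "dependencies:"
      section = line.endsWith(":") ? line.slice(0, -1) : null;
    } else if (entry && section === "dependencies") {
      const m = line.match(/^"?([^"\s]+)"? "(.+)"$/); // name (maybe quoted) + range
      if (m) entry.deps.push(`${m[1]}@${m[2]}`);
    }
  }
  return entries;
}

// Chains of package names from a root (an entry nothing depends on) down to `target`.
function whyInstalled(entries, target) {
  const all = [...new Set(entries.values())];
  const parentsOf = (e) => all.filter((p) => p.deps.some((k) => entries.get(k) === e));
  const chains = [];
  const walk = (e, chain) => {
    if (chain.includes(e.name)) return; // cycle guard
    const ups = parentsOf(e);
    if (ups.length === 0) chains.push([e.name, ...chain]);
    ups.forEach((p) => walk(p, [e.name, ...chain]));
  };
  all.filter((e) => e.name === target).forEach((e) => walk(e, []));
  return chains;
}
```

On the sample, `whyInstalled(parseYarnLock(SAMPLE_LOCK), "rollup")` returns the single chain `swup`, `microbundle`, `rollup`. Keys whose version range itself contains a comma are not handled by this reader.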