feat: add --production flag to skip devDependencies #238

Adds a --production boolean option to the analyze command that, when set, ignores devDependencies across all analyzers (core-js, dependency counts, and duplicate-dependency detection via BFS reachability from production roots).

Closes e18e#193

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| 📦 Package | 📋 Versions |
|---|---|
| @ast-grep/napi | 2 versions |
| @ast-grep/napi-darwin-arm64 | 2 versions |
| @ast-grep/napi-darwin-x64 | 2 versions |
| @ast-grep/napi-linux-arm64-gnu | 2 versions |
| @ast-grep/napi-linux-arm64-musl | 2 versions |
| @ast-grep/napi-linux-x64-gnu | 2 versions |
| @ast-grep/napi-linux-x64-musl | 2 versions |
| @ast-grep/napi-win32-arm64-msvc | 2 versions |
| @ast-grep/napi-win32-ia32-msvc | 2 versions |
| @ast-grep/napi-win32-x64-msvc | 2 versions |
| eslint-visitor-keys | 2 versions |
| @humanwhocodes/retry | 2 versions |
| ignore | 2 versions |
💡 To find out what depends on a specific package, run: npm ls example-package
📊 Dependency Size Changes
Warning
This PR adds 8.1 MB of new dependencies, which exceeds the threshold of 100 kB.
| 📦 Package | 📏 Size |
|---|---|
| @ast-grep/napi-linux-x64-gnu@0.43.0 | -7.8 MB |
| @ast-grep/napi-linux-x64-gnu@0.42.3 | 7.8 MB |
| @ast-grep/napi-linux-x64-gnu@0.40.5 | 7.7 MB |
| @ast-grep/napi@0.42.3 | 360.7 kB |
| @ast-grep/napi@0.43.0 | -360.7 kB |
| @ast-grep/napi@0.40.5 | 346.8 kB |
| gunshi@0.35.1 → gunshi@0.33.0 | -7.2 kB |
| @typescript-eslint/typescript-estree@8.61.0 → @typescript-eslint/typescript-estree@8.60.1 | -419 B |
| @e18e/web-features-codemods@0.2.2 → @e18e/web-features-codemods@0.2.0 | -159 B |
| semver@7.8.4 → semver@7.8.2 | -153 B |
| prettier@3.8.4 → prettier@3.8.3 | -138 B |
| eslint@10.5.0 → eslint@10.4.1 | -88 B |
| @typescript-eslint/eslint-plugin@8.61.0 → @typescript-eslint/eslint-plugin@8.60.1 | 47 B |
| @types/node@25.9.3 → @types/node@25.9.2 | -42 B |
| obug@2.1.3 → obug@2.1.2 | -24 B |
| @typescript-eslint/parser@8.61.0 → @typescript-eslint/parser@8.60.1 | 0 B |
| @typescript-eslint/project-service@8.61.0 → @typescript-eslint/project-service@8.60.1 | 0 B |
| @typescript-eslint/scope-manager@8.61.0 → @typescript-eslint/scope-manager@8.60.1 | 0 B |
| @typescript-eslint/tsconfig-utils@8.61.0 → @typescript-eslint/tsconfig-utils@8.60.1 | 0 B |
| @typescript-eslint/type-utils@8.61.0 → @typescript-eslint/type-utils@8.60.1 | 0 B |
| @typescript-eslint/types@8.61.0 → @typescript-eslint/types@8.60.1 | 0 B |
| @typescript-eslint/utils@8.61.0 → @typescript-eslint/utils@8.60.1 | 0 B |
| @typescript-eslint/visitor-keys@8.61.0 → @typescript-eslint/visitor-keys@8.60.1 | 0 B |
| module-replacements-codemods@2.0.1 → module-replacements-codemods@2.0.0 | 0 B |
| typescript-eslint@8.61.0 → typescript-eslint@8.60.1 | 0 B |
Total size change: 8.1 MB
⚠️ Package Trust Level Decreased
Caution
Decreased trust levels may indicate a higher risk of supply chain attacks. Please review these changes carefully.
| 📦 Package | 🔒 Before | 🔓 After |
|---|---|---|
| @e18e/web-features-codemods | stagedPublish | trustedPublisher |
| * Computes a map of package names to their unique versions using the lock file | ||
| * It returns just the packages with multiple versions | ||
| * @param lockfile | ||
| * @param filter when provided, only packages whose "name@version" key is in this set are considered |
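Review bot: the `@param lockfile` line in this JSDoc block has no description, while `@param filter` has one. Since the summary line says the versions are computed "using the lock file", say here what form of lock file the function expects, so a caller does not have to read the body to find out.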
this is a bit misleading, the filter matches by identity, not by name@version key like the comment says (and it contradicts the note in collectProductionReachable). worth rewording to something like "only packages present in this set (by reference) are considered"
| expect(stats).toMatchSnapshot(); | ||
| }); | ||
|
|
||
| it('should exclude dev dependency parents when production flag is set', async () => { |
these tests are alright, but they never run a real lockfile thru lockparse. that means they just validate filtering logic but would not catch a regression where lockparse stops sharing refs. it would be nice to have a fixture-based test that parses an actual lockfile with --production set, to pin the contract down.
Summary

- `--production` boolean CLI flag to the `analyze` command
- `core-js`/`core-js-pure` in devDeps
- `development: 0` for the dependency count stat
- `resolveDuplicateDependencies` and `computeParents` accordingly
- `--production` path

Closes #193

Test plan

- `npm test` — all 87 tests pass
- `--production` flag skips core-js in devDependencies
- `--production` flag zeroes out the development dependency count
- `--production` flag excludes duplicates only reachable through devDependency parents

🤖 Generated with Claude Code
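
The reachability filter discussed in this PR and its review comments, as an added JavaScript example that is not the project's code: it runs a BFS from production roots, filters duplicate detection by object identity, and shows the regression the reviewer describes when node references are not shared. The node shape, `collectReachable`, `duplicateVersions` and the package graph are assumptions constructed for illustration and do not reflect lockparse's actual output.

```javascript
// Added example. The node shape and both function names are assumptions,
// and the graph below is constructed; none of it is the project's code.
const node = (name, version, dependencies = []) => ({ name, version, dependencies });

const semver6 = node('semver', '6.3.1');
const semver7 = node('semver', '7.8.2');
const ignore5 = node('ignore', '5.3.2');
const ignore7 = node('ignore', '7.0.5');
const globby = node('globby', '14.0.0', [ignore5, semver7]); // production
const eslint = node('eslint', '10.4.1', [ignore7]); // devDependency only
const root = { dependencies: [globby, semver6], devDependencies: [eslint] };
const allPackages = [semver6, semver7, ignore5, ignore7, globby, eslint];

// BFS from the production roots. The result is a Set of node objects, so
// membership is decided by reference, not by a "name@version" string.
function collectReachable(roots) {
  const seen = new Set(roots);
  const queue = [...roots];
  for (let i = 0; i < queue.length; i++) {
    for (const dep of queue[i].dependencies) {
      if (!seen.has(dep)) {
        seen.add(dep);
        queue.push(dep);
      }
    }
  }
  return seen;
}

// Map of package name -> versions, keeping only names with several versions.
// When `filter` is given, nodes that are not in the set are skipped.
function duplicateVersions(packages, filter) {
  const versions = new Map();
  for (const pkg of packages) {
    if (filter && !filter.has(pkg)) continue;
    if (!versions.has(pkg.name)) versions.set(pkg.name, new Set());
    versions.get(pkg.name).add(pkg.version);
  }
  return new Map([...versions].filter(([, found]) => found.size > 1));
}

const prodOnly = collectReachable(root.dependencies);
const all = duplicateVersions(allPackages); // semver and ignore
const prod = duplicateVersions(allPackages, prodOnly); // semver only
// Structurally equal copies are different references: every node is filtered
// out and the real production duplicate (semver) is silently missed.
const copies = allPackages.map((pkg) => ({ ...pkg }));
const broken = duplicateVersions(copies, prodOnly); // empty
```

The empty `broken` result is why a fixture-based test matters for a security review: a production duplicate that disappears from the report looks identical to a clean dependency tree.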