@overbalance overbalance commented Sep 10, 2025

What this does

Hoists all build devDependencies to the root package.json.

  • 14 fewer packages in node_modules (1.13% reduction)
  • 878 fewer in dependency tree (11.39% reduction)
  • 304 fewer packages added by npm ci (10.44% reduction)

Key changes

Test fixes

  • Updated karma configs to load plugins from root after dependency hoisting
  • Fixed webpack process polyfill path for ESM compatibility
  • Updated expect import syntax for socket.io tests
  • Updated AWS SDK mock response Content-Length headers

Dependencies

  • All build devDependencies moved to root package.json
  • Removed unused jQuery dependencies

Configuration

  • Converted root .mocharc.yml to .mocharc.json
  • Fixed axios import syntax in express example (namespace import → default import)

Package-specific changes

@opentelemetry/instrumentation-socket.io

  • Changed import * as expect to import expect (expect v29 uses default export)

@opentelemetry/instrumentation-dns

@opentelemetry/instrumentation-aws-sdk

  • Updated Bedrock mock response Content-Length headers

Browser packages (propagator-aws-xray, propagator-instana, instrumentation-user-interaction, instrumentation-long-task)

  • Updated karma.conf.js to load plugins from root package.json

@overbalance overbalance force-pushed the overbalance/hoist-all-shared-deps branch 3 times, most recently from 99cc06d to 324495b Compare October 21, 2025 20:36
@overbalance overbalance force-pushed the overbalance/hoist-all-shared-deps branch 2 times, most recently from 469663e to 9cb3aef Compare October 29, 2025 15:24
trentm pushed a commit that referenced this pull request Oct 29, 2025
... because we are seeing hangs in `npm ci` on #3032.
@overbalance overbalance force-pushed the overbalance/hoist-all-shared-deps branch 4 times, most recently from 6fce51c to 6e7f06f Compare October 30, 2025 05:12
@overbalance
Contributor Author

@trentm I repaired the lockfile and this is finally 🟢. Thanks for your help.

@trentm trentm left a comment

Just a couple smaller Qs left.

@overbalance overbalance requested a review from trentm November 3, 2025 02:11
@overbalance overbalance force-pushed the overbalance/hoist-all-shared-deps branch 2 times, most recently from 79da445 to 57d2922 Compare November 4, 2025 16:28
trentm commented Nov 5, 2025

Unhelpful npm rant

I want to try to care about reviewing package-lock changes, but ... npm, I don't even. This latest update:

  1. Updates a bunch of other packages, because the only reasonable way I know of (and probably what you did) was to completely regenerate the package-lock file by deleting it and re-running npm install.
  2. Loses all the 'integrity' and 'resolved' fields, e.g.:
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
-      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
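
Review bot: these two removed lines for uuid-9.0.1 should be restored before merge. Without `integrity` the lock file no longer holds the sha512 value that npm checks the downloaded tarball against, and without `resolved` it no longer records the URL the tarball was pinned to, so the entry stops identifying the exact artifact that was locked. The clean regeneration steps quoted later in this thread (remove package-lock.json and node_modules, then npm i) are the place to start.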

So basically those fields are just useless noise from npm in lock files. What a waste. The package-lock.json tooling design is ...poor.

Contributor

This has the "package-lock has lost all the platform-specific optionalDependencies except the one platform" problem again, described at https://cloud-native.slack.com/archives/C08T7MZTV8W/p1761781178575799?thread_ts=1761762353.429559&cid=C08T7MZTV8W

You'll need to manually re-add them, or do some voodoo process under a full moon something like the following to correctly re-gen the lock file:

rm package-lock.json
rm -rf node_modules
npm i

Contributor

Unfortunately in the latest update a number of deps in package-lock.json were incorrectly marked with "peer": true due to a bug in npm.

For example, here is a subset of them (this is partial output of running https://github.com/trentm/npm-tools/blob/main/bin/package-lock-diff):

- node_modules/react: 17.0.2 (dev)
+ node_modules/react: 17.0.2 (dev, peer)
- node_modules/reflect-metadata: 0.2.2 (dev)
+ node_modules/reflect-metadata: 0.2.2 (dev, peer)
- node_modules/rollup: 4.52.5 (dev)
+ node_modules/rollup: 4.52.5 (dev, peer)
- node_modules/rxjs: 7.8.2 (dev)
+ node_modules/rxjs: 7.8.2 (dev, peer)
- node_modules/schema-utils/node_modules/ajv: 8.17.1 (dev)
+ node_modules/schema-utils/node_modules/ajv: 8.17.1 (dev, peer)
- node_modules/ts-node: 10.9.2 (dev)
+ node_modules/ts-node: 10.9.2 (dev, peer)
- node_modules/typescript: 5.0.4 (dev)
+ node_modules/typescript: 5.0.4 (dev, peer)
- node_modules/webpack: 5.102.0 (dev)
+ node_modules/webpack: 5.102.0 (dev, peer)
- node_modules/webpack-cli: 6.0.1 (dev)
+ node_modules/webpack-cli: 6.0.1 (dev, peer)

My guess is that you regenerated the package-lock file using npm@11.6.1 or npm@11.6.2 -- both of which are broken. The expectation is that this will be fixed by npm/cli#8645 which should be in the npm 11.6.3 release.

For now, please regenerate the lock file using npm 11.6.0 or earlier.
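
The three lock-file regressions raised in the review comments above (dropped `resolved`/`integrity` fields, lost platform-specific optionalDependencies, and spurious `"peer": true` flags) can be caught mechanically before merge. This is an added example, not code from the PR or from the package-lock-diff tool linked above; the function names, the `@example/*` packages and the placeholder hashes are assumptions made for illustration.

```javascript
// Added example. Compares two parsed package-lock.json objects (lockfileVersion 2/3,
// where entries live under "packages") and lists what a regeneration silently changed.
function auditLockfileChange(before, after) {
  const oldPkgs = before.packages || {};
  const newPkgs = after.packages || {};
  const report = { lostIntegrity: [], lostResolved: [], newlyPeer: [], droppedPlatformPkgs: [] };
  for (const [path, oldEntry] of Object.entries(oldPkgs)) {
    const newEntry = newPkgs[path];
    if (!newEntry) {
      // Platform-specific optional packages are marked "optional" and carry "os"/"cpu".
      if (oldEntry.optional && (oldEntry.os || oldEntry.cpu)) report.droppedPlatformPkgs.push(path);
      continue;
    }
    if (oldEntry.integrity && !newEntry.integrity) report.lostIntegrity.push(path);
    if (oldEntry.resolved && !newEntry.resolved) report.lostResolved.push(path);
    // A "peer" flag that appears with no version change matches the listing above.
    if (!oldEntry.peer && newEntry.peer && oldEntry.version === newEntry.version) {
      report.newlyPeer.push(path);
    }
  }
  return report;
}

// True when the regenerated lock file should be rejected in review or CI.
function hasRegressions(report) {
  return Object.values(report).some((paths) => paths.length > 0);
}

// Constructed sample data (hashes are placeholders; @example/* packages are hypothetical).
const pin = (name, version) => ({
  version,
  resolved: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`,
  integrity: "sha512-PLACEHOLDER",
});
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  "node_modules/uuid": pin("uuid", "9.0.1"),
  "node_modules/typescript": { ...pin("typescript", "5.0.4"), dev: true },
  "node_modules/@example/native-linux-x64": { version: "1.0.0", optional: true, os: ["linux"], cpu: ["x64"] },
  "node_modules/@example/native-darwin-arm64": { version: "1.0.0", optional: true, os: ["darwin"], cpu: ["arm64"] },
} };
const SAMPLE_AFTER = { lockfileVersion: 3, packages: {
  "node_modules/uuid": { version: "9.0.1" },
  "node_modules/typescript": { ...pin("typescript", "5.0.4"), dev: true, peer: true },
  "node_modules/@example/native-linux-x64": { version: "1.0.0", optional: true, os: ["linux"], cpu: ["x64"] },
} };

console.log(JSON.stringify(auditLockfileChange(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

In CI the two inputs would be the base branch's and the PR's package-lock.json, each passed through `JSON.parse`.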

@overbalance overbalance force-pushed the overbalance/hoist-all-shared-deps branch 2 times, most recently from 48f82c1 to bec6114 Compare November 5, 2025 18:02
@overbalance overbalance requested a review from trentm November 5, 2025 20:27