Describe the issue
Updating dependencies is necessary for patching vulnerabilities quickly, but...
Updating dependencies manually is a big effort because it means navigating to a dozen directories (root, api, sentinel, webapp, admin, and all shared-libs) and doing an npm install. It's inevitable that we get inconsistencies with some dependencies being updated and some not.
Automatic updating through Dependabot isn't working well because it does one directory at a time, so you get a dozen PRs every time lodash updates.
Node services are packaged very crudely by just including all shared libs rather than just those that are needed for that service. This is not a big deal because if the code doesn't run then it shouldn't be exploitable, and it doesn't contribute much to image size.
Finally, this continues to get worse as we add more and more shared libs.
Describe the improvement you'd like
The way monorepos should work is all common dependencies (and maybe all dependencies) are defined at the root level. This works fine for bundled apps (admin and webapp) because the bundler pulls in only needed code. But we don't have a good solution for node services. This should be solvable by npm pack with bundledDependencies.
Describe alternatives you've considered
Bundling service code (e.g. TS), but that adds another step to the dev build that I'd rather avoid.
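Added example (not code from this issue or its repository): the packaging idea above, where each service lists in `bundledDependencies` only the shared libs it actually needs, still requires someone to work out that list, and doing it by hand is the same inconsistency problem in a new place. The script below computes the transitive closure of workspace packages reachable from a service's dependencies and writes it into that service's package.json as `bundledDependencies`, so `npm pack` in the service directory bundles exactly those libs. Registry dependencies (lodash, jsonwebtoken) are left out on purpose: they stay hoisted at the root and are installed from the root lockfile. The workspace, package names and dependency graph are constructed here for illustration and are assumptions, not taken from the issue.

```javascript
'use strict';

// Constructed workspace (assumption, not the project's real layout): name -> package.json.
// Two services depend on different subsets of the shared libs; lib-unused is needed by nobody.
const workspace = {
  '@acme/api':        { name: '@acme/api',        dependencies: { '@acme/lib-auth': '*', lodash: '^4.17.21' } },
  '@acme/sentinel':   { name: '@acme/sentinel',   dependencies: { '@acme/lib-queue': '*' } },
  '@acme/lib-auth':   { name: '@acme/lib-auth',   dependencies: { '@acme/lib-common': '*', jsonwebtoken: '^9.0.0' } },
  '@acme/lib-queue':  { name: '@acme/lib-queue',  dependencies: { '@acme/lib-common': '*' } },
  '@acme/lib-common': { name: '@acme/lib-common', dependencies: {} },
  '@acme/lib-unused': { name: '@acme/lib-unused', dependencies: { '@acme/lib-common': '*' } },
};

// Sorted transitive set of workspace packages reachable from serviceName's dependencies,
// excluding the service itself. Names not present in the workspace are registry packages
// and are skipped: they are installed from the root lockfile rather than bundled.
function workspaceClosure(serviceName, pkgs) {
  const seen = new Set();
  const stack = [serviceName];
  while (stack.length) {
    const pkg = pkgs[stack.pop()];
    if (!pkg) continue; // registry dependency, not a workspace package
    for (const dep of Object.keys(pkg.dependencies || {})) {
      if (pkgs[dep] && !seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  seen.delete(serviceName); // guard against a dependency cycle back to the service
  return [...seen].sort();
}

// The service's package.json with bundledDependencies set to exactly its closure.
// Writing this file before `npm pack` is what limits the tarball to the libs in use.
function withBundledDependencies(serviceName, pkgs) {
  const pkg = pkgs[serviceName];
  if (!pkg) throw new Error(`unknown workspace package: ${serviceName}`);
  return { ...pkg, bundledDependencies: workspaceClosure(serviceName, pkgs) };
}

// Stand-alone usage: print the package.json each service would be packed with.
for (const svc of ['@acme/api', '@acme/sentinel']) {
  console.log(JSON.stringify(withBundledDependencies(svc, workspace), null, 2));
}
```

One caveat to check before relying on this: npm bundles what it finds in the package's own tree at pack time, so with a hoisted workspace install confirm for your npm version that `npm pack` run in the service directory picks up the workspace libs rather than producing a tarball without them.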