moleculerjs/moleculer

Reduce dependencies

Open

#433 opened on Dec 9, 2018

Labels: Module: Core, Type: Enhancement, help wanted

Description

Due to the recent event-stream vulnerability issue, I'm thinking of reducing the NPM dependencies used in the Moleculer core. This is the current dependency tree (29 modules):

`-- moleculer@0.13.4
  +-- args@5.0.0
  | +-- camelcase@5.0.0
  | +-- chalk@2.4.1 deduped
  | +-- leven@2.1.0
  | `-- mri@1.1.1
  +-- bluebird@3.5.2
  +-- chalk@2.4.1
  | +-- ansi-styles@3.2.1
  | | `-- color-convert@1.9.3
  | |   `-- color-name@1.1.3
  | +-- escape-string-regexp@1.0.5
  | `-- supports-color@5.5.0
  |   `-- has-flag@3.0.0
  +-- es6-error@4.1.1
  +-- eventemitter2@5.0.1
  +-- fastest-validator@0.6.12
  +-- glob@7.1.3
  | +-- fs.realpath@1.0.0
  | +-- inflight@1.0.6
  | | +-- once@1.4.0 deduped
  | | `-- wrappy@1.0.2
  | +-- inherits@2.0.3
  | +-- minimatch@3.0.4
  | | `-- brace-expansion@1.1.11
  | |   +-- balanced-match@1.0.0
  | |   `-- concat-map@0.0.1
  | +-- once@1.4.0
  | | `-- wrappy@1.0.2 deduped
  | `-- path-is-absolute@1.0.1
  +-- ipaddr.js@1.8.1
  `-- lodash@4.17.11

There are 3 libs which have too many dependencies:

  1. args (4 other deps): It is used in Moleculer Runner to parse arguments.
  2. chalk (6 other deps): It is used to color some log messages.
  3. glob (12(!) other deps): It is used in Moleculer Runner & ServiceBroker to load services from folders.
  4. vorpal: It's a dev dependency, but it is not maintained & contains some vulnerabilities.

Possible alternatives:

It is important to keep the current functionality, so the changes don't cause breaking changes!

args

chalk

glob

vorpal

  • ?
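
Added example (not part of the original issue and not Moleculer code): one way to measure the transitive fan-out of each direct dependency from `npm ls` output in the ASCII format shown above, so the counts quoted in the issue can be re-checked after a dependency is swapped. The function names `parseNpmLs` and `fanOut` are hypothetical, and the sample input is an excerpt of the tree from the issue.

```javascript
// Added example, not Moleculer code. Excerpt of the `npm ls` tree from the issue.
const SAMPLE = [
  '`-- moleculer@0.13.4',
  '  +-- args@5.0.0',
  '  | +-- camelcase@5.0.0',
  '  | +-- chalk@2.4.1 deduped',
  '  | +-- leven@2.1.0',
  '  | `-- mri@1.1.1',
  '  +-- chalk@2.4.1',
  '  | +-- ansi-styles@3.2.1',
  '  | | `-- color-convert@1.9.3',
  '  | |   `-- color-name@1.1.3',
  '  | +-- escape-string-regexp@1.0.5',
  '  | `-- supports-color@5.5.0',
  '  |   `-- has-flag@3.0.0',
  '  `-- lodash@4.17.11',
].join('\n');

// Parse each tree line into { name, version, depth, deduped }.
function parseNpmLs(text) {
  const nodes = [];
  for (const line of text.split(/\r?\n/)) {
    // The tree marker is "+-- " or "`-- "; its column divided by 2 is the depth.
    const m = /^([ |]*)[+`]-- (@?[^@\s]+)@(\S+)( deduped)?\s*$/.exec(line);
    if (!m) continue; // skip blank lines and anything that is not a tree entry
    nodes.push({ name: m[2], version: m[3], depth: m[1].length / 2, deduped: Boolean(m[4]) });
  }
  return nodes;
}

// For each direct dependency, count the entries npm lists beneath it
// (deduped entries included, which matches the counts given in the issue).
function fanOut(nodes) {
  const perDirect = {};
  const unique = new Set();
  let current = null;
  for (const n of nodes) {
    unique.add(`${n.name}@${n.version}`); // the root package is counted too
    if (n.depth === 1) { current = n.name; perDirect[current] = 0; }
    else if (n.depth > 1 && current) perDirect[current] += 1;
  }
  return { perDirect, uniquePackages: unique.size };
}

const report = fanOut(parseNpmLs(SAMPLE));
console.log(report);
```

Run against the full tree, the same functions give the per-library counts and the module total stated in the issue, which makes them usable as a regression check in CI when a dependency is replaced.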
