Skip to content

fix(deps)!: add missing peerDependencies entries #630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps)!: add missing peerDependencies entries #630

wants to merge 1 commit into from

Conversation

boneskull
Copy link

BREAKING CHANGE: Adds missing peerDependencies.

This adds peerDependencies entries for @swc/core and esbuild at the same versions specified in devDependencies.

Per the npm documentation, the contents of peerDependenciesMeta will be ignored unless those packages also appear in the peerDependencies field. For a development environment, these two optional packages will be installed anyway due to their appearance in devDependencies.

This PR contains a:

  • bugfix
  • new feature
  • code refactor
  • test update
  • typo fix
  • metadata update

Motivation / Use-Case

I would have expected optional peer dependencies to be installed when I wanted them to be installed

Breaking Changes

This is a breaking change for users of npm prior to v7.0.0. Prior to v7.0.0, peer dependencies are not automatically installed by default and the peerDependenciesMeta field is unrecognized.

Additional Info

Note that:

  • Node.js v10.13.0 (the lowest Node.js version supported by this package) thru Node.js v14.x install npm v6.x by default
  • npm v7.0.0 was released in 2020

I would suggest adding npm v7.0.0 to engines (or ideally dropping support for Node.js v10.x and 12.x), but it's a breaking change either way.

@boneskull
fix(deps)!: add missing peerDependencies entries
b67a22d 
BREAKING CHANGE: Adds missing `peerDependencies`.

This adds `peerDependencies` entries for `@swc/core` and `esbuild` at the same versions specified in `devDependencies`.

Per the [npm documentation](https://docs.npmjs.com/cli/v9/configuring-npm/package-json\#peerdependenciesmeta), the contents of `peerDependenciesMeta` will be ignored unless those packages also appear in the `peerDependencies` field.  For a development environment, these two optional packages will be installed _anyway_ due to their appearance in `devDependencies`.
@boneskull boneskull force-pushed the boneskull/peer-dependencies branch from 60a7a62 to b67a22d Compare May 16, 2025 23:41
@alexander-akait
Copy link
Member

We already have it -

terser-webpack-plugin/package.json

Line 52 in b67a22d

"peerDependenciesMeta": {

@alexander-akait
Copy link
Member

For a development environment, these two optional packages will be installed anyway due to their appearance in devDependencies.

No

@boneskull
Copy link
Author

boneskull commented May 21, 2025
edited
Loading

For a development environment, these two optional packages will be installed anyway due to their appearance in devDependencies.

No

...what?

  • The packages need to be listed in peerDependencies or they will not be installed automatically by npm@v7+.
  • npm@v6 ignores this field entirely; thus peerDependenciesMeta is useless on its own.
  • If omitted from peerDependenciesMeta, then the dependencies should be listed in optionalDependencies instead.
  • npm install in a fresh working copy of this repo will automatically install @swc/core and esbuild, due to their presence in devDependencies.

@alexander-akait
Copy link
Member

Sorry, no, we don't want to install extra dependencies and increase size of a package, also esbuild and @swc/core install binaries for a specific platform which can be a problem at some CI/servers

The packages need to be listed in peerDependencies or they will not be installed automatically by npm@v7+.
If omitted from peerDependenciesMeta, then the dependencies should be listed in optionalDependencies instead.
npm install in a fresh working copy of this repo will automatically install @swc/core and esbuild, due to their presence in devDependencies.

That's why they are listed in peerDependenciesMeta

npm@v6 ignores this field entirely; thus peerDependenciesMeta is useless on its own.

Don't use outdated npm

@boneskull
Copy link
Author

boneskull commented May 22, 2025
edited
Loading

@alexander-akait I mentioned npm v6 because this package purports to support Node.js v10.13.0 or newer. Node.js v10.x, v12.x, and v14.x all ship with [email protected]. If npm v6 isn't supported, it should probably be mentioned in the engines field.

But the above is moot because peerDependenciesMeta w/o corresponding entries in peerDependencies is useless on any version of npm.

I tested my change with npm v10.9.2 and npm v6.14.16; packages listed in peerDependenciesMeta with optional: true and corresponding entries in peerDependencies do not cause npm to automatically install the dependencies upon npm install—meaning that it would not impact consumers' CI nor the "weight" of this package.

Before dismissing this change, I encourage you to pull this PR and test it like so:

# this will give you a tarball as would be installed from the registry and ensures
# behavior isn't influenced by dev dependencies
npm pack # (note the path to the tarball)
mkdir -p /tmp/pr630
cd /tmp/pr630
npm install /path/to/terser-webpack-plugin-5.3.14.tgz
npm ls esbuild
npm ls @swc/core
npm ls uglify-js

You should see they are not installed. But terser-webpack-plugin's package.json is now valid. 😄

Note that webpack will be installed automatically in the newer npm, but npm v6 will print a warning.

@alexander-akait
Copy link
Member

@alexander-akait I mentioned npm v6 because this package purports to support Node.js v10.13.0 or newer. Node.js v10.x, v12.x, and v14.x all ship with [email protected]. If npm v6 isn't supported, it should probably be mentioned in the engines field.

We have it only for compatibility with old version, not more, we don't want to make something more than just have it for CI purposes

I tested my change with npm v10.9.2 and npm v6.14.16; packages listed in peerDependenciesMeta with optional: true and corresponding entries in peerDependencies do not cause npm to automatically install the dependencies upon npm install—meaning that it would not impact consumers' CI nor the "weight" of this package.

This is because you test it using v10 there a lot of bugs with peer dependencies were fixed, there are other package managers and old versions of npm/yarn/pnpm where it doesn't work as you describe, your change is a breaking change and we don't want to change it

@boneskull
Copy link
Author

Sorry to make more demands on your time, but ...

Can you please provide a reproducible example of how this would break consumers? For example, a specific version of a specific package manager where this PR introduces a breaking change.

I'm not saying you're wrong, but I've tried with other versions of other package managers and have not been able to reproduce a situation in which these peer dependencies get installed by default.

@alexander-akait
Copy link
Member

@boneskull to be honest I don't remember because it was a long time ago, your pr does everything correctly and the logic is correct, most likely it was fixed in npm in some patch versions, but I would prefer to leave it until the next major release

@boneskull
Copy link
Author

@alexander-akait Thanks. That's fine. I agree that there was weird behavior in the past, but I think maybe those days have passed.

How would we get this into the next major? Leave unmerged until ready?

@alexander-akait
Copy link
Member

@boneskull just leave it, I will rebase and merge for the next major release

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@boneskull @alexander-akait