build does not remove dev deps
Unanswered
aabeborn posted this in #help-forum
aabebornOP
Hi, trying to use next 14.2.3 in production, but CI complains (snyk) about vulnerabilities due to some dev dependencies we have in the project after build in standalone mode.
Seems that next is not removing dev deps inside the .pnpm folder anymore.
Is it a bug or something expected? (using pnpm 9.0.2)
9 Replies
next doesn’t touch the node_modules folder. If your node_modules has the dependency, it will continue to be there after build, regardless of whether next uses it or not
aabebornOP
I have found what is happening and it is totally a bug
aabebornOP
Even in the simplest setup, adding storybook (all dev deps) to the project results in having esbuild deps inside the ./next/standalone/node_modules/.pnpm folder.
Here you see the first dep is esbuild, which is not a next dependency (the project is clean without any code).
Nextjs doesn't care about whether a dependency is a devDependency or a regular dependency.
When you run pnpm install, the entire dependency tree is installed. What you see here is the list of the dependency tree, inclusive of both deps and devDeps.
This is completely normal and expected. Not even related to next, this is just related to how the package manager manages the dependencies.
aabebornOP
Ok, so based on this, what's the aim of the node_modules in the .next folder? Because if I need to manually fix them, why is that folder there? Can't it directly use the project one? Also I don't see the eslint dep or a lot of other dev deps (in another project). I'm kind of confused.
I suppose nextjs just directly copies the project node_modules into the .next’s node_modules so that the .next folder is self contained and can be moved anywhere for deployment.
Nextjs doesn't mutate the node_modules folder because, well, that's not how frameworks are supposed to handle node_modules. Except for patching libraries, node_modules should be kept intact and read-only. Not to mention different package managers have different approaches to organise things inside the node_modules; nextjs can't just mutate it freely and expect that to work across all package managers.
aabebornOP
Well, it's ok. I think the only thing that is not clear to me is why, for example, eslint deps are not there. For example, in https://codesandbox.io/p/sandbox/competent-shirley-zg6rwr you can see that the main node_modules is different from the standalone one.
Hmm interesting. Now it does look like a bug to me, it should be either you strip all unused dependencies or you don’t strip any at all. Something in between like this does look like a bug