Skip to content

feat: add option to include/exclude dev deps #127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
serhalp wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: add option to include/exclude dev deps #127

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ inputs:
description: 'Detect modules which have community suggested alternatives'
required: false
default: true
include-dev-deps:
description: 'Include dev dependencies in the analysis'
required: false
default: 'true'
working-directory:
description: 'Working directory to scan for package lock file'
required: false
Expand Down
52 changes: 37 additions & 15 deletions build/main.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24033,11 +24033,23 @@ var supportedLockfiles = [
"yarn.lock",
"bun.lock"
];
function computeDependencyVersions(lockFile) {
function computeDependencyVersions(lockFile, includeDevDeps) {
const result = /* @__PURE__ */ new Map();
for (const pkg of lockFile.packages) {
if (!pkg.name || !pkg.version) continue;
addVersion(result, pkg.name, pkg.version);
if (!includeDevDeps) {
const visitorFn = (node) => {
if (!node.name || !node.version) return;
addVersion(result, node.name, node.version);
};
traverse(lockFile.root, {
dependency: visitorFn,
optionalDependency: visitorFn,
peerDependency: visitorFn
});
} else {
for (const pkg of lockFile.packages) {
if (!pkg.name || !pkg.version) continue;
addVersion(result, pkg.name, pkg.version);
}
}
return result;
}
Expand Down Expand Up @@ -24452,7 +24464,7 @@ function getLsCommand(lockfilePath, packageName) {
}
return void 0;
}
function computeParentPaths(lockfile, duplicateDependencyNames, dependencyMap) {
function computeParentPaths(lockfile, duplicateDependencyNames, dependencyMap, includeDevDeps) {
const parentPaths = /* @__PURE__ */ new Map();
const visitorFn = (node, _parent, path2) => {
if (!duplicateDependencyNames.has(node.name) || !path2) {
Expand All @@ -24471,13 +24483,13 @@ function computeParentPaths(lockfile, duplicateDependencyNames, dependencyMap) {
};
const visitor = {
dependency: visitorFn,
devDependency: visitorFn,
...includeDevDeps ? { devDependency: visitorFn } : {},
optionalDependency: visitorFn
};
traverse(lockfile.root, visitor);
return parentPaths;
}
function scanForDuplicates(messages, threshold, dependencyMap, lockfilePath, lockfile) {
function scanForDuplicates(messages, threshold, dependencyMap, lockfilePath, lockfile, includeDevDeps) {
const duplicateRows = [];
const duplicateDependencyNames = /* @__PURE__ */ new Set();
for (const [packageName, currentVersionSet] of dependencyMap) {
Expand All @@ -24491,7 +24503,8 @@ function scanForDuplicates(messages, threshold, dependencyMap, lockfilePath, loc
const parentPaths = computeParentPaths(
lockfile,
duplicateDependencyNames,
dependencyMap
dependencyMap,
includeDevDeps
);
for (const name of duplicateDependencyNames) {
const versionSet = dependencyMap.get(name);
Expand Down Expand Up @@ -24820,6 +24833,7 @@ async function run() {
const token = getInput("github-token", { required: true });
const prNumber = parseInt(getInput("pr-number", { required: true }), 10);
const detectReplacements = getBooleanInput("detect-replacements");
const includeDevDeps = getBooleanInput("include-dev-deps");
const dependencyThreshold = parseInt(
getInput("dependency-threshold") || "10",
10
Expand Down Expand Up @@ -24906,8 +24920,11 @@ async function run() {
setFailed(`Failed to parse base lockfile: ${err}`);
return;
}
const currentDeps = computeDependencyVersions(parsedCurrentLock);
const baseDeps = computeDependencyVersions(parsedBaseLock);
const currentDeps = computeDependencyVersions(
parsedCurrentLock,
includeDevDeps
);
const baseDeps = computeDependencyVersions(parsedBaseLock, includeDevDeps);
info(`Dependency threshold set to ${dependencyThreshold}`);
info(`Size threshold set to ${formatBytes(sizeThreshold)}`);
info(`Duplicate threshold set to ${duplicateThreshold}`);
Expand All @@ -24924,7 +24941,8 @@ async function run() {
duplicateThreshold,
currentDeps,
lockfilePath,
parsedCurrentLock
parsedCurrentLock,
includeDevDeps
);
await scanForDependencySize(
messages,
Expand Down Expand Up @@ -24964,15 +24982,19 @@ async function run() {
);
return;
}
const baseDependencies = getDependenciesFromPackageJson(basePackageJson, [
const depTypes = [
"optional",
"peer",
"dev",
...includeDevDeps ? ["dev"] : [],
"prod"
]);
];
const baseDependencies = getDependenciesFromPackageJson(
basePackageJson,
depTypes
);
const currentDependencies = getDependenciesFromPackageJson(
currentPackageJson,
["optional", "peer", "dev", "prod"]
depTypes
);
scanForReplacements(messages, baseDependencies, currentDependencies);
}
Expand Down
11 changes: 7 additions & 4 deletions src/checks/duplicates.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ function getLsCommand(
function computeParentPaths(
lockfile: ParsedLockFile,
duplicateDependencyNames: Set<string>,
dependencyMap: Map<string, Set<string>>
dependencyMap: Map<string, Set<string>>,
includeDevDeps: boolean
): Map<string, string[]> {
const parentPaths = new Map<string, string[]>();

Expand All @@ -43,7 +44,7 @@ function computeParentPaths(
};
const visitor = {
dependency: visitorFn,
devDependency: visitorFn,
...(includeDevDeps ? {devDependency: visitorFn} : {}),
optionalDependency: visitorFn
};

Expand All @@ -57,7 +58,8 @@ export function scanForDuplicates(
threshold: number,
dependencyMap: Map<string, Set<string>>,
lockfilePath: string,
lockfile: ParsedLockFile
lockfile: ParsedLockFile,
includeDevDeps: boolean
): void {
const duplicateRows: string[] = [];
const duplicateDependencyNames = new Set<string>();
Expand All @@ -75,7 +77,8 @@ export function scanForDuplicates(
const parentPaths = computeParentPaths(
lockfile,
duplicateDependencyNames,
dependencyMap
dependencyMap,
includeDevDeps
);

for (const name of duplicateDependencyNames) {
Expand Down
23 changes: 18 additions & 5 deletions src/lockfile.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import type {ParsedLockFile} from 'lockparse';
import {type ParsedLockFile, traverse, type VisitorFn} from 'lockparse';
import {existsSync} from 'node:fs';
import {join} from 'node:path';

Expand All @@ -12,13 +12,26 @@ export const supportedLockfiles = [
] as const;

export function computeDependencyVersions(
lockFile: ParsedLockFile
lockFile: ParsedLockFile,
includeDevDeps: boolean
Copy link
Contributor

@43081j 43081j Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if its worth just accepting excludeTypes: DependencyType[] (or whatever the type is called)

then set the right visitors based on the specified types

): VersionsSet {
const result: VersionsSet = new Map();

for (const pkg of lockFile.packages) {
if (!pkg.name || !pkg.version) continue;
addVersion(result, pkg.name, pkg.version);
if (!includeDevDeps) {
const visitorFn: VisitorFn = (node) => {
if (!node.name || !node.version) return;
addVersion(result, node.name, node.version);
};
traverse(lockFile.root, {
dependency: visitorFn,
optionalDependency: visitorFn,
peerDependency: visitorFn
});
} else {
for (const pkg of lockFile.packages) {
if (!pkg.name || !pkg.version) continue;
addVersion(result, pkg.name, pkg.version);
}
}

return result;
Expand Down
25 changes: 17 additions & 8 deletions src/main.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import {join} from 'node:path';
import {parse as parseLockfile, type ParsedLockFile} from 'lockparse';
import {detectLockfile, computeDependencyVersions} from './lockfile.js';
import {getFileFromRef, getBaseRef, tryGetJSONFromRef} from './git.js';
import {getDependenciesFromPackageJson} from './npm.js';
import {getDependenciesFromPackageJson, type DependencyType} from './npm.js';
import {getPacksFromPattern} from './packs.js';
import {scanForReplacements} from './checks/replacements.js';
import {scanForDuplicates} from './checks/duplicates.js';
Expand Down Expand Up @@ -34,6 +34,7 @@ async function run(): Promise<void> {
const token = core.getInput('github-token', {required: true});
const prNumber = parseInt(core.getInput('pr-number', {required: true}), 10);
const detectReplacements = core.getBooleanInput('detect-replacements');
const includeDevDeps = core.getBooleanInput('include-dev-deps');
const dependencyThreshold = parseInt(
core.getInput('dependency-threshold') || '10',
10
Expand Down Expand Up @@ -129,8 +130,11 @@ async function run(): Promise<void> {
return;
}

const currentDeps = computeDependencyVersions(parsedCurrentLock);
const baseDeps = computeDependencyVersions(parsedBaseLock);
const currentDeps = computeDependencyVersions(
parsedCurrentLock,
includeDevDeps
);
const baseDeps = computeDependencyVersions(parsedBaseLock, includeDevDeps);

core.info(`Dependency threshold set to ${dependencyThreshold}`);
core.info(`Size threshold set to ${formatBytes(sizeThreshold)}`);
Expand All @@ -150,7 +154,8 @@ async function run(): Promise<void> {
duplicateThreshold,
currentDeps,
lockfilePath,
parsedCurrentLock
parsedCurrentLock,
includeDevDeps
);

await scanForDependencySize(
Expand Down Expand Up @@ -198,15 +203,19 @@ async function run(): Promise<void> {
return;
}

const baseDependencies = getDependenciesFromPackageJson(basePackageJson, [
const depTypes: DependencyType[] = [
'optional',
'peer',
'dev',
...(includeDevDeps ? (['dev'] as const) : []),
'prod'
]);
];
const baseDependencies = getDependenciesFromPackageJson(
basePackageJson,
depTypes
);
const currentDependencies = getDependenciesFromPackageJson(
currentPackageJson,
['optional', 'peer', 'dev', 'prod']
depTypes
);

scanForReplacements(messages, baseDependencies, currentDependencies);
Expand Down
66 changes: 62 additions & 4 deletions test/checks/duplicates_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,8 @@ describe('scanForDuplicates', () => {
threshold,
dependencyMap,
lockfilePath,
lockfile
lockfile,
true
);

expect(messages).toHaveLength(0);
Expand Down Expand Up @@ -85,7 +86,8 @@ describe('scanForDuplicates', () => {
threshold,
dependencyMap,
lockfilePath,
lockfile
lockfile,
true
);

expect(messages).toMatchSnapshot();
Expand Down Expand Up @@ -141,12 +143,67 @@ describe('scanForDuplicates', () => {
threshold,
dependencyMap,
lockfilePath,
lockfile
lockfile,
true
);

expect(messages).toHaveLength(0);
});

it('should exclude dev dependency duplicates when includeDevDeps is false', () => {
const messages: string[] = [];
const threshold = 1;
const packageA: ParsedDependency = {
name: 'package-a',
version: '1.0.0',
dependencies: [],
devDependencies: [],
optionalDependencies: [],
peerDependencies: []
};
const packageAAlt: ParsedDependency = {
name: 'package-a',
version: '1.1.0',
dependencies: [],
devDependencies: [],
optionalDependencies: [],
peerDependencies: []
};
const dependencyMap = new Map<string, Set<string>>([
['package-a', new Set(['1.0.0', '1.1.0'])]
]);
const lockfilePath = 'package-lock.json';
const lockfile: ParsedLockFile = {
type: 'npm',
packages: [packageA, packageAAlt],
root: {
name: 'root-package',
version: '1.0.0',
dependencies: [packageA],
devDependencies: [packageAAlt],
optionalDependencies: [],
peerDependencies: []
}
};

scanForDuplicates(
messages,
threshold,
dependencyMap,
lockfilePath,
lockfile,
false
);

// With includeDevDeps=false, the devDependency path for packageAAlt should not be traversed
// The duplicate is still reported (since dependencyMap has both versions),
// but parent paths for the dev-only version won't be found
expect(messages).toHaveLength(1);
expect(messages[0]).toContain('package-a');
// The prod version should have a parent path, the dev version should not
expect(messages[0]).toContain('package-a@1.0.0');
});

it('should truncate long parent paths in the report', () => {
const messages: string[] = [];
const threshold = 1;
Expand Down Expand Up @@ -204,7 +261,8 @@ describe('scanForDuplicates', () => {
threshold,
dependencyMap,
lockfilePath,
lockfile
lockfile,
true
);

expect(messages).toMatchSnapshot();
Expand Down
Loading