open-pioneer · mbeckem · Dec 1, 2023 · Dec 1, 2023
diff --git a/.changeset/khaki-moons-sniff.md b/.changeset/khaki-moons-sniff.md
@@ -0,0 +1,11 @@
+---
+"@open-pioneer/vite-plugin-pioneer": major
+---
+
+**Breaking Change:** A trails package's `devDependencies` are no longer included in the build (fixes #43).
+For normal dependencies, service classes are automatically picked up and compiled into the application.
+
+This behavior is surprising for `devDependencies`: license scanners and cve scanner sometimes chose to exclude
+`devDependencies`; which would have been invalid prior to this change (as the code was compiled in anyway).
+
+If your package depends on another trails package at runtime, configure an entry in `peerDependencies` instead.
diff --git a/packages/vite-plugin/src/codegenPlugin.test.ts b/packages/vite-plugin/src/codegenPlugin.test.ts
@@ -59,13 +59,15 @@ describe("codegen support", function () {
         });
 
         /*
-         * Normal deps, Dev deps, required peer dependencies and installed optional dependencies
+         * Normal deps,required peer dependencies and installed optional dependencies
          * are discovered. Non-existing optional peer dependencies and non existing
          * optional dependencies are not an error.
+         *
+         * Code from dev dependencies not is not automatically included.
          */
         const testAppJs = readFileSync(join(outDir, "test-app.js"), "utf-8");
         assert.include(testAppJs, `console.log("from normal dep");`);
-        assert.include(testAppJs, `console.log("from dev dep");`);
+        assert.notInclude(testAppJs, `console.log("from dev dep");`);
         assert.include(testAppJs, `console.log("from peer dep");`);
         assert.include(testAppJs, `console.log("from optional dep");`);
     });

diff --git a/packages/vite-plugin/src/metadata/loadPackageMetadata.ts b/packages/vite-plugin/src/metadata/loadPackageMetadata.ts
@@ -86,7 +86,7 @@ class PackageMetadataReader {
             version: packageVersion,
             dependencies,
             frameworkMetadata
-        } = await parsePackageJson(packageJsonPath, mode);
+        } = await parsePackageJson(packageJsonPath);
 
         // The package config is read either from the package's build.config.mjs (for source packages)
         // or from a package's serialized metadata in its package.json (for published packages).
@@ -288,7 +288,7 @@ class PackageMetadataReader {
     }
 }
 
-async function parsePackageJson(packageJsonPath: string, mode: "local" | "external") {
+async function parsePackageJson(packageJsonPath: string) {
     if (!(await fileExists(packageJsonPath))) {
         throw new ReportableError(`Expected a 'package.json' file at ${packageJsonPath}`);
     }
@@ -330,13 +330,6 @@ async function parsePackageJson(packageJsonPath: string, mode: "local" | "extern
         );
     }
 
-    const devDependencies = packageJsonContent.devDependencies ?? {};
-    if (typeof devDependencies !== "object") {
-        throw new ReportableError(
-            `Expected a valid 'devDependencies' object in ${packageJsonPath}`
-        );
-    }
-
     const deps = new Map<string, PackageDependency>();
     const addDep = (packageName: string, optional: boolean) => {
         let dep = deps.get(packageName);
@@ -363,12 +356,6 @@ async function parsePackageJson(packageJsonPath: string, mode: "local" | "extern
         addDep(depName, true);
     }
 
-    if (mode === "local") {
-        for (const depName of Object.keys(devDependencies)) {
-            addDep(depName, false);
-        }
-    }
-
     const frameworkMetadata = packageJsonContent[PackageMetadataV1.PACKAGE_JSON_KEY] ?? undefined;
     return {
         name: packageName,