bogus runtime dependencies #6950

Open
brjsp opened this issue Jul 25, 2024 · 3 comments

brjsp commented Jul 25, 2024

I noticed version 7.17.0 added @storybook/preview-api to shipped dependencies. I grepped the whole shipped javascript code and did not find any references to storybook — that means it should be in devDependencies instead. (removing it from dependencies and running electron-builder again seems to shave about 3MB unpacked)

This is not the first time a node module has been incorrectly marked as a runtime dependency. At openSUSE, we have determined the following ones are trivially safe to remove (because they're not referenced by anything):

Remove build-time dependencies incorrectly specified as runtime which bring a lot of garbage
Compare https://github.com/microsoft/vscode/issues/143395

--- a/node_modules/mac-screen-capture-permissions/package.json	2022-06-07 18:02:10.000000000 +0200
+++ b/node_modules/mac-screen-capture-permissions/package.json	2022-06-07 18:34:54.695787124 +0200
@@ -14,8 +14,7 @@
   "dependencies": {
     "electron-util": "^0.13.0",
     "execa": "^2.0.4",
-    "macos-version": "^5.2.1",
-    "prebuild-install": "^6.0.0"
+    "macos-version": "^5.2.1"
   },
   "devDependencies": {
     "electron": "^7.1.0",
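Review bot: removing `"prebuild-install": "^6.0.0"` from `dependencies` is only safe if nothing in this package.json still invokes it. The hunk does not show the `scripts` section, so confirm that no install script calls `prebuild-install`, or drop that script in the same patch so a fresh install does not fail on a missing binary.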
--- a/node_modules/@signalapp/better-sqlite3/package.json	2022-06-07 19:06:26.261094868 +0200
+++ b/node_modules/@signalapp/better-sqlite3/package.json	2022-06-07 19:17:48.526056277 +0200
@@ -17,7 +17,6 @@
   ],
   "dependencies": {
-    "bindings": "^1.5.0",
+    "bindings": "^1.5.0"
-    "tar": "^6.1.0"
   },
   "devDependencies": {
     "chai": "^4.3.6",
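Review bot: the `+    "bindings": "^1.5.0"` line sits between the two `-` lines, which reads as a hand-edited hunk. Regenerate it with `diff -u` so both removals precede the addition and the `@@ -17,7 +17,6 @@` counts come from the tool rather than being maintained by hand.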
--- vendor/node_modules/@signalapp/ringrtc/package.json.old	2023-01-26 09:43:16.454468097 +0100
+++ vendor/node_modules/@signalapp/ringrtc/package.json	2023-01-27 12:56:26.446086113 +0100
@@ -24,10 +24,6 @@
   },
   "author": "",
   "license": "AGPL-3.0-only",
-  "dependencies": {
-    "https-proxy-agent": "7.0.1",
-    "tar": "^6.2.1"
-  },
   "devDependencies": {
     "@types/chai": "4.3.11",
     "@types/chai-as-promised": "^7.1.5",
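Review bot: deleting the whole `dependencies` block drops `https-proxy-agent` together with `tar`, and a module that is required lazily fails only at run time, so the patch description should record how each was confirmed unreferenced in the shipped code. The header here also uses `vendor/node_modules/...package.json.old` while the first two files use `a/node_modules/...` and `b/node_modules/...`, so no single `-p` strip level applies the whole series; normalise the prefixes.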
--- Signal-Desktop-7.17.0/package.json.orig	2024-07-25 16:38:59.000000000 +0200
+++ Signal-Desktop-7.17.0/package.json	2024-07-25 20:53:26.215614997 +0200
@@ -106,8 +106,6 @@
     "@signalapp/libsignal-client": "0.52.3",
     "@signalapp/ringrtc": "2.44.3",
     "@signalapp/windows-dummy-keystroke": "1.0.0",
-    "@storybook/preview-api": "8.1.11",
-    "@types/fabric": "4.5.3",
     "backbone": "1.4.0",
     "blob-util": "2.0.2",
     "blueimp-load-image": "5.14.0",
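Review bot: `@storybook/preview-api` and `@types/fabric` are deleted from `dependencies` outright. For a change that can go upstream they should reappear under `devDependencies` with the same pinned versions (`8.1.11`, `4.5.3`), so that development builds keep the pin while the packaged app stops shipping them.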
@@ -169,12 +167,10 @@
     "react-blurhash": "0.1.2",
     "react-contextmenu": "2.11.0",
     "react-dom": "17.0.2",
-    "react-hot-loader": "4.13.0",
     "react-intl": "6.1.1",
     "react-popper": "2.3.0",
     "react-quill": "2.0.0-beta.4",
     "react-redux": "7.2.8",
-    "react-router-dom": "5.0.1",
     "react-textarea-autosize": "8.3.4",
     "react-virtualized": "9.22.3",
     "read-last-lines": "1.8.0",
@@ -182,16 +178,13 @@
     "redux-logger": "3.0.6",
     "redux-promise-middleware": "6.1.0",
     "redux-thunk": "2.3.0",
-    "redux-ts-utils": "3.2.2",
     "reselect": "4.1.2",
     "rimraf": "2.6.2",
     "sanitize.css": "11.0.0",
     "semver": "5.7.2",
     "split2": "4.0.0",
-    "type-fest": "3.5.0",
     "urlpattern-polyfill": "9.0.0",
     "uuid": "3.3.2",
-    "uuid-browser": "3.1.0",
     "websocket": "1.0.34",
     "write-file-atomic": "5.0.1",
     "zod": "3.22.3"
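Review bot: the three hunks for this file remove seven entries from `dependencies` (here `redux-ts-utils`, `type-fest` and `uuid-browser`), but the patch carries no matching lockfile change. An install that enforces a frozen lockfile will reject the mismatch, so regenerate the lockfile in the same patch or state that the build installs without one.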


Upstream removes the following two packages manually, so their transitive dependencies are also guaranteed dead:
--- vendor/node_modules/@formatjs/intl-displaynames/package.json.orig	2023-09-21 16:36:58.598999000 +0200
+++ vendor/node_modules/@formatjs/intl-displaynames/package.json	2023-09-21 17:45:34.771829227 +0200
@@ -20,11 +20,6 @@
     "type": "git",
     "url": "git+https://github.com/formatjs/formatjs.git"
   },
-  "dependencies": {
-    "@formatjs/ecma402-abstract": "1.12.0",
-    "@formatjs/intl-localematcher": "0.2.31",
-    "tslib": "2.4.0"
-  },
   "devDependencies": {
     "@formatjs/intl-getcanonicallocales": "2.0.4",
     "@formatjs/intl-locale": "3.0.6"
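Review bot: `@formatjs/ecma402-abstract`, `@formatjs/intl-localematcher` and `tslib` are cut from this package's `dependencies`, but the same names can be required by other installed packages. The description should say that only this edge is removed and that the modules are deleted afterwards only if the resolver reports them as extraneous, never by name.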
--- vendor/node_modules/@formatjs/intl-listformat/package.json.orig	2023-09-21 16:36:58.664999000 +0200
+++ vendor/node_modules/@formatjs/intl-listformat/package.json	2023-09-21 17:45:51.608495274 +0200
@@ -18,11 +18,6 @@
     "type": "git",
     "url": "[email protected]:formatjs/formatjs.git"
   },
-  "dependencies": {
-    "@formatjs/ecma402-abstract": "1.12.0",
-    "@formatjs/intl-localematcher": "0.2.31",
-    "tslib": "2.4.0"
-  },
   "devDependencies": {
     "@formatjs/intl-getcanonicallocales": "2.0.4",
     "@formatjs/intl-locale": "3.0.6"
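Review bot: the `url` context line reads `[email protected]:formatjs/formatjs.git`, which looks like an address mangled by e-mail obfuscation on the page rather than the real content of the file. Context lines have to match the target, so this hunk may not apply as copied from here and should be taken from the original patch file.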
@ayumi-signal
Contributor

Hi @brjsp thanks for letting us know. You are correct that @storybook/preview-api should be a dev-only dependency. Sorry for the mistake and we will fix it!


stale bot commented Nov 9, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 9, 2024

brjsp commented Nov 9, 2024

bump — this is still relevant to 7.32.0

what's somewhat useful is that we invented a script to clean up unused transitive dependencies:

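#!/bin/bash
# Filter out garbage node_modules leftover from upstream's removal of react-aria etc.
# `npm ls` needs to be called in a loop because extraneous nodules' transitive deps
# aren't marked themselves as extraneous.
while : ; do
    # Keep only the path (text before the first ':') of entries flagged EXTRANEOUS.
    extraneous_nodules=$(npm ls --all --omit=dev --parseable --long | grep ':EXTRANEOUS$' | sed 's/:.*//')
    if [[ -z "$extraneous_nodules" ]]; then
        break
    fi
    # Delete one path per line so spaces or glob characters in a path are not expanded.
    while IFS= read -r nodule; do
        rm -rf -- "$nodule"
    done <<< "$extraneous_nodules"
done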

@stale stale bot removed the stale label Nov 9, 2024
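
The check described in the opening comment (searching the shipped JavaScript for any reference to a declared runtime dependency) can be automated. The following is an added example, not code from Signal or openSUSE; the function names and the sample file contents are constructed, and only the package names and versions come from the issue.

```javascript
// Added example: names and sample data below are constructed for illustration.

// Map an import specifier to the package that owns it:
// "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg"; relative, absolute and node: -> null.
function packageOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect every package named in require(), import() or import/export ... from.
function referencedPackages(sources) {
  const pattern = /(?:\brequire\s*\(|\bimport\s*\(|\bfrom\s+|\bimport\s+)\s*(['"])([^'"\n]+)\1/g;
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const match of text.matchAll(pattern)) {
      const pkg = packageOf(match[2]);
      if (pkg) found.add(pkg);
    }
  }
  return found;
}

// Runtime dependencies that no shipped file names directly (candidates, not proof).
function unreferencedDependencies(manifest, sources) {
  const used = referencedPackages(sources);
  return Object.keys(manifest.dependencies || {})
    .filter((name) => !used.has(name))
    .sort();
}

// Constructed manifest (versions as quoted in the issue) and constructed shipped files.
const sampleManifest = {
  dependencies: {
    '@signalapp/ringrtc': '2.44.3',
    '@storybook/preview-api': '8.1.11',
    'type-fest': '3.5.0',
    uuid: '3.3.2',
    zod: '3.22.3',
  },
};
const sampleShipped = {
  'app/main.js': 'const { z } = require("zod");\nconst fs = require("node:fs");\n' +
    "const ring = require('@signalapp/ringrtc/dist/index');\n",
  'ts/util.js': 'import { v4 } from "uuid";\nimport "./local";\n',
};

console.log(unreferencedDependencies(sampleManifest, sampleShipped));
```

A package loaded through a computed `require` argument or referenced only from a build configuration will not match the pattern, so each reported name still needs a manual look before it is moved to `devDependencies`.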