vendeps 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +36 -4
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -14,10 +14,10 @@ import confetti from './dependencies/canvas-confetti.js'
|
|
|
14
14
|
|
|
15
15
|
Modern browsers support ES modules natively, but most npm packages still ship CommonJS or split their code across dozens of files. Using a CDN solves the format problem but introduces new ones:
|
|
16
16
|
|
|
17
|
-
- **Security** — Every page load fetches code from a third-party server, opening the door to man-in-the-middle attacks or CDN compromises.
|
|
18
|
-
- **Reliability** — Your app's uptime becomes coupled to the CDN's uptime.
|
|
19
|
-
- **Reproducibility** — CDN URLs can change, disappear, or serve different versions.
|
|
20
|
-
- **Predictability** — You know exactly what code your users are running.
|
|
17
|
+
- **Security** — Every page load fetches code from a third-party server, opening the door to man-in-the-middle attacks or CDN compromises. Vendeps allows you to version-control your dependencies for audit.
|
|
18
|
+
- **Reliability** — Your app's uptime becomes coupled to the CDN's uptime. Vendeps decouples your app's uptime from any CDN.
|
|
19
|
+
- **Reproducibility** — CDN URLs can change, disappear, or serve different versions. Vendeps ensures that your app always uses the same version of a dependency.
|
|
20
|
+
- **Predictability** — You know exactly what code your users are running. Vendeps ensures that the exact same dependency you used during development is used in production.
|
|
21
21
|
|
|
22
22
|
`vendeps` takes a different approach: convert each dependency into a single, self-contained `.js` file that you **check into your repository**. Your app ships everything it needs — no external requests at runtime, no surprises.
|
|
23
23
|
|
|
@@ -31,6 +31,32 @@ npx vendeps
|
|
|
31
31
|
|
|
32
32
|
That's it. A `dependencies/` folder appears with one `.js` file per dependency. Point your `<script type="module">` at them and go.
|
|
33
33
|
|
|
34
|
+
### Even better: use Import Maps
|
|
35
|
+
|
|
36
|
+
Instead of rewriting your imports to point at `./dependencies/**/*.js`, you can use a [browser import map](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/script/type/importmap) so your source code keeps using bare specifiers — exactly like Node.js:
|
|
37
|
+
|
|
38
|
+
```html
|
|
39
|
+
<script type="importmap">
|
|
40
|
+
{
|
|
41
|
+
"imports": {
|
|
42
|
+
"lit-html": "./dependencies/lit-html.js",
|
|
43
|
+
"canvas-confetti": "./dependencies/canvas-confetti.js"
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
</script>
|
|
47
|
+
<script type="module" src="app.js"></script>
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
Now your application code works without any path changes:
|
|
51
|
+
|
|
52
|
+
```js
|
|
53
|
+
// app.js — same imports you'd write in Node
|
|
54
|
+
import { html, render } from 'lit-html'
|
|
55
|
+
import confetti from 'canvas-confetti'
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
The browser resolves the bare specifiers through the import map, so your code stays portable between Node.js and the browser with zero modifications.
|
|
59
|
+
|
|
34
60
|
## Installation
|
|
35
61
|
|
|
36
62
|
If you prefer to install it as a dev dependency:
|
|
@@ -53,6 +79,8 @@ To ensure the `dependencies/` folder is always up to date after `npm install` or
|
|
|
53
79
|
|
|
54
80
|
Now every `npm ci` on your CI server or a fresh clone will automatically populate the `dependencies/` folder with minified bundles — no extra step to remember.
|
|
55
81
|
|
|
82
|
+
> ⚠️ **Dependency drift** — The vendored bundles are snapshots of whatever versions are installed at build time. If you update a dependency version in `package.json` (or run `npm update`), remember to re-run `npx vendeps` (or trigger a fresh `npm ci`) so the bundles stay in sync. Checking in the `dependencies/` folder helps catch drift — any version bump will show up as a diff in your commit.
|
|
83
|
+
|
|
56
84
|
## CLI Options
|
|
57
85
|
|
|
58
86
|
```
|
|
@@ -166,6 +194,10 @@ By committing the `dependencies/` folder, you get:
|
|
|
166
194
|
- **Auditability** — the exact code your users receive is visible in your repo.
|
|
167
195
|
- **Reproducibility** — every clone, every checkout, every deploy uses the exact same dependency code.
|
|
168
196
|
|
|
197
|
+
## Limitations
|
|
198
|
+
|
|
199
|
+
> ⚠️ **CSS-only packages** — `vendeps` bundles JavaScript only. If a dependency ships exclusively CSS (e.g. `normalize.css`), it will not be handled. You will need to copy those assets manually or use a separate tool.
|
|
200
|
+
|
|
169
201
|
## License
|
|
170
202
|
|
|
171
203
|
[MIT](LICENSE)
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "vendeps",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.1",
|
|
4
4
|
"description": "Uses esbuild to convert npm packages to ESM bundles for the browser.",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"bin": {
|
|
@@ -43,4 +43,4 @@
|
|
|
43
43
|
"esbuild": "^0.27.3",
|
|
44
44
|
"jty": "^4.0.0"
|
|
45
45
|
}
|
|
46
|
-
}
|
|
46
|
+
}
|