Moleculer: Reduce dependencies

Created on 9 Dec 2018  Β·  46Comments  Β·  Source: moleculerjs/moleculer

Due to the recent event-stream vulnerability issue, I'm thinking to reduce the used NPM dependencies in the Moleculer core.
Currently it is the current dependency tree (29 modules):

`-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | +-- [email protected] deduped
  | +-- [email protected]
  | `-- [email protected]
  +-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | | `-- [email protected]
  | |   `-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  |   `-- [email protected]
  +-- [email protected]
  +-- [email protected]
  +-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | +-- [email protected]
  | | +-- [email protected] deduped
  | | `-- [email protected]
  | +-- [email protected]
  | +-- [email protected]
  | | `-- [email protected]
  | |   +-- [email protected]
  | |   `-- [email protected]
  | +-- [email protected]
  | | `-- [email protected] deduped
  | `-- [email protected]
  +-- [email protected]
  `-- [email protected]

There are 3 libs which have too much dependencies:

  1. args (4 other deps)
    It is used in Moleculer Runner to parse arguments
  2. chalk (6 other deps)
    It is used to coloring some log messages
  3. glob (12(!) other deps)
    It is used in Moleculer Runner & ServiceBroker to load services from folders.
  4. vorpal
    It's a dev dependency but it is not maintained & contains some vulnerabilities.

Possible alternatives:

_Important to keep the current functionality, so the changes don't cause breaking changes!_

args

  • [ ] [mri](https://github.com/lukeed/mri) (no deps)
  • [ ] [cac](https://github.com/cacjs/cac) (no deps)

    chalk

  • [x] [kleur](https://github.com/lukeed/kleur) (no deps)

glob

  • [ ] [tiny-glob](https://github.com/terkelg/tiny-glob) (2 deps)

vorpal

  • ?
Core Enhancement help wanted

Most helpful comment

Hey, haha, I helped work on tiny-glob. It's the one I use

All 46 comments

@lukeed do you have any awesome (fast & no deps) lib to replace the huge glob lib? :smile:

Hey, haha, I helped work on tiny-glob. It's the one I use

https://github.com/vadimdemedes/ink could be a replacement for vorpal

Ink is good. I forgot to mention before that sade is also an option for your CLI builder. Its only dependency is mri, which is already in this list

Hello, we use Moleculer at my company and vorpal's vulnerabilities are a concern to us and we'd like to get this resolved. What can I do to help with this? I can fork and start a PR to replace vorpal with something else.

Thanks.

vorpal is more than the ink. It has a REPL mode with command & argument handling and autocomplete feature. Ink (as soon as I can see) is a react based GUI for console apps.
The better option would be to fix vulnerable packages in vorpal. I've created a fork here

Yeah I was looking over alternatives and none really seem to do what moleculer uses vorpal for.

@icebob do you plan to utilize the fork in moleculer-repl by publishing a package or directly to the github repo in the package.json? I can start working on getting the vulnerabilities patched and submit a PR to the fork.

This is another one more close to the vorpal concept: https://github.com/drew-y/cliffy

But I agree:

The better option would be to fix vulnerable packages in vorpal. I've created a fork here

@joshmanders good news. It would be good if you could fix it. I plan to publish the fixed vorpal under the org like: @moleculer/vorpal

@tinchoz49 great, yes, cliffy can be an alternative. _Btw, I've starred it for a while :P_

@joshmanders good news. It would be good if you could fix it. I plan to publish the fixed vorpal under the org like: @moleculer/vorpal

Excellent. I have a PR waiting right now, just have noticed some tests are timing out so I'm trying to figure that out.

I heard that bluebird is no longer needed

@icebob Could we add lodash to the list of libraries that Moleculer _could_ live without? I dissected the framework a while back while playing around with making it a first-class typescript citizen and noticed a lot of lodash usage that could be replaced by simple native js. The reason I particularly am mentioning this lib is because of the bad pratices like prototype pollution it often entails.

https://github.com/moleculerjs/moleculer/search?q=isObject&unscoped_q=isObject

Latest tree btw

[email protected] /Users/davborre/Source/moleculer
β”œβ”€β”¬ [email protected]
β”‚ β”œβ”€β”€ [email protected]
β”‚ β”œβ”€β”¬ [email protected]
β”‚ β”‚ β”œβ”€β”¬ [email protected]
β”‚ β”‚ β”‚ └─┬ [email protected]
β”‚ β”‚ β”‚   └── [email protected]
β”‚ β”‚ β”œβ”€β”€ [email protected]
β”‚ β”‚ └─┬ [email protected]
β”‚ β”‚   └── [email protected]
β”‚ β”œβ”€β”€ [email protected]
β”‚ └── [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”¬ [email protected]
β”‚ β”œβ”€β”€ [email protected]
β”‚ β”œβ”€β”¬ [email protected]
β”‚ β”‚ β”œβ”€β”€ [email protected] deduped
β”‚ β”‚ └── [email protected]
β”‚ β”œβ”€β”€ [email protected]
β”‚ β”œβ”€β”¬ [email protected]
β”‚ β”‚ └─┬ [email protected]
β”‚ β”‚   β”œβ”€β”€ [email protected]
β”‚ β”‚   └── [email protected]
β”‚ β”œβ”€β”¬ [email protected]
β”‚ β”‚ └── [email protected] deduped
β”‚ └── [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”€ [email protected]
β”œβ”€β”¬ [email protected]
β”‚ └── [email protected]
└── [email protected]

Yes, it would be good to drop lodash lib from the core repo. The most important method is the _.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation _or copy out from the lodash_.

Yes, it would be good to drop lodash lib from the core repo. The most important method is the _.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation _or copy out from the lodash_.

Could just depend on lodash.defaultsDeep which is just the dependencies needed for that function.

Hmm, good idea!

By the way, I've just found cac which is same as args but no dependencies.

Only need to change the glob to avoid another big branch

_.get used in the cacher implementation is pretty important aslo I believe. It would be great to firstly get an overview of all lodash deps to determine which could easily be switched out with vanilla js and which we need to consider keeping or replace. I’d be happy to contribute on some concrete issues like Β«replace usage of isObjectΒ» etc to we can gradually migrate lodash out.

  • David
  1. mai 2020 kl. 18:32 skrev Josh Manders notifications@github.com:

ο»Ώ
Yes, it would be good to drop lodash lib from the core repo. The most important method is the _.defaultsDeep. It is used in many places, so it's the most important to find an exact same implementation or copy out from the lodash.

Could just depend on lodash.defaultsDeep which is just the dependencies needed for that function.

β€”
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.

cac has dependencies (including mri) – it's just all inlined into one big pre-built file, which prevents any cross-dep code reuse

Ohh, thanks @lukeed, I didn't see it.

It's actually _only_ mri - I thought there were more. This means cac basically the same as sade...good upgrade either way

@abdavid Here is a list about the used Lodash methods:
image

Nice! I see a couple of low hanging ones. I think we can break them down pr function.

@icebob should we maybe create an epic and materialize tasks for each function? That way we will have the oppertunity to discuss replacements contextually. Like Josh commented we could just import the complex ones.

  • David
  1. mai 2020 kl. 18:37 skrev Icebob notifications@github.com:

ο»Ώ
@abdavid Here is a list about the used Lodash methods:

β€”
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.

Ok, go ahead :)

I do not have the necessary access to create anything like that. For github an epic equivalent would maybe be a project with multiple subtasks? #jiranerd

Here there are some native implementation: https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#quick-links

Here there are some native implementation: https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#quick-links

Sweet! Nice find

@icebob Do we have any docs / guides on performance testing? Would be necessary to have before and after measurements to ensure we keep things speedy

Yes, you can with npm run bench. It executes common performance benchmark tests, so you can measure before & after with it.

@icebob Another option to replace Vorpal: https://github.com/f/omelette

Has zero dependencies;

Thanks @Wallacy but I think it's not a replacement of vorpal. It's just a part of it.

One possible replacement for vorpal in moleculer-repl is shargs.

Some features:

  • Highly customizable command-line arguments parser and usage documentation generator.
  • 35+ opt-in features, e.g. (multiple) subcommands, spelling mistake detection, default values, and (best guess) casting.
  • Synchronous and Promise-based asynchronous mode with async/await support.
  • Automatic usage documentation generation with fine-grained control over layouts and styles.
  • Easily extensible with your own custom parser stages and custom usage layouts.
  • Extensively documented and very well tested (750+ unit and integration tests).
  • Modular library layout with zero runtime dependencies.

and @Yord is currently working on REPL mode and autocompletion

It sounds great. it has no dependency.

Hey all, shargs is meant to replace the command-line parser of another project of mine because it had way too many dependencies (27!). Seems our causes are aligned.

The REPL mode is still very fresh, but I am interested in spending more time.

@Yord Do you know vorpal? Are there any other missing parts in shargs? We are using it in our moleculer-repl

@icebob I have never worked with vorpal.

The command-line parser parts of shargs are almost at 1.0.0, error message ergonomy is left (and bash autocomplete).

As for REPLs, shargs has basic REPL functionality based on the Node REPL and autocomplete for commands. These two parts are not tested, yet.

I could imagine shargs REPL misses text colors and formatting (aka tables) unless the action output does that.

Is there anything apparent to vorpal users that I miss?

Edited to add: Shargs REPL misses pipes and prompts.

I could imagine shargs REPL misses text colors and formatting (aka tables) unless the action output does that.

You are right, the coloring and formatting are done directly in action (e.g., service )

Edited to add: Shargs REPL misses pipes and prompts.

I think that we don't use either of those features. We only use "a small portion" of vorpal

Would be good to create a branch in moleculer-repl and trying to add Shargs instead of vorpal. @AndreMaz do you have some capacity to work on it? Maybe @Yord can help if something is missing :)

@icebob, @AndreMaz I will gladly ship in if I can be of help.

@icebob I will look at it during weekend. In theory it shouldn't be very complex. I just need to find the equivalent for vorpal's syntax. E.g.:

vorpal
  .command('foo <requiredArg> [optionalArg]')
  .autocomplete({
    data() {
        return // Return autocomplete array
  })
  .option('-v, --verbose', 'Print foobar instead.')
  .description('Outputs "bar".')
  .alias('foosball')
  .action(function(args, callback) {
    if (args.options.verbose) {
      this.log('foobar');
    } else {
      this.log('bar');
    }
    callback();
  });

@Yord do you have any tutorial for newbies? Your docs are very good but I didn't found any introductory tutorial.

@AndreMaz Fortunately I wrote one just yesterday:

https://github.com/Yord/shargs-tutorial-git/blob/master/README.md

Sweet πŸ˜„ Thanks

@AndreMaz Just wanted to let you know I have incorporated recent updates into shargs-example-repl.

To elaborate on this: The API has only slight changes, the updates concern mainly autocomplete internals.

@Yord thanks for the info. Can you add the changelog to your repos? It helps to track the changes

@AndreMaz Yes, I will do that. Sorry for the sloppy work. I usually start a changelog with the first stable version, but here, it definitely makes sense to start right now.

Changelogs:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

thatisuday picture thatisuday  Β·  3Comments

molobala picture molobala  Β·  3Comments

jodaks picture jodaks  Β·  5Comments

DeividasJackus picture DeividasJackus  Β·  4Comments

Kamil93 picture Kamil93  Β·  3Comments