Minimize the number of the Miniflare package dependencies

[dario-piotrowicz]

Fixes https://jira.cfdata.org/browse/DEVX-1578

This PR moves almost all the Miniflare dependencies to the devDependencies field ensuring that these get bundled in.

The non-bunbled packages are all pinned (which also prevents potential future npm vuln issues).

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
    • I've built Miniflare locally before and after and ensured that in one case the packages were normal dependencies while in the other their code was being bundled in
  • Additional testing not necessary because: Tests/linting for this is going to be added separately: DEVX-1580
• Public documentation
  • Cloudflare docs PR(s):
  • Documentation not necessary because: this change improves the security of the package but is not something that users necessarily need to be aware of

A picture of a cute animal (not mandatory, but encouraged)

[changeset-bot]

🦋 Changeset detected

Latest commit: a6eede3

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@11897

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@11897

miniflare

npm i https://pkg.pr.new/miniflare@11897

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@11897

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@11897

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@11897

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@11897

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@11897

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@11897

wrangler

npm i https://pkg.pr.new/wrangler@11897

commit: a6eede3

[vicb]

The non-bunbled packages are all pinned (which also prevents potential future npm vuln issues).

I first think that was a change in your PR - I don't think it is, more an intent (but no related changes) right?

[dario-piotrowicz]

The non-bunbled packages are all pinned (which also prevents potential future npm vuln issues).

I first think that was a change in your PR - I don't think it is, more an intent (but no related changes) right?

Yes, sorry for the confusion, in that sentence I was describing the state of things more than what this PR is doing.

[dario-piotrowicz]

@petebacondarwin This PR is moving some of the external dependencies to devDependencies, I did that before you merged your PR and everything seemed ok and all the miniflare tests passed

But now the CI check you added errors, and I can see explanations from you here as to why we'd want to avoid bundling those deps?

workers-sdk/packages/miniflare/scripts/deps.ts

Line 7 in fe4faa3

export const EXTERNAL_DEPENDENCIES = [

Based on the tests passing I thought that it'd be ok, but there might be subtle untested consequences? If you are confident that these deps do need to be external I'm happy to close this PR, otherwise we can give this a go, please let me know 🙂