- 🇫🇷 France andypost
Even if yarn^2 will be used, each asset library will need an extra script to remove test/demo files from the installed package, like VendorHardeningPlugin is doing for composer. I see no general solution for contrib/custom code, as each package upgrade may need to tune the "hardening" settings for it.
Also, it is not clear how to manage dependencies of assets if any appear.

- 🇫🇷 France prudloff Lille
Symfony tried to solve a similar problem so if we want to download NPM packages without adding a dependency on Yarn/NPM, we might be able to leverage the Symfony AssetMapper component.
It is in PHP and is able to download NPM packages and their dependencies:
- https://symfony.com/blog/new-in-symfony-6-3-assetmapper-component#workin...
- https://symfony.com/blog/new-in-symfony-6-4-assetmapper-improvements#ven...
They also implemented an audit command to check for known vulnerabilities: https://github.com/symfony/symfony/blob/6.4/src/Symfony/Component/AssetM...
The main caveat is that it adds a dependency on the jsDelivr API to get the dependency tree of each NPM package (https://github.com/symfony/symfony/blob/6.4/src/Symfony/Component/AssetM...).
Also they are basically reinventing NPM in PHP, which is something I have mixed feelings about.

- 🇦🇺 Australia darvanen Sydney, Australia
Hi folks,
This looks like the kind of issue that could reach well over 500 comments before we come to an agreement so with the frontend framework manager's support (@nod_) and help from a core committer (@larowlan) I've kicked off a community initiative because I would *really* like to see this happen.
I've built a prototype using php-forge/foxy and a new contrib module, but I'm not at all wedded to seeing it happen that way. It's just a prototype but so far I *think* it covers all of the pitfalls of previous attempts, I'd really like people to poke holes in it.
If you're still interested in this issue please accept my humble invitation to join us over at #frontend-bundler-intitiative in Drupal Slack.
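
The per-package cleanup raised in the first comment (removing test/demo files from installed asset packages), sketched as an added example that is not part of this thread or of any project's code. The `hardenAssets` function, the rules format and the `example-lib` package are assumptions made for illustration; the sample tree is constructed in a temporary directory.

```javascript
// Added example: hypothetical post-install cleanup, not code from any project.
const fs = require('fs');
const os = require('os');
const path = require('path');

// rules (assumed format): { "<package dir>": ["path/relative/to/package", ...] }
function hardenAssets(assetsDir, rules) {
  const base = path.resolve(assetsDir);
  const removed = [];
  const skipped = [];
  for (const [pkg, relPaths] of Object.entries(rules)) {
    const pkgDir = path.resolve(base, pkg);
    for (const rel of relPaths) {
      const target = path.resolve(pkgDir, rel);
      // Refuse a package outside the assets dir, the package root itself,
      // and any path that climbs out of the package with "..".
      if (!pkgDir.startsWith(base + path.sep) || !target.startsWith(pkgDir + path.sep)) {
        skipped.push(`${pkg}:${rel}`);
        continue;
      }
      let st;
      try {
        st = fs.lstatSync(target); // lstat: inspect a symlink, do not follow it
      } catch {
        continue; // path not shipped in this version of the package
      }
      fs.rmSync(target, { recursive: st.isDirectory(), force: true });
      removed.push(path.relative(base, target));
    }
  }
  return { removed, skipped };
}

// Constructed sample tree in a temp dir: one library with a build and a demo.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'assets-'));
  const lib = path.join(root, 'example-lib');
  fs.mkdirSync(path.join(lib, 'dist'), { recursive: true });
  fs.mkdirSync(path.join(lib, 'demo'));
  fs.writeFileSync(path.join(lib, 'dist', 'lib.min.js'), '/* build */');
  fs.writeFileSync(path.join(lib, 'demo', 'index.html'), '<!-- demo -->');
  fs.writeFileSync(path.join(root, 'keep.txt'), 'outside the package');
  const rules = { 'example-lib': ['demo', 'test', '../keep.txt'] };
  const result = hardenAssets(root, rules);
  const left = fs.readdirSync(lib);
  const outsideKept = fs.existsSync(path.join(root, 'keep.txt'));
  fs.rmSync(root, { recursive: true, force: true });
  return { ...result, left, outsideKept };
}
```

Entries that are absent are passed over silently, so a rule list can stay unchanged when an upgrade stops shipping a directory; entries that resolve outside the package are reported in `skipped` rather than deleted.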