Comments (7)

stevespringett commented on June 24, 2024

The node module should not be including devDependencies.

It relies on the read-installed module which excludes devDependencies by default.

exports.createbom = (path, callback) => readInstalled(path, (err, pkgInfo) => {

https://www.npmjs.com/package/read-installed

When obtaining package info, the module will only obtain modules in the dependencies section.

if (pkg.dependencies) {

If you're seeing devDependencies being included, please supply a package.json which can reproduce the problem.

from cyclonedx-node-module.

ruimda commented on June 24, 2024

So, first I did an "npm install --only=prod", and then generated the bom. This included only dependencies.

Then I did a "npm install", and generated the bom again. This one includes dev dependencies like karma and protractor.

Here is the package.json file:
{
  "name": "myproject",
  "version": "0.1.0",
  "scripts": {
    "bom": "cyclonedx-bom -o bom.xml"
  },
  "private": true,
  "dependencies": {
    "@agm/core": "^1.0.0-beta.5",
    "@angular/animations": "^6.0.3",
    "@angular/common": "^6.0.3",
    "@angular/compiler": "^6.0.3",
    "@angular/core": "^6.0.3",
    "@angular/forms": "^6.0.3",
    "@angular/http": "^6.0.3",
    "@angular/platform-browser": "^6.0.3",
    "@angular/platform-browser-dynamic": "^6.0.3",
    "@angular/router": "^6.0.3",
    "@google/maps": "^0.5.5",
    "@test/account": "dev-latest",
    "@test/animations": "dev-latest",
    "@test/http-interceptors": "dev-latest",
    "@test/notifications": "dev-latest",
    "@test/static-assets": "dev-latest",
    "@progress/kendo-angular-buttons": "^4.0.0",
    "@progress/kendo-angular-dateinputs": "2 - 3",
    "@progress/kendo-angular-dialog": "^3.7.0",
    "@progress/kendo-angular-dropdowns": "^3.4.2",
    "@progress/kendo-angular-excel-export": "1 - 2",
    "@progress/kendo-angular-grid": "^3.6.0",
    "@progress/kendo-angular-inputs": "2 - 3",
    "@progress/kendo-angular-intl": "^1.0.0",
    "@progress/kendo-angular-l10n": "^1.3.0",
    "@progress/kendo-angular-layout": "^3.1.0",
    "@progress/kendo-angular-popup": "^2.0.0",
    "@progress/kendo-angular-tooltip": "^1.1.2",
    "@progress/kendo-data-query": "^1.0.0",
    "@progress/kendo-drawing": "^1.0.0",
    "@progress/kendo-theme-default": "latest",
    "agm-direction": "^0.6.0",
    "bootstrap": "^4.1.1",
    "core-js": "^2.5.4",
    "install": "^0.11.0",
    "moment": "^2.22.2",
    "npm": "^6.1.0",
    "open-iconic": "^1.1.1",
    "popper.js": "^1.14.3",
    "rxjs": "^6.0.0",
    "rxjs-compat": "^6.3.3",
    "zone.js": "^0.8.26"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "~0.6.0",
    "@angular-devkit/build-ng-packagr": "~0.6.5",
    "@angular/cli": "~6.0.0",
    "@angular/compiler-cli": "^6.0.0",
    "@angular/language-service": "^6.0.0",
    "@types/googlemaps": "^3.30.11",
    "@types/jasmine": "~2.8.6",
    "@types/jasminewd2": "~2.0.3",
    "@types/node": "~8.9.4",
    "codelyzer": "~4.2.1",
    "jasmine-core": "~2.99.1",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~1.7.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma-coverage-istanbul-reporter": "~1.4.2",
    "karma-jasmine": "~1.1.1",
    "karma-jasmine-html-reporter": "^0.2.2",
    "ng-packagr": "^3.0.0-rc.2",
    "protractor": "~5.3.0",
    "ts-node": "~5.0.1",
    "tsickle": ">=0.25.5",
    "tslib": "^1.7.1",
    "tslint": "~5.9.1",
    "typescript": "~2.7.2",
    "sonarqube-scanner": "^2.1.0"
  }
}

@test are some internal modules

ruimda commented on June 24, 2024

Could you reproduce the case? Thanks.

anush-cr commented on June 24, 2024

@ruimda For what it's worth, I ran into this issue and tried to diagnose it. So, read-installed traverses the node_modules folder to build the dependency tree and marks any devDependencies that exist in that folder as extraneous when using the dev: false option, which is the default.

I've created PR #13 to exclude extraneous packages which should resolve the issue.

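The behaviour diagnosed in the comment above, as an added example that is not part of the thread, PR #13 or the project's code: a walker that builds a component list from a dependency tree and skips any package flagged `extraneous`, together with everything reachable only through it. The tree is constructed sample data; the node shape (`name`, `version`, `extraneous`, `dependencies`), the `collectComponents` helper, the installed versions and the package names `prod-lib`, `shared-util`, `dev-only-helper` and `missing-peer` are assumptions for illustration.

```javascript
// Added example with constructed data; not the cyclonedx-node-module source.
// Assumed node shape, modelled on the thread's description of read-installed:
//   { name, version, extraneous?: true, dependencies: { depName: node } }
function collectComponents(root, { includeExtraneous = false } = {}) {
  const seen = new Set();   // guards against cycles and repeated packages
  const components = [];

  function walk(node, isRoot) {
    // A dependency that is declared but not installed has no node object.
    if (node === null || typeof node !== 'object') return;
    // Dropping an extraneous node also drops whatever is reachable only via it.
    if (node.extraneous && !includeExtraneous) return;
    const id = `${node.name}@${node.version}`;
    if (seen.has(id)) return;
    seen.add(id);
    if (!isRoot) components.push(id);   // the project itself is not a component
    for (const child of Object.values(node.dependencies || {})) walk(child, false);
  }

  walk(root, true);
  return components.sort();
}

// Constructed tree: state of node_modules after a plain "npm install".
const sharedUtil = { name: 'shared-util', version: '1.0.0', dependencies: {} };
const prodLib = { name: 'prod-lib', version: '1.0.0',
                  dependencies: { 'shared-util': sharedUtil } };
sharedUtil.dependencies['prod-lib'] = prodLib;   // circular reference
const rxjs = { name: 'rxjs', version: '6.0.0', dependencies: {} };
const karma = {
  name: 'karma', version: '1.7.1', extraneous: true,   // dev dependency on disk
  dependencies: {
    'dev-only-helper': { name: 'dev-only-helper', version: '1.0.0', dependencies: {} },
    'shared-util': sharedUtil,   // also needed by a production package
  },
};
const tree = {
  name: 'myproject', version: '0.1.0',
  dependencies: {
    moment: { name: 'moment', version: '2.22.2', dependencies: {} },
    rxjs,
    'rxjs-compat': { name: 'rxjs-compat', version: '6.3.3', dependencies: { rxjs } },
    karma,
    'prod-lib': prodLib,
    'missing-peer': '^1.0.0',   // not installed: only the requested range is known
  },
};

const prodBom = collectComponents(tree);
const unfilteredBom = collectComponents(tree, { includeExtraneous: true });
console.log({ prodBom, unfilteredBom });
```

`shared-util` stays in the filtered list because a production package also depends on it, while `dev-only-helper` disappears along with `karma`.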

ruimda commented on June 24, 2024

Thanks a lot. I will follow this closely

stevespringett commented on June 24, 2024

0.2.5 was pushed which should solve this issue. Also included is an updated SPDX license list (v3.5). Please reopen if anyone experiences this problem going forward.

lock commented on June 24, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
