Skip to content

Fully bundle ws, semver and recast #32854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
mrginglymus wants to merge 1 commit into from
Closed

Fully bundle ws, semver and recast #32854

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions code/core/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,10 +202,7 @@
"@vitest/expect": "3.2.4",
"@vitest/mocker": "3.2.4",
"@vitest/spy": "3.2.4",
"esbuild": "^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0 || ^0.25.0",
"recast": "^0.23.5",
"semver": "^7.6.2",
"ws": "^8.18.0"
"esbuild": "^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0 || ^0.25.0"
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify no runtime code imports the moved packages before merging.

Moving recast, semver, and ws from dependencies to devDependencies is the correct change per the PR rationale—these should be development-only since they're bundled tools rather than runtime dependencies. However, this assumes:

  1. No runtime imports: Source code in the exported entry points must not import these packages at runtime.
  2. Build system fix in place: The bundler must be configured to prevent re-bundling these packages.
  3. No consumer impact: End users shouldn't be affected since these packages weren't meant to be runtime dependencies.

Please verify the following before merging:

Additionally, confirm that a corresponding build system fix exists in this PR or a related issue (#32822) to prevent these packages from being bundled. The PR description indicates that the build system had a bug causing these to be bundled despite only their types being exposed.

Based on learnings from PR #32484, bundled packages belong in devDependencies.

Also applies to: 313-313, 316-316, 333-333

🏁 Script executed:

#!/bin/bash
# Description: Verify recast, semver, ws are not imported in runtime source code

# Search for imports of moved packages in src/ directory
echo "=== Checking for runtime imports of moved packages ==="
echo ""
echo "Searching for 'recast' imports:"
rg -n "from ['\"]recast['\"]|import.*recast|require\(['\"]recast" src/

echo ""
echo "Searching for 'semver' imports in non-build code:"
rg -n "from ['\"]semver['\"]|import.*semver|require\(['\"]semver" src/ | grep -v "\.test\|\.spec\|test/"

echo ""
echo "Searching for 'ws' imports in non-build code:"
rg -n "from ['\"]ws['\"]|import.*ws['\"]|require\(['\"]ws['\"]" src/ | grep -v "\.test\|\.spec\|test/"

Length of output: 320

🏁 Script executed:

#!/bin/bash
# First, find the structure under code/core/
echo "=== Finding source code structure in code/core/ ==="
fd -t d . code/core/ -max-depth 2

echo ""
echo "=== List of files in code/core/ ==="
ls -la code/core/ | head -20

echo ""
echo "=== Checking for src directory ==="
ls -la code/core/src/ 2>/dev/null || echo "src/ not found, checking other locations..."

echo ""
echo "=== Checking lib, dist, or index files ==="
find code/core/ -maxdepth 1 -type f \( -name "*.js" -o -name "*.ts" -o -name "index.*" \) 2>/dev/null | head -10

Length of output: 4029

🏁 Script executed:

#!/bin/bash
# Search for imports in code/core/ and related directories
echo "=== Searching for 'recast' imports in code/core ==="
rg -n "recast" code/core/ --type ts --type tsx --type js --type jsx 2>/dev/null | grep -i "import\|require\|from" | head -20

echo ""
echo "=== Searching for 'semver' imports in code/core ==="
rg -n "semver" code/core/ --type ts --type tsx --type js --type jsx 2>/dev/null | grep -i "import\|require\|from" | head -20

echo ""
echo "=== Searching for 'ws' imports in code/core ==="
rg -n "ws" code/core/ --type ts --type tsx --type js --type jsx 2>/dev/null | grep -i "import\|require\|from" | grep -v "ws:" | head -20

Length of output: 153

🏁 Script executed:

#!/bin/bash
# Check package.json exports and main fields
echo "=== Checking package.json main entry points ==="
jq '.main, .exports, .types' code/core/package.json

echo ""
echo "=== Checking if build output exists ==="
ls -la code/core/dist/ 2>/dev/null | head -20 || echo "dist/ not found"

echo ""
echo "=== Looking for tsconfig or build config ==="
find code/core/ -maxdepth 1 -type f \( -name "tsconfig*" -o -name "esbuild*" -o -name "build*" \) 2>/dev/null

Length of output: 4478

🏁 Script executed:

#!/bin/bash
# Verify build-config.ts uses the packages as build tools, not runtime
echo "=== Checking build-config.ts for package usage ==="
grep -n "recast\|semver\|ws" code/core/build-config.ts

echo ""
echo "=== Checking for dynamic requires or imports ==="
rg -n "require\s*\(\s*['\"]" code/core/src/ --type ts --type tsx | grep -E "recast|semver|ws" | head -10

echo ""
echo "=== Checking csf-tools and csf for recast usage (CSF parsing tool) ==="
rg -n "recast" code/core/src/csf-tools/ --type ts --type tsx 2>/dev/null || echo "No recast in csf-tools"
rg -n "recast" code/core/src/csf/ --type ts --type tsx 2>/dev/null || echo "No recast in csf"

Length of output: 258

🏁 Script executed:

#!/bin/bash
# Broader search for package usage across entire code/core
echo "=== Searching entire code/core for 'recast' (not just src/) ==="
rg -n "recast" code/core/ --type ts --type js 2>/dev/null | head -20

echo ""
echo "=== Searching entire code/core for 'semver' (not just src/) ==="
rg -n "semver" code/core/ --type ts --type js 2>/dev/null | head -20

echo ""
echo "=== Searching entire code/core for 'ws' (not just src/) ==="
rg -n "\bws\b" code/core/ --type ts --type js 2>/dev/null | grep -v "ws:" | head -20

echo ""
echo "=== Checking scripts directory ==="
ls -la code/core/scripts/

echo ""
echo "=== Checking if these are transitive deps (searching package.json dependencies) ==="
jq '.dependencies | keys[] as $k | select($k | contains("recast") or contains("semver") or contains("ws"))' code/core/package.json

Length of output: 5018

🏁 Script executed:

#!/bin/bash
# Check what packages depend on recast, semver, ws
echo "=== Dependencies that might use recast/semver/ws ==="
jq '.dependencies | keys[]' code/core/package.json | xargs -I {} sh -c 'echo "Checking {}..."; jq ".devDependencies.{} // .dependencies.{}" code/core/package.json' 2>/dev/null | head -30

echo ""
echo "=== Direct dependency entries for moved packages ==="
jq '.dependencies.recast, .dependencies.semver, .dependencies.ws, .devDependencies.recast, .devDependencies.semver, .devDependencies.ws' code/core/package.json

Length of output: 472

Do NOT merge—runtime imports found in bundled code.

Critical verification result: All three packages are actively imported in runtime code that gets exported and bundled:

  • recast: Used in code/core/src/csf-tools/CsfFile.ts, code/core/src/babel/index.ts, code/core/src/cli/eslintPlugin.ts for AST parsing and code generation
  • semver: Used in code/core/src/manager-api/modules/versions.ts, code/core/src/cli/helpers.ts, code/core/src/cli/detect.ts for version comparisons
  • ws: Used in code/core/src/core-server/utils/get-server-channel.ts for WebSocket server communication

These modules are exported via package.json's exports field and will be bundled into dist/. Moving these packages to devDependencies without a verified build system fix will break runtime functionality.

Ensure a corresponding build system change exists that prevents re-bundling of these packages, or keep them in dependencies if they must be available at runtime.

},
"devDependencies": {
"@aw-web-design/x-default-browser": "1.4.126",
Expand Down Expand Up @@ -313,8 +310,10 @@
"react-syntax-highlighter": "^15.4.5",
"react-textarea-autosize": "^8.3.0",
"react-transition-group": "^4.4.5",
"recast": "^0.23.5",
"require-from-string": "^2.0.2",
"resolve.exports": "^2.0.3",
"semver": "^7.6.2",
"sirv": "^2.0.4",
"slash": "^5.0.0",
"source-map": "^0.7.4",
Expand All @@ -331,6 +330,7 @@
"unique-string": "^3.0.0",
"use-resize-observer": "^9.1.0",
"watchpack": "^2.2.0",
"ws": "^8.18.0",
"zod": "^3.24.1"
},
"peerDependencies": {
Expand Down