Replace traverse with neotraverse #443
Thank you @wojtekmaj for the PR, it is really appreciated!
Was not aware of https://github.com/puruvj/neotraverse, it seems to be a great library from the original traverse. Since this looks like a simple change and since neotraverse is 1-1 compatible with traverse, I'm approving these changes.
Tagging @nelsonic to give a quick look over and we'll get it merged ASAP :)
@wojtekmaj thanks for the PR! 🙏
@LuchoTurtle thanks for tagging. 🏷️ 👌
I'm all for PRs that reduce our dependency tree! 🎉
Never heard of neotraverse ... 🤷♂️
Prolly cause it was first published 6 days ago! 💭
https://www.npmjs.com/package/neotraverse?activeTab=versions 👀
Currently has very low usage: https://www.npmjs.com/package/neotraverse
By contrast traverse is "community tested": https://www.npmjs.com/package/traverse
If we merge this PR we will 200x the neotraverse download stats ... 📈
https://www.npmjs.com/package/aws-sdk-mock
Looks reasonably well-documented: https://github.com/PuruVJ/neotraverse
Only two contributors ... https://github.com/PuruVJ/neotraverse/graphs/contributors
@PuruVJ seems legit.
@Aslemammad also seems technically competent! 👌
My only "concern" is this:
New modules appearing to "fix" the problems of older/bloated ones is great!
But it's a massive attack vector for getting malicious code onto the computers of key engineers using AWS to deploy their apps!
Right now the code for neotraverse https://github.com/PuruVJ/neotraverse/tree/main/src looks fine!
But if a malicious person can inject code into it, they could steal AWS keys on dev machines, spin up $$$$$$ of machines on AWS and then erase their tracks ...
We definitely don't want to be in the news, e.g:
https://www.trendmicro.com/vinfo/mx/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
So while I appreciate the enthusiasm, I am naturally cautious/paranoid. 💭
@wojtekmaj how did you find out about this package?
Hi! I created neotraverse specifically because traverse itself got extremely bloated between 0.6.8 and 0.6.9, going from 1.4KB to 21KB and 0 dependencies to 66. It's an extremely concerning problem. neotraverse aims to follow the exact API for traverse forever (barring neotraverse/modern which requires rewriting your own code, so the gun is in your hand, not mine, metaphorically speaking).
Regarding authenticity of myself, I have multiple open source packages, namely
I am not after any vanity metrics like these, they don't matter. If you still have reservations about me introducing an attack vector, the best I can do is give you my word it won't happen. I myself have no mal-intentions, neither do I let anyone make any change to my projects without scrutinizing it to death and back 😅 Being the devil's advocate, you can stick to traverse, and it will be perfectly fine in the end. The user who owns the 66 packages will most probably not introduce an attack vector or anything like that. Only concern is that it's going to become bigger with time, as I noted here: https://puruvj.dev/blog/forking-and-fixing-traverse#Deeper-issue Some references: Let me know your thoughts
I would suggest building this PR. While the API itself is identical, neotraverse doesn't ship with CommonJS, which could break the entire build. We will have to switch
Hi! Thanks @nelsonic for a detailed write-up.
I found the package through author's Twitter: https://x.com/puruvjdev
While I definitely hear your concerns, I'm wondering, how did you manage to keep up with That setup is infinitely easier to sneak shady stuff into. One of the reasons is that you will NEVER be able to lock a version for secondary dependencies - you can only do that for your own dependencies. With
The test is breaking due to neotraverse being ESM-only. @wojtekmaj could you switch it to neotraverse/legacy?
@wojtekmaj to answer your question:
We didn't even However we've recently had a " Would definitely have preferred to see an attempt to improve Anyway ... 💭 Let's get this PR updated to use
That's a giant discussion we should not have here 😅 Just know that traverse was all good before it was "sabotaged" and based on the discussion, it seems unlikely it's gonna get any lighter Anyways, thanks a lot for agreeing! Let's get this done! 🚀
This PR replaces traverse with neotraverse, a fork and TypeScript rewrite of traverse with 0 dependencies (as opposed to 66: https://npmgraph.js.org/?q=traverse) and lots of improvements.
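The "0 dependencies as opposed to 66" comparison is the kind of claim a reviewer can check from the project's own lockfile rather than from a third-party graph site. The script below is an added example, not code from aws-sdk-mock, traverse or neotraverse. It assumes the npm lockfile v2/v3 layout (a `packages` map keyed by install path) and works on a constructed sample lockfile whose package names (`old-lib`, `new-lib`, `dep-a` ...), versions, URLs and hashes are invented. For a named top-level dependency it computes the transitive set of packages pulled in (resolving nested `node_modules` the way Node does) and flags any entry that lacks an `integrity` hash, which `npm ci` could then not verify against the registry tarball.

```javascript
// Added example, not code from aws-sdk-mock, traverse or neotraverse.
// Walks a package-lock.json (lockfileVersion 2 or 3 "packages" map) to answer
// two questions a reviewer of a dependency swap wants from the lockfile alone:
// how many transitive packages does a top-level dependency pull in, and are all
// of them recorded with an integrity hash so `npm ci` can verify each tarball?

// Constructed sample lockfile: package names, versions, URLs and hashes are
// invented for this example and do not describe any real package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "old-lib": "^0.6.0", "new-lib": "^1.0.0" } },
    "node_modules/old-lib": {
      version: "0.6.9",
      resolved: "https://registry.example/old-lib/-/old-lib-0.6.9.tgz",
      integrity: "sha512-CONSTRUCTED-HASH-1",
      dependencies: { "dep-a": "^1.0.0", "dep-b": "^2.0.0" },
    },
    "node_modules/dep-a": {
      version: "1.0.0",
      resolved: "https://registry.example/dep-a/-/dep-a-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-HASH-2",
      dependencies: { "dep-c": "^1.0.0" },
    },
    "node_modules/dep-b": {
      version: "2.0.0",
      resolved: "https://registry.example/dep-b/-/dep-b-2.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-HASH-3",
      dependencies: { "dep-a": "^0.9.0" }, // wants an older dep-a than the root
    },
    // Nested copy installed to satisfy dep-b's older range; note: no integrity.
    "node_modules/dep-b/node_modules/dep-a": {
      version: "0.9.0",
      resolved: "https://registry.example/dep-a/-/dep-a-0.9.0.tgz",
    },
    "node_modules/dep-c": {
      version: "1.0.0",
      resolved: "https://registry.example/dep-c/-/dep-c-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-HASH-4",
    },
    "node_modules/new-lib": {
      version: "1.0.0",
      resolved: "https://registry.example/new-lib/-/new-lib-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-HASH-5",
    },
  },
};

// Resolve `name` as Node would from the package installed at `fromPath`:
// try the nearest nested node_modules first, then walk outward to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from one top-level dependency; returns the sorted lockfile
// paths of everything it transitively pulls in, plus the subset lacking an
// integrity hash (which `npm ci` cannot verify against the registry tarball).
function auditDependency(lock, topLevelName) {
  const packages = lock.packages;
  const start = resolveDep(packages, "", topLevelName);
  if (!start) throw new Error(`${topLevelName} is not in the lockfile`);
  const seen = new Set();
  const stack = [start];
  while (stack.length > 0) {
    const path = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    const deps = packages[path].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, depName);
      if (resolved) stack.push(resolved);
    }
  }
  seen.delete(start); // report only what the package brings with it
  const closure = [...seen].sort();
  const missingIntegrity = closure.filter((p) => !packages[p].integrity);
  return { closure, missingIntegrity };
}

// Compare the two candidates side by side, as a reviewer of the swap would.
for (const name of ["old-lib", "new-lib"]) {
  const { closure, missingIntegrity } = auditDependency(SAMPLE_LOCK, name);
  console.log(`${name}: ${closure.length} transitive package(s), ${missingIntegrity.length} without integrity`);
  for (const p of missingIntegrity) console.log(`  unverifiable: ${p}`);
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Walking the lockfile rather than `package.json` matters because only the lockfile records the nested duplicates and the `integrity` fields that a reproducible, verifiable install depends on.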
Sorry folks for the delay! I literally became a father since my last comment 🤣 Fixed the import to
Approving the workflow. All tests pass ❤️ @wojtekmaj oh wow! Huge congratulations! You shouldn't be worried about this PR now, go enjoy the perks of fatherhood! :D
Whoaaa Huge congrats @wojtekmaj!! 🔥🎉🎉🎉
No worries, he's asleep 🤣 GOTTA HUSTLE
Now THAT is a cute one! 👶 We gotta work on creating him a
Imagine GitHub signup doesn't allow today's date 🥲 Someone make a petition
Register your kid's account with a birthday 20 years ago and in a few years time he can update it. 😉
@nelsonic i believe we're waiting for your approval 👀👀
@PuruVJ thanks for drawing our attention to the bloat https://x.com/passle_/status/1810805530706792930 ... 🤦♂️ I'm all for modularity and re-use. But c'mon ... 🤷♂️ Anyway ... 🙊
Thanks again for the PR @wojtekmaj and congrats! 👶 ❤️
@PuruVJ good work on keeping neotraverse low dependency. 🥇
Forking is part of Open Source. 👌
@LuchoTurtle over to you to create the new release and publish to NPM. 📦
Given that neotraverse is a drop-in-replacement with no (test) breaking changes, it prob doesn't need a major version just a minor; e.g: 6.0.4 -> 6.1.0? but up to you. 💭
Sorry for spamming you the last time, but I just gotta say, this discussion was just THE NICEST. It belongs to an Open Source Museum once someone establishes one.
Thank you all!! Excited to see gigabytes drop across entire internet thanks to this change 😄