Why does tsup bundle devDependencies instead of dependencies?

[is-jonreeves]

If I use frontend projects as an example, dependencies are usually the deps that are expected to be bundled into the production distributable, and devDependencies are the ones that are only used during development or as part of the build process/tooling.

Node/NPM docs state:

"dependencies": Packages required by your application in production.
"devDependencies": Packages that are only needed for local development and testing.

And scanners like Snyk tend to call out vulnerabilities in dependencies as impacting, but those in devDependencies as not.

When using tsup I'm using it to as a bundler to "build for production", so I would expect it to produce a package/module for use in another project that includes any dependencies and none of the peerDependencies or devDependencies.

For example, if I'm building a...

1. UI Component/Library that needs a lodash function, then I would expect that to be in dependencies and it would be bundled
2. API SDK using buf I would want the @bufbuild/buf runtime as in dependencies and would expect it to be part of the published bundle

Additionally, things like typescript, tsup, eslint are all in devDependencies and I wouldn't want those being accidentally bundled.

As you can probably tell, I found the default behavior of tsup a bit backwards, but perhaps I'm misunderstanding something about deps? Or maybe I'm missing a setting somewhere?

Any clarity would be appreciated

[is-jonreeves]

I was combing through the issues and I think I may have found the answer here:

think of it like this:

tsup bundles everything you imported by default, just like parcel or webpack, but "dependencies" and "peerDependencies" are externalized because they are available at runtime, since you usually use tsup to publish a library, whose "dependencies" will be downloaded when user installs your library.

I guess I understand this in the context of a "development asset" specifically published as an "npm package" that is going to be used in a dev environment and then bundled again as part of another build step. But it doesn't really make sense if the package/module is designed to be published itself as a runtime asset.

How would you build your output for publishing to CDN, it didn't look like there was a way to customize this behavior. Is that still the case?