by blobs 2452 days ago
Totally second this. I see novice web developers writing in TypeScript in an effort to be more type safe and at the same time using hundreds of npm packages that are often written by amateurs who make basic mistakes.

Just take an average startup's web project node_modules directory, what's inside there? Hundreds and hundreds of packages, most of which are dependencies of other packages. Anyone could have written it! Novice devs swear by using TypeScript, but at the same time use hundreds of black boxes that can easily contain stuff way more damaging than a string applied to a number.

Remember left-pad? That was an easy one to fix, but still caused damage at large scale. What about a vulnerability in a larger and more complex package, owned by some bad party?


For me the biggest problem is webpack. Do you know an alternative bundler with fewer dependencies and TypeScript support? I already use webpack without the webpack-cli package in most of my projects in order to avoid the extra dependencies.

I'm currently investigating rollup because it only has 3 dependencies (2 of which are @types)

I'm trying to use Vue in a secure web app, and Webpack is a nightmare. I have to trust hundreds of dependencies to use it at all. Trying to avoid this and use some other method of compiling multiple .vue single-file components into a larger single js file is proving tricky (to say the least). How did the JS ecosystem end up in this situation?
I recommend rollup for libraries and parcel for web apps.
I'll 2nd the rollup recommendation for libraries, but unfortunately parcel has the same (or worse) problems as Webpack with its proliferation of dependencies.

Rollup does have some issues with webapps since it's so heavily oriented toward JS-as-entrypoint, but tbh Webpack has the same issues; it just works around them by layering some extra complexity on top in the form of plugins (which you can actually do relatively easily in rollup too, though it's still not ideal in either situation).

Edit: Just measured those dependencies for comparison.

- rollup: 3 dependencies (all top-level, none have subdependencies. 2 are just typings which contain no executable code)

- webpack: 425 dependencies (23 top-level)

- parcel: 837 dependencies (57 top-level)

I haven't used parcel, so can't comment on its function. By the sounds of their website they're focused on speed, so if performance is your only concern they might be a good shout. If you're looking to reduce your security surface area, their approach to dependency management seems pretty irresponsible.
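The dependency counts above were measured by hand. As an added example (not code from anyone in this thread, and not part of any bundler project), here is a small Node script that produces the same kind of numbers from a lockfileVersion 2/3 package-lock.json: how many direct dependencies the project declares, how many packages are actually installed, how many of those are typings-only, and how many packages each direct dependency pulls in on its own. The lockfile embedded below is constructed for illustration and its package names are made up.

```javascript
// Added example, not from the thread above. Measures how many packages a project
// really trusts, from a lockfileVersion 2/3 package-lock.json "packages" map.
// SAMPLE_LOCK is a constructed lockfile with made-up package names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { bundler: "1.0.0", "tiny-lib": "2.0.0" },
      devDependencies: { "@types/node": "18.0.0" },
    },
    "node_modules/bundler": { version: "1.0.0", dependencies: { "loader-a": "^1", "shared-util": "^1" } },
    "node_modules/loader-a": { version: "1.0.0", dependencies: { "shared-util": "^2" } },
    // nested copy: loader-a needs a different major of shared-util than bundler does
    "node_modules/loader-a/node_modules/shared-util": { version: "2.0.0" },
    "node_modules/shared-util": { version: "1.0.0" },
    "node_modules/tiny-lib": { version: "2.0.0" },
    "node_modules/@types/node": { version: "18.0.0" },
  },
};

// Reduce an install path to its package name ("node_modules/@s/x" -> "@s/x",
// "node_modules/a/node_modules/b" -> "b").
function packageName(installPath) {
  const idx = installPath.lastIndexOf("node_modules/");
  return installPath.slice(idx + "node_modules/".length);
}

// Mimic Node's resolution: look for the dependency nested under the requiring
// package first, then walk up toward the root node_modules.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed at all (e.g. a skipped optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk of the dependency graph from one install path.
// Returns the set of install paths reached, including the start.
function reachable(packages, startPath) {
  const seen = new Set([startPath]);
  const stack = [startPath];
  while (stack.length) {
    const cur = stack.pop();
    const deps = packages[cur].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, cur, dep);
      if (target && !seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  return seen;
}

function auditLock(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const installs = Object.keys(packages).filter((p) => p !== "");
  const names = new Set(installs.map(packageName));
  const perDirect = {};
  for (const name of Object.keys(direct)) {
    const start = resolve(packages, "", name);
    perDirect[name] = start ? reachable(packages, start).size : 0;
  }
  return {
    direct: Object.keys(direct).length,
    installed: installs.length, // copies on disk, nested duplicates counted
    distinct: names.size, // unique package names
    typesOnly: [...names].filter((n) => n.startsWith("@types/")).length,
    perDirect, // packages reachable from each direct dependency (itself included)
  };
}

const report = auditLock(SAMPLE_LOCK);
console.log(report);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. Only the v2/v3 `packages` map is handled; a lockfileVersion 1 file nests a different `dependencies` tree and would need its own walker. The `perDirect` figures are the useful part for the discussion above: they show which one of the "23 top-level" dependencies is responsible for most of the "425", which is where to spend review effort. `npm ls --all` prints the same tree interactively but does not summarise it.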

Yeah I actually didn't realize parcel had so many dependencies. I chose it over webpack not for speed but because it's highly opinionated and requires essentially zero config.

So I guess I’ll change my suggestion and say just use rollup

Parcel has 57 dependencies... (not even counting transient dependencies)

That sort of defeats the purpose of switching from webpack.

And for libraries: Why do you even need a bundler? Can you not distribute the library as multiple files?

Yeah I made some incorrect assumptions about the nature of parcel, foolish mistake on my part.

For your other question it depends on your library. If you’re only targeting ESM or CJS sure, if you need a UMD or want separate outputs for separate targets a bundler like rollup can help prevent a lot of pointless boilerplate.

Isn't parcel a front-end for webpack?