by morbicer 556 days ago
This would be an idea worth considering if you didn't pick Babel, which will drag half of the universe with it: https://bundlephobia.com/package/babel-core

Use raw esbuild or swc; or be hassle-free with Vite... or something else less cursed. I am grateful for Babel, it opened up JS development to new syntax, but it's a beast from past times. (The same applies to webpack.)

Transitive dependencies of those are exactly the thing Dependabot will nag you about day and night.


> babel which will drag half of the universe with it

Why should I care about 500KiB of development dependencies? They won't end up inside the build anyway. I don't see any value in Vite or any other build tool, since I know how to write the webpack config I need in 3 minutes, and it has been the same process for almost 10 years now: just npx webpack init, adjust the config slightly and never touch it again. There is no option which is too complex or hard to grasp, just the typical output/input/modules/plugins, and you never need to update it without a good reason to. Dependabot nagging alone is never a good reason to start manically updating your build dependencies.

In an enterprise environment you need to manically update to meet the security compliance SLAs, because those dependencies are a source of non-stop CVEs. It's mostly bunk CVEs, but that's out of your control.

No, you only need to update when there is an actual CVE which is a real concern, which is fairly rare for development dependencies. For instance, webpack had only two in its 12-year history, with one being severe. Babel had practically zero (except 1 indirect critical traverse package CVE last year). Vite, which you're proposing, had 7 total and 3 severe in 4 years. Think this through: non-stop CVEs, really?

Webpack itself might be fine, but everything that Babel brings, plus the webpack plugins, is the source of pain.

CVEs aside, core-js is a liability in itself. Sad personal story, sad that the world still thanklessly depends on it.