pedestal

2024-08-07T22:42:10.814559Z

The Pedestal "Getting started" (http://pedestal.io/pedestal/0.7/guides/hello-world.html) includes, according to clj -X:deps tree, a bunch of websocket stuff which looks unnecessary to my plans. Can I safely exclude jetty-jakarta-websocket-api, ring-websocket-protocols, websocket-core-client, websocket-core-common, websocket-core-server, websocket-jakarta-client, websocket-jakarta-common, websocket-jakarta-server, websocket-servlet?

souenzzo 2024-08-08T10:35:02.100289Z

Unless the size of the jar is very important to you, these dependencies will not slow anything down or get in the way of anything. Tools like GraalVM native-image are smart enough to find classes that are not in use and discard them.

2024-08-09T15:45:46.006319Z

One of the OWASP Top 10 risks is "Vulnerable and Outdated Components" and the very topmost recommendation to mitigate it is "Remove unused dependencies". Interesting about Graal. I hope that won't be necessary.

hlship 2024-08-09T18:45:36.336479Z

This is somewhat of a side-effect of building in an engine-agnostic way to specify web socket handlers (part of 0.7); but (most likely) you can remove many of the dependencies beyond jetty-jakarta-websocket-api.

hlship 2024-08-09T18:45:42.333509Z

I haven't experimented with this.