shadow-cljs

souenzzo 2025-10-02T16:39:12.402349Z

Hello. During the lein run -m shadow.cljs.devtools.cli release app, shadow internally runs this:
running: npm install --save --save-exact @js-joda/core@3.2.0
How do I know which dependency does this? Where does this js-joda come from? Is it a hook? A deps.cljs file?

thheller 2025-10-02T16:50:11.076569Z

yes, it's from a deps.cljs file from a dependency. you can prevent this install by either already having the dependency in your package.json or setting :npm-deps {:install false} in your shadow-cljs.edn top-level (not build config)

👍 1
thheller 2025-10-02T16:50:55.101019Z

you can find out what that is from via npx shadow-cljs clj-repl and then (shadow.cljs.devtools.server.npm-deps/get-deps-from-classpath)

❤️ 1
thheller 2025-10-02T16:51:28.195349Z

just raw data, but should be enough to figure it out. will contain a :url to the jar containing it

souenzzo 2025-10-02T17:19:02.747729Z

do we have any shadow-cljs install-deps command?

thheller 2025-10-02T17:36:06.120639Z

not currently, no

🆗 1
souenzzo 2025-10-02T17:36:46.940379Z

thanks for the library and support

2025-10-02T22:06:51.755629Z

Is "npm install" the command that installs malicious versions of everything, stuffed into NPM by malignant malefactors? Is there an "npm ci" version that Shadow could use? I would like the "batteries included" service from Shadow, but only to the extent of getting the exact same batteries Shadow was tested with?

thheller 2025-10-03T06:41:22.103339Z

npm ci only works if you already have a lockfile, which you only get by doing npm install first. so that is not an option. not sure what you mean by "shadow was tested with". I can't possibly test all npm packages, so there is no such thing as knowing what's good or bad. It just installs whatever your dependencies demand, so you'll have to manage those carefully yourself.