Hello
During the lein run -m shadow.cljs.devtools.cli release app, shadow internally runs this:
running: npm install --save --save-exact @js-joda/core@3.2.0
How do I know which dependency does this?
Where does this js-joda come from? Is it a hook? A deps.cljs file?
yes, it's from a deps.cljs file from a dependency. you can prevent this install by either already having the dependency in your package.json or setting :npm-deps {:install false} in your shadow-cljs.edn top-level (not build config)
you can find out what that is from via npx shadow-cljs clj-repl and then (shadow.cljs.devtools.server.npm-deps/get-deps-from-classpath)
just raw data, but should be enough to figure it out. will contain a :url to the jar containing it
do we have any shadow-cljs install-deps command?
not currently no
thanks for the library and support
Is "npm install" the command that installs malicious versions of everything, stuffed into NPM by malignant malefactors? Is there an "npm ci" version that Shadow could use? I would like the "batteries included" service from Shadow, but only to the extent of getting the exact same batteries Shadow was tested with?
npm ci only works if you already have a lockfile, which you only get by doing npm install first. so that is not an option. not sure what you mean by "shadow was tested with". I can't possibly test all npm packages, so there is no such thing as knowing what's good or bad. It just installs whatever your dependencies demand, so you'll have to manage those carefully yourself.