chore: netlify-cli package install-size analysis

[iChenLei]

TL;DR

Too many big-size binary npm package in dependencies list, so netlify-cli's install size is very huge.

List all netlify-cli(v6.8.6) deps

package	install-size	semver
@netlify/build		^18.7.4
@netlify/config		^15.5.1
@netlify/framework-info		^5.9.1
@netlify/local-functions-proxy		^1.1.1
@netlify/plugin-edge-handlers		^1.11.22
@netlify/plugins-list		^3.6.0
@netlify/routing-local-proxy		^0.31.0
@netlify/zip-it-and-ship-it		4.20.0
@oclif/command		^1.6.1
@oclif/config		^1.15.1
@oclif/errors		^1.3.4
@oclif/parser		^3.8.4
@oclif/plugin-help		^3.0.0
@oclif/plugin-not-found		^1.1.4
@oclif/plugin-plugins		^1.9.3
@octokit/rest		^18.0.0
@sindresorhus/slugify		^1.1.0
@ungap/from-entries		^0.2.1
ansi-styles		^5.0.0
ascii-table		0.0.9
backoff		^2.5.0
better-opn		^2.1.1
body-parser		^1.19.0
boxen		^5.0.0
chalk		^4.0.0
chokidar		^3.0.2
ci-info		^3.0.0
clean-deep		^3.0.2
cli-ux		^5.5.1
concordance		^5.0.0
configstore		^5.0.0
content-type		^1.0.4
cookie		^0.4.0
copy-template-dir		^1.4.0
debug		^4.1.1
decache		^4.6.0
del		^6.0.0
dot-prop		^6.0.0
dotenv		^10.0.0
env-paths		^2.2.0
envinfo		^7.3.1
execa		^5.0.0
express		^4.17.1
express-logging		^1.1.1
filter-obj		^2.0.1
find-up		^5.0.0
flush-write-stream		^2.0.0
folder-walker		^3.2.0
from2-array		^0.0.4
fuzzy		^0.1.3
get-port		^5.1.0
gh-release-fetch		^2.0.0
git-repo-info		^2.1.0
gitconfiglocal		^2.1.0
hasbin		^1.2.3
hasha		^5.2.2
http-proxy		^1.18.0
http-proxy-middleware		^1.0.0
https-proxy-agent		^5.0.0
inquirer		^6.5.1
inquirer-autocomplete-prompt		^1.0.1
is-docker		^2.0.0
is-plain-obj		^3.0.0
isexe		^2.0.0
jwt-decode		^3.0.0
lambda-local		^2.0.0
listr		^0.14.3
locate-path		^6.0.0
lodash		^4.17.20
log-symbols		^4.0.0
make-dir		^3.0.0
memoize-one		^5.2.1
minimist		^1.2.5
multiparty		^4.2.1
netlify		^8.0.0
netlify-headers-parser		^4.0.1
netlify-redirect-parser		^11.0.2
netlify-redirector		^0.2.1
node-fetch		^2.6.0
node-version-alias		^1.0.1
oclif-plugin-completion		^0.6.0
omit.js		^2.0.2
open		^7.0.0
ora		^5.0.0
p-event		^4.2.0
p-filter		^2.1.0
p-map		^4.0.0
p-wait-for		^3.0.0
parallel-transform		^1.2.0
parse-github-url		^1.0.2
parse-gitignore		^1.0.1
path-exists		^4.0.0
path-key		^3.1.1
path-type		^4.0.0
prettyjson		^1.2.1
pump		^3.0.0
raw-body		^2.4.1
resolve		^1.12.0
semver		^7.3.4
source-map-support		^0.5.19
static-server		^2.2.1
strip-ansi-control-characters		^2.0.0
tempy		^1.0.0
through2-filter		^3.0.0
through2-map		^3.0.0
to-readable-stream		^2.1.0
toml		^3.0.0
update-notifier		^5.0.0
uuid		^8.0.0
wait-port		^0.2.2
winston		^3.2.1
write-file-atomic		^3.0.0

As Business Competitors, vercel's cli install size is:

package	install-size
vercel

vercel cli is only 81mb, and netlify cli is 330mb+. .....

What a crazy big install-size ! That's why netlify user complained about this issue. #494 [Huge increase in install size]. The core issue is netlify-cli rely on some binary npm package which size is too big. For example, @netlify/routing-local-proxy -> . This binary file size is more than ~50mb. Replace lodash with lodash/fp or lodash.xx is not useful for reduce package install-size, beacuse it's only ~1.3mb.

Alternative solution

Rewriten netlify-cli in golang, I think these binary netlify private package is also writen in golang, and then pack it as npm package, distribute it via npmjs.org. So netlify user only need install a single platform-specific golang binary file. I know this is impossiable, rewriten is a huge work and stop the cli iteration.

So how about developer experience ? sorry, nobody cares.

cc @erezrokah @ehmicky

[ehmicky]

Hi @iChenLei,

Thanks for reporting this issue.

Netlify CLI has lots of features and therefore lots of dependencies. I do agree though that we should strive for a smaller package size. I also agree that 330MB is a lot.

However, the developer experience is mostly only impacted by how long it takes to run npm install netlify-cli, which is rather minor IMHO.

Also, this is not an easy fix. As your correctly pointed out with the long table, the total installation size does not come so much from specific dependencies than from the number of dependencies we use. However, most of those dependencies are providing Netlify CLI with essential features.

One potential action item i could see would be to make @netlify/plugin-edge-handlers optional, which is something we've been discussing.

Happy to hear what @erezrokah also thinks about this. 🤔

[iChenLei]

Thanks for reply, @netlify/plugin-edge-handlers | @netlify/routing-local-proxy | @netlify/zip-it-and-ship-it | @netlify/build , I'm curious why these package install-size is so huge. It looks like same with esbuild(writen in golang, and compile different platform-specific binary artifacts ?).

[iChenLei]

Anyway, I'm just making a fuss . Skip it , and continue your great work for netlify-cli. Thanks

[xmedeko]

I just need to deploy a small static site (a few kB). If would be nice to have some lite version of netlify-cli for netlify API calls like init, deploy, etc. (i.e. without dev server and others).

[jtojnar]

Switching to https://gitlab.com/lepovirta/netlify-deployer made the deploys by CI significantly faster for me.

[XhmikosR]

@ehmicky Like I mentioned in #494, this is NOT only an issue of package size.

It's a fundamental security issue: you make all of the people who consume netlify-cli trust 1300+ packages and hundreds of different developers!

• https://npm.anvaka.com/#/view/2d/netlify-cli

The supply chain attacks are real, and the only solution is to reduce the packages you depend on. If you do that, then size and install time will also improve.

Also, the disk churn is serious with each netlify-cli release:

C:\Users\xmr\Desktop>node -v && npm -v
v16.13.1
8.1.2

C:\Users\xmr\Desktop>npm i -g netlify-cli
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated rollup-plugin-inject@3.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated node-pre-gyp@0.13.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future

added 1374 packages, and audited 1375 packages in 47s

108 packages are looking for funding
  run `npm fund` for details

16 vulnerabilities (9 moderate, 7 high)

The above is with a clean npm cache on my Windows 10 VM, which admittedly might be a little on the slow side, but you get my point.

Size is one important factor. Disk churn another. Install time is also important. Security is the most important, though.

EDIT: heck, packagephobia has trouble showing results anymore for netlify-cli...

[erezrokah]

Thanks for the additional context @XhmikosR.

I agree the security aspect is more important than the package size.

We've recently dropped oclif from the codebase which helped and are also in the process of converting the codebase to ES Modules so we can upgrade our dependencies to latest versions.

As for the npm audit results - unfortunately they are not very helpful as they contain too much noise. It's hard to know which of the reported vulnerabilities are actually exploitable in the context of the CLI.
There's more about that here and here.

We use a shrinkwrap file, which means once we publish the CLI you'd always get the same dependencies when you install it using npm (with yarn you should use your own lock file).
That pins the dependencies users get when installing the CLI, so they don't implicitly get minor/patch updates due to semver ranges.

We also highly encourage submitting any security issue you find by following our policy.

[XhmikosR]

I've submitted a few PRs the last couple weeks reducing the deps etc.

I've pinpointed the root cause for the biggest size increase in netlify-cli. It comes from multiple typescript versions. See netlify/zip-it-and-ship-it#951 for more info.

This affects quite a few packages that depend on @netlify/zip-it-and-ship-it.

A few wins so far:

• https://arve0.github.io/npm-download-size/#@netlify%2fplugin-edge-handlers@3.0.0
• https://arve0.github.io/npm-download-size/#@netlify%2fplugin-edge-handlers@3.0.3
• https://packagephobia.com/result?p=%40netlify%2Fplugin-edge-handlers%403.0.1%2C%40netlify%2Fplugin-edge-handlers%403.0.3

---

• https://arve0.github.io/npm-download-size/#netlify-cli@8.6.0
• https://arve0.github.io/npm-download-size/#netlify-cli@8.8.2

---

So, with the above zip-it-and-ship-it change I get these results for netlify-cli:

Before: 240 MB (251.943.583 bytes)
After:  188 MB (197.329.508 bytes)
1351 -> 1349 packages

I'm sure we can get this even more down. I have a few more suggestions for later.