feat: properly filter workspace devDependencies in production mode#456

Open
oNaiPs wants to merge 3 commits into CycloneDX:main from oNaiPs:fix/workspace-devdeps-filtering

Conversation


@oNaiPs oNaiPs commented Jan 16, 2026

Description

Fixes an issue where devDependencies declared in workspace packages were not being filtered out when using the --prod flag in monorepo setups. This resulted in devDependencies incorrectly appearing in production SBOMs.

The fix adds proper tracking of workspace package devDependencies and filters them during dependency traversal when omitDevDependencies is enabled.

Changes:

  • Added gatherWorkspaceDevDependencies() method to collect devDeps from all workspace packages
  • Modified getDeps() to filter out devDependencies of workspace packages when in production mode
  • Added comprehensive test coverage with workspace-devdeps testbed
  • Verified fix: production SBOM now correctly shows 10 components (prod deps only) vs 405 components (all deps)

Resolves or fixes issue: #256

AI Tool Disclosure

  • My contribution includes AI-generated content, as disclosed below:
    • AI Tools: Claude Code
    • LLMs and versions: Claude Sonnet 4.5
    • Prompts: Analyzed the issue of workspace devDependencies not being filtered in production mode, designed and implemented the fix in builders.ts, created comprehensive test cases with testbed and snapshots

Affirmation

When using --prod flag in monorepo workspaces, devDependencies declared in workspace packages were not being filtered out correctly. This resulted in devDependencies appearing in production SBOMs.

This fix adds proper tracking of workspace package devDependencies and filters them during dependency traversal when omitDevDependencies is enabled.

Signed-off-by: Jose Luis Pereira <onaips@gmail.com>
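An added worked model of the filtering this PR describes (illustration written for this page, not the plugin's builders.ts): the types, function names and sample monorepo are constructed, and it assumes a resolved workspace package carries its devDependencies merged into its dependency list, so the walk must consult the workspace manifest to know which edges to drop. It goes beyond the page's single set by scoping the skip to the workspace edge that declared the devDependency, so a package that is a devDependency of one workspace but a runtime dependency of another still lands in the production SBOM.

```typescript
// Illustration, not the plugin's code. Assumes (as with Yarn's resolved packages)
// that a workspace package's dependency list already includes its devDependencies.
type Manifest = { dependencies: string[]; devDependencies: string[] }
type Project = {
  workspaces: Record<string, Manifest>   // workspace name -> manifest
  packages: Record<string, string[]>     // resolved package name -> dependency names
}

// Counterpart of the PR's gatherWorkspaceDevDependencies(): which workspace
// declares what as a devDependency, kept per workspace so the check below can be
// scoped to the edge that introduced the devDependency.
function gatherWorkspaceDevDependencies(p: Project): Map<string, Set<string>> {
  const out = new Map<string, Set<string>>()
  for (const [ws, m] of Object.entries(p.workspaces)) out.set(ws, new Set(m.devDependencies))
  return out
}

// Counterpart of the PR's getDeps() filter: depth-first walk from every workspace.
// With omitDevDependencies, an edge workspace -> X is skipped only when that
// workspace lists X as a devDependency; X stays when another workspace or a
// transitive package needs it at runtime.
function collectComponents(p: Project, omitDevDependencies: boolean): string[] {
  const wsDevDeps: Map<string, Set<string>> =
    omitDevDependencies ? gatherWorkspaceDevDependencies(p) : new Map()
  const seen = new Set<string>()
  function walk(from: string): void {
    for (const dep of p.packages[from] ?? []) {
      if (wsDevDeps.get(from)?.has(dep)) continue   // devDependency edge of a workspace
      if (seen.has(dep)) continue
      seen.add(dep)
      walk(dep)
    }
  }
  for (const ws of Object.keys(p.workspaces)) walk(ws)
  return [...seen].sort()
}

// Constructed sample monorepo: jest is a devDependency of app-a but a runtime
// dependency of app-b; chalk is reachable only through jest.
const SAMPLE: Project = {
  workspaces: {
    'app-a': { dependencies: ['lodash'], devDependencies: ['jest'] },
    'app-b': { dependencies: ['jest'], devDependencies: ['eslint'] },
  },
  packages: {
    'app-a': ['lodash', 'jest'], 'app-b': ['jest', 'eslint'],
    lodash: [], jest: ['chalk'], chalk: [], eslint: [],
  },
}
```

Running collectComponents(SAMPLE, true) keeps jest and chalk (needed by app-b) while dropping eslint; with a single workspace that only dev-depends on jest, the production walk yields lodash alone.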
oNaiPs force-pushed the fix/workspace-devdeps-filtering branch from 991e16b to c33b224 on January 16, 2026 12:45
oNaiPs changed the title from "fix(core): properly filter workspace devDependencies in production mode" to "feat: properly filter workspace devDependencies in production mode" on Jan 16, 2026
oNaiPs marked this pull request as ready for review on January 16, 2026 12:46
oNaiPs requested a review from a team as a code owner on January 16, 2026 12:46
@jkowalleck (Member) commented

@Llois41 May I ask you for a review and test regarding #256?

Copilot AI left a comment


Pull request overview

This PR fixes an issue where devDependencies declared in workspace packages were not being filtered out when using the --prod flag in monorepo setups, causing them to incorrectly appear in production SBOMs.

Changes:

  • Added gatherWorkspaceDevDependencies() method to collect devDependencies from all workspace packages
  • Modified getDeps() to filter out workspace package devDependencies when in production mode
  • Added comprehensive test coverage with new workspace-devdeps testbed and snapshots

Reviewed changes

Copilot reviewed 9 out of 12 changed files in this pull request and generated 3 comments.

File                                               | Description
-------------------------------------------------- | ----------------------------------------------------------------------------------------------
src/builders.ts                                    | Implements core logic for gathering and filtering workspace devDependencies in production mode
tests/integration/index.test.js                    | Adds new workspace-devdeps test setup to test suite
tests/_data/testbeds/workspace-devdeps/*           | Creates comprehensive test fixture with monorepo structure and dependencies
tests/_data/snapshots/prod-arg_workspace-devdeps.* | Adds expected test output snapshots showing only production dependencies


src/builders.ts (review comment anchored on these lines):

    if (pkg.reference.startsWith('workspace:')) {
      const devDeps = new Set<string>()
      for (const depIdent of workspace.manifest.devDependencies.keys()) {
        devDeps.add(depIdent)
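Review bot: the set collects devDependency idents from every workspace into one flat collection, so if the later comparison against depDesc.identHash is applied to every traversed edge, a package that is a devDependency of one workspace but a regular dependency of another workspace (or of a transitive package) would be dropped from the production SBOM, leaving it incomplete. Suggest keying the gathered devDependencies by the declaring workspace (or restricting the skip to edges whose origin is that workspace) so only the devDependency edge itself is filtered, and adding a testbed case where the same package is declared both ways across two workspaces.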
Copilot AI Jan 16, 2026


The depIdent being added to the Set is an IdentHash (from workspace.manifest.devDependencies.keys()), but later in line 384 it's compared with depDesc.identHash. While this works, the variable should be named consistently (e.g., devDeps.add(depIdentHash)) or the type should be clarified to avoid confusion. The Set should store identHash values, not depIdent keys directly.

@jkowalleck (Member) commented

@oNaiPs I see you've used AI/vibe coding. How was the process? Was anything missing? Did the AI suggest adding any helper files along the way that could be beneficial for further AI assistance?


Successfully merging this pull request may close these issues.

[BUG] --prod flag includes devDependencies of workspace packages in module's dependencies list

3 participants