Tags: webpack, nrwl-nx, dependabot

Can webpack determine if devDependencies are used when creating a production bundle?


tl;dr:

Is there a way to configure webpack (out-of-the-box or via some plugin?) to flag/raise a warning if the code getting bundled (for a production bundle) requires / imports any dev dependencies (either directly via devDependencies, or indirectly via dev: true in package-lock.json)?

Context

We are configuring dependabot to only scan packages declared in dependencies (this is achievable by using dependabot's allow config option).

However, in order for this to be a reliable security process (as we are relying on dependabot's security vulnerability scanning), we need to have an automated process that ensures packages are correctly placed either in dependencies or devDependencies. One way to do this would be to have webpack emit a warning if any bundled code includes a devDependency.

Some further potentially relevant info:

This is for a monorepo managed by nx with


Solution

  • No. There is no Webpack plugin that can do this for you. There are some other dependency graph traversal modules/CLI tools that can generate these stats. depcheck is one such module that I often use.

    It can tell you about unused and missing modules, but not exactly what you seek. In general, it is hard to find that out. It may happen that what you declared as a devDependency may also be an actual dependency for some transitive package. Also, mandatory peer dependencies are also declared as dev dependencies, which further complicates things. Finally, you may also have scripts which are meant only for development purposes, and in those scripts you may also import those dev dependencies.