
@sencha/cmd-linux-64


Productivity and performance optimization tool for building applications with Sencha Ext JS

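const fs = require('fs');
const path = require('path');

/**
 * Script to remove the `devDependencies` block from a specific package.json file.
 *
 * This is useful in CI/CD pipelines (e.g., TeamCity) to prevent false-positive
 * vulnerability reports that may arise from development-only dependencies
 * listed in transitive packages like `esprima`.
 *
 * Usage:
 *   1. Run with Node after `npm install`:
 *        node clean-dev-dependency.js
 *
 *   2. Optionally modify the call to `removeDevDependencies()` at the bottom to target
 *      any other package under `node_modules`.
 *
 * Example:
 *   removeDevDependencies('./node_modules/esprima/package.json');
 *
 * Notes:
 *   - This modifies files under `node_modules`.
 *   - Should be run after install and before security scans or packaging.
 *   - The script only edits the manifest a scanner reads; it does not change which
 *     code is installed. After it runs, the manifest on disk no longer matches the
 *     published package, so scan results and packaged output describe the edited
 *     tree. Keep the list of targets explicit and reviewed, and record the
 *     suppression alongside the scan configuration so it is not mistaken for a
 *     clean result.
 */

/**
 * Deletes the top-level `devDependencies` key from one package.json and writes the
 * file back, re-serialized with two-space indentation.
 *
 * The file is rewritten only when the key is present. Any failure (unreadable file,
 * invalid JSON, write error) is logged and terminates the process with exit code 1
 * so the CI step fails instead of continuing with an unmodified manifest.
 *
 * @function removeDevDependencies
 * @param {string} packageJsonPath - Relative or absolute path to the target package.json file.
 * @returns {void}
 */
function removeDevDependencies(packageJsonPath) {
  try {
    const resolvedPath = path.resolve(packageJsonPath);
    const rawData = fs.readFileSync(resolvedPath, 'utf-8');
    const packageJson = JSON.parse(rawData);

    // Test for the key itself rather than its truthiness: a manifest carrying
    // `"devDependencies": null` (or another falsy value) still has the block and
    // must not be reported as "not found".
    if (Object.prototype.hasOwnProperty.call(packageJson, 'devDependencies')) {
      delete packageJson.devDependencies;
      fs.writeFileSync(resolvedPath, JSON.stringify(packageJson, null, 2));
      console.log(`devDependencies removed from ${resolvedPath}`);
    } else {
      console.log(`No devDependencies block found in ${resolvedPath}`);
    }
  } catch (err) {
    // Fail the pipeline step: a silent failure here would let the scan run
    // against a manifest the operator believes was cleaned.
    console.error(`Error modifying ${packageJsonPath}: ${err.message}`);
    process.exit(1);
  }
}

// Remove `esprima`'s devDependencies to avoid false positive vulnerability reports from development-only dependencies
removeDevDependencies('./node_modules/esprima/package.json');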