move @graphql-codegen/cli to dev dependencies

draaglom · draaglom · commit 954a5e5c93f3 · 2024-09-11T15:32:21.000+01:00
@graphql-codegen/cli and friends are super useful as tooling, but they also depend on the world: https://npmgraph.js.org/?q=%40shopify%2Fshopify_function Just @graphql-codegen/cli and its transitive dependencies add 211 maintainers to your supply chain: https://npmgraph.js.org/?q=%40graphql-codegen%2Fcli It also creates noise re: CVE spam in a long tail of dependent packages. As far as I can tell, there's no runtime dependency on any of these packages -- so we can freely move them to dev dependencies.
diff --git a/package.json b/package.json
@@ -11,13 +11,15 @@
   "author": "Surma <surma@shopify.com>",
   "license": "Apache-2.0",
   "dependencies": {
-    "@graphql-codegen/cli": "^2.13.7",
-    "@graphql-codegen/typescript": "^2.8.0",
-    "@graphql-codegen/typescript-operations": "^2.5.5",
     "graphql": "^16.6.0",
     "typescript": "^4.8.4"
   },
   "peerDependencies": {
     "javy": "^0.1.0"
+  },
+  "devDependencies": {
+    "@graphql-codegen/cli": "^2.13.7",
+    "@graphql-codegen/typescript": "^2.8.0",
+    "@graphql-codegen/typescript-operations": "^2.5.5"
   }
 }
