Include Hilla dependencies in the default package-lock.json file

[Legioth]

Description of the bug

The initially provided package-lock.json file does not include Hilla dependencies. This slows down node_modules population from 8 seconds to 34 seconds on my fast network connection and probably significantly more on slower connections.

Expected behavior

Expected that all dependencies in the default package.json file are also covered by the default package-lock.json file.

Minimal reproducible example

1. Download a Vaadin 24.4 project with only Flow views from start.vaadin.com
2. Add a src/main/frontend/views/@index.tsx file with some dummy content
3. Run mvn.
4. Shut down after using '...' for frontend package installation is logged but before Frontend dependencies resolved successfully.
5. Run npm ci and notice errors about missing dependencies.

Versions

• Vaadin / Flow version: Vaadin 24.4.0.beta1
• Node version: v18.18.0
• npm version: 10.5.2

[mcollovati]

The package-lock.json file is extracted from the (dev|prod)-bundles, that are currently built without elements that trigger Hilla to be considered.

Is the issue only about development mode, or also production build?
If it is only dev-mode, would it be ok to always have Hilla dependencies in package-lock.json, even for a pure Flow application?

I guess that when using the dev-bundle, it could be fine to have also Hilla packages, but I suppose this should not happen with the production bundle for a pure Flow application.

[knoobie]

If it is only dev-mode, would it be ok to always have Hilla dependencies in package-lock.json, even for a pure Flow application?

Would it also include them in package.json and enforce their visibility to SBOMs? If so: I don't like :)

[Legioth]

Would it also include them in package.json and enforce their visibility to SBOMs?

Those dependencies are currently added on top of the default package.json when it's initially created unless the corresponding Maven dependency has been explicitly excluded. If we change the contents of the default package.json, then those "extra" dependencies would instead be removed from the default if the corresponding Maven dependency is excluded.

[Legioth]

We shouldn't add those dependencies to the default prod bundle since that would just increase the size of the bundle without any benefits. I suspect that adding them only to the dev bundle might cause more problems similar to #18979.

[mcollovati]

So, it looks like we need to have separate pre-compiled dev and prod bundles for Flow / Flow+Hilla, and make Flow unpack the correct resources for the user project, based on the same checks we do to detect if Hilla is used.

[Legioth]

Would it be practical to just have an additional package-lock.json rather than also having an additional bundle that would effectively never be used? Or alternatively change the logic so that package-lock.json is never taken from the bundle but we instead always provide a "full" version of package-lock.json and then let npm i prune any unused dependencies from it the first time it's run.

[mcollovati]

So basically, the current a bundle should only have an additional package-lock.json adapted for Hilla?
I think this is doable, with some maven trick on the platform side, and would require minimal changes on the Flow side.

[Legioth]

That might make sense. Just need to verify that there isn't the same kind of slowdown if the package-lock.json file contains redundant entries that we're seeing when entries are missing.

[vaadin-bot]

This ticket/PR has been released with Vaadin 24.4.0.beta3 and is also targeting the upcoming stable 24.4.0 version.