chore: bump env-paths from 2.2.1 to 4.0.0

Bumps [env-paths](https://github.com/sindresorhus/env-paths) from 2.2.1 to 4.0.0. - [Release notes](https://github.com/sindresorhus/env-paths/releases) - [Commits](https://github.com/sindresorhus/env-paths/compare/v2.2.1...v4.0.0) --- updated-dependencies: - dependency-name: env-paths dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Prune dev dependencies when building release
2026-05-08 13:27:25 +02:00 · 2026-04-01 12:48:12 +00:00 · 2026-03-31 09:07:39 -08:00
3 changed files with 33 additions and 9 deletions
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -85,11 +85,15 @@ EOF
  ) > "$RELEASE_PATH/package.json"
  mv npm-shrinkwrap.json "$RELEASE_PATH"

-  rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
-
  if [ "$KEEP_MODULES" = 1 ]; then
    rsync node_modules/ "$RELEASE_PATH/node_modules"
+    # Remove dev dependencies.
+    pushd "$RELEASE_PATH"
+    npm prune --production
+    popd
  fi
+
+  rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
 }

 bundle_vscode() {
@@ -108,7 +112,9 @@ bundle_vscode() {
  # need it for the npm package.
  rsync_opts+=(--exclude /node)

-  # Exclude Node modules.
+  # Exclude Node modules.  Note that these will already only include production
+  # dependencies, so if we do keep them there is no need to do any
+  # post-processing to remove dev dependencies.
  if [[ $KEEP_MODULES = 0 ]]; then
    rsync_opts+=(--exclude node_modules)
  fi
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
        "argon2": "^0.44.0",
        "compression": "^1.7.4",
        "cookie-parser": "^1.4.6",
-        "env-paths": "^2.2.1",
+        "env-paths": "^4.0.0",
        "express": "^5.0.1",
        "http-proxy": "^1.18.1",
        "httpolyglot": "^0.1.2",
@@ -2316,12 +2316,18 @@
      }
    },
    "node_modules/env-paths": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz",
-      "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-4.0.0.tgz",
+      "integrity": "sha512-pxP8eL2SwwaTRi/KHYwLYXinDs7gL3jxFcBYmEdYfZmZXbaVDvdppd0XBU8qVz03rDfKZMXg1omHCbsJjZrMsw==",
      "license": "MIT",
+      "dependencies": {
+        "is-safe-filename": "^0.1.0"
+      },
      "engines": {
-        "node": ">=6"
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
    "node_modules/es-abstract": {
@@ -3990,6 +3996,18 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
+    "node_modules/is-safe-filename": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/is-safe-filename/-/is-safe-filename-0.1.1.tgz",
+      "integrity": "sha512-4SrR7AdnY11LHfDKTZY1u6Ga3RuxZdl3YKWWShO5iyuG5h8QS4GD2tOb04peBJ5I7pXbR+CGBNEhTcwK+FzN3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/is-set": {
      "version": "2.0.3",
      "resolved": "https://registry.npmjs.org/is-set/-/is-set-2.0.3.tgz",
--- a/package.json
+++ b/package.json
@@ -71,7 +71,7 @@
    "argon2": "^0.44.0",
    "compression": "^1.7.4",
    "cookie-parser": "^1.4.6",
-    "env-paths": "^2.2.1",
+    "env-paths": "^4.0.0",
    "express": "^5.0.1",
    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",