We are evaluating DeepSource, and in the 4 days it’s been active we have used 1GB of data on our Font Awesome NPM repo. Why is DeepSource installing NPM packages to do static analysis?
DeepSource installs your project's third-party dependencies to create a complete AST graph of the entire source code, which is used for inferring references used in your first-party code. Several checks in our Analyzers, including JavaScript, have something to do with external symbols and references. Installing dependencies helps us accurately understand your code and reduces false positives.
Since you're using DeepSource Cloud, the analysis happens on DeepSource's infrastructure, which talks directly to NPM for resolving dependencies. We do not use any of your infrastructure to do this unless you have a private dependency in your package.json that's resolved from a private registry.
Can you expand on what you mean by "used 1GB of data on our Font Awesome NPM repo"? Where do you see this? Are you referencing a self-hosted registry in your package.json?
We use Font Awesome Pro, which uses their NPM repo. You may want to look into caching that stuff like you can with GitHub actions/cache@v3 if you are going to be installing everything.
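What the caching suggestion above looks like in practice, as an added example that is not part of this thread and not DeepSource's or Font Awesome's own configuration: a GitHub Actions job that keeps npm's download cache (`~/.npm`) between runs with actions/cache@v3, keyed on the lockfile hash, and supplies the Font Awesome registry token from a repository secret rather than a value written into the checked-in .npmrc. The secret name FONTAWESOME_NPM_AUTH_TOKEN, the Node version, and the job layout are assumptions.

```yaml
# Added example: npm install with a persistent download cache and a
# secret-backed token for the @fortawesome scoped registry.
# Assumed: a repository secret named FONTAWESOME_NPM_AUTH_TOKEN exists, and
# the committed .npmrc reads
#   @fortawesome:registry=https://npm.fontawesome.com/
#   //npm.fontawesome.com/:_authToken=${FONTAWESOME_NPM_AUTH_TOKEN}
name: ci
on:
  push:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 18   # assumed; use the project's version

      # Restore npm's content-addressable cache. The key changes whenever the
      # lockfile changes; restore-keys lets a run with a changed lockfile start
      # from the most recent cache for this OS instead of from nothing.
      - name: Cache npm downloads
        uses: actions/cache@v3
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-

      # npm expands ${FONTAWESOME_NPM_AUTH_TOKEN} in .npmrc from the
      # environment, so the variable must be set on the step that runs npm.
      # Tarballs already present in ~/.npm are served from the cache instead
      # of being fetched from npm.fontawesome.com again.
      - name: Install dependencies
        run: npm ci
        env:
          FONTAWESOME_NPM_AUTH_TOKEN: ${{ secrets.FONTAWESOME_NPM_AUTH_TOKEN }}
```

Two things to check when this is in place: the install step must have the variable set, because recent npm versions abort with "Failed to replace env in config" if an `${VAR}` referenced from .npmrc is undefined, and the cache should show a hit on the exact key in the job log on repeat runs; if every run reports a miss, the key or `path` is wrong and each run will pull the full package set from the registry again, which is the kind of usage jump described in this thread.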
Hi @MichaelM,
We install only selected user dependencies like the ones under @tsconfig namespace to help us get better semantic information about the code being analyzed. The Font Awesome package is something that we do not install from our end.
Can you share the URL of the repository in which you are seeing this happen? I can check through our logs to obtain some more clarity on this.
Here you go
cat .npmrc
@fortawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=<snip>
Hi @MichaelM,
I checked through our logs and could not see any instance where the Font Awesome package or any other npm package is being installed by DeepSource while analyzing your repository.
Can you help me understand how you identified DeepSource as being the cause of this bandwidth usage?
Before activating DeepSource, our usage was effectively zero; our GitHub Actions cache the npm modules, and we don't pull from that repo very often, only if we need an update to the fonts. Within 1 day we had burned ~500MB on that repo.
Hi,
I double-checked our logs again and did not see traces of any dependency being downloaded from npm while analyzing your repository. Also, we do not consider .npmrc files when doing dependency installation, which makes me wonder how a private dependency is being downloaded.
As per the data I have, no DeepSource analysis has been run on your repository in the past day. Can you confirm if there is any change in your npm bandwidth usage during this period when DeepSource did not run?
Apologies for the delay in getting back to you. So it appears that the caching on our GitHub Actions stopped working at about the same time as we enabled DeepSource; I believe I got that fixed this morning. I'm going to give this a little time, and if it looks good I'll re-enable the scans.
Ok, I have re-enabled the scans and our npm usage hasn’t moved. Apologies for the noise, just so odd that the cache went sideways at the same time.