Please can someone clarify what we are allowed to do with respect to bundling 3rd party libraries via a build system such as webpack or rollup?
I have recently seen advice that indicates that:
- 3rd party libraries must be manually included independently of the webpack bundle
- It’s fine to use npm/yarn to include a 3rd party dependency as long as there are clear instructions on how to reproduce the add-on code (i.e.
npm cior similar)
I’m not sure how to best interpret the combination of advice and I’m particularly interested in understanding this soon because I am experimenting with using tree-shaking to massively reduce the amount of 3rd party code that gets bundled into the addon, both to improve security through a reduced attack surface and to reduce the size of the extension package.