electron-packager unexpectedly copies entire package.json into distribution

[jameshfisher]

Preflight Checklist

• I have read the contribution documentation for this project.
• I agree to follow the code of conduct that this project follows, as appropriate.
• I have searched the issue tracker for a bug that matches the one I want to file, without success.

Issue Details

• Electron Packager Version: 15.1.0
• Electron Version: v10.1.3
• Operating System: darwin 19.6.0 (x64)

Expected Behavior

electron-packager creates a distribution with the minimal package.json required for Electron. As far as I know, it only needs to contain the main field. It should not leak private info about my development setup.

Actual Behavior

electron-packager seems to just copy-paste my entire package.json into the distribution. This contains all kind of unnecessary and private info, such as my devDependencies and scripts. These are never accessed at runtime and so should not be distributed.

To Reproduce

A minimal repo here on this branch, but it seems to happen under standard conditions.

Additional Information

Is there a standard way to work around this behavior?

[welcome]

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

[jameshfisher]

So here is my awful hacky workaround. It creates a custom afterPrune callback, which modifies the package.json to only include fields necessary for distribution.

I'm going to leave this issue open, as I don't know whether this is the expected or best way to achieve this. It certainly feels like an ugly way to achieve the behavior that I expected.

#!/usr/bin/env node
const packager = require("electron-packager");
const {readFileSync, writeFileSync} = require('fs');
(async () => {
  const appPaths = await packager({
    dir: '.',
    name: 'MyElectronApp',
    overwrite: true,
    prune: true,
    afterPrune: [(buildPath, electronVersion, platform, arch, callback) => {
      const packageJsonPath = buildPath + '/package.json';
      const devPackageJson = JSON.parse(readFileSync(packageJsonPath));
      const prodPackageJson = Object.fromEntries(['name', 'version', 'main'].map(k => [k, devPackageJson[k]]));
      writeFileSync(packageJsonPath, JSON.stringify(prodPackageJson, null, 2));
      callback();
    }],
  });
  console.log(`Electron app bundles created: ${appPaths.join("\n")}`);
})();

[DenisTis]

So here is my awful hacky workaround. It creates a custom afterPrune callback, which modifies the package.json to only include fields necessary for distribution.

I'm going to leave this issue open, as I don't know whether this is the expected or best way to achieve this. It certainly feels like an ugly way to achieve the behavior that I expected.

#!/usr/bin/env node
const packager = require("electron-packager");
const {readFileSync, writeFileSync} = require('fs');
(async () => {
  const appPaths = await packager({
    dir: '.',
    name: 'MyElectronApp',
    overwrite: true,
    prune: true,
    afterPrune: [(buildPath, electronVersion, platform, arch, callback) => {
      const packageJsonPath = buildPath + '/package.json';
      const devPackageJson = JSON.parse(readFileSync(packageJsonPath));
      const prodPackageJson = Object.fromEntries(['name', 'version', 'main'].map(k => [k, devPackageJson[k]]));
      writeFileSync(packageJsonPath, JSON.stringify(prodPackageJson, null, 2));
      callback();
    }],
  });
  console.log(`Electron app bundles created: ${appPaths.join("\n")}`);
})();

Could you please provide more data on where did you add this?
And which command did you use for the build?