Move @serverless/platform-client-china to peerDependency

[flisboac]

Description

I speak as someone who have never really used @serverless/components directly (I've only used Serverless CLI so far).

This dependency has caused me a lot of problems in the more recent versions of the Serverless CLI. I doubt everyone would have the need to make deployments or automate any services in a Chinese region, yet this dependency is hardwired to the Components library (it's a library, right? Sorry, I couldn't tell from first glance).

Wouldn't it be better to have it as a peer dependency instead of a hard one? So that those that actually need to deploy to a chinese region would have to explicitly add support as needed.

Additional Data

Two of the problems I've faced:

Having to compile a native library

AFAICT, following serverless@2, on every npm install, NPM tries to download snappy, but there's no binary for Windows. Because of that, it tries to compile it locally with the Visual Studio toolchain. I don't think it's the right thing to force everyone to install Visual Studio for a peer dependency most of the world (i.e. outside China) won't use at all.

Some evidence that @serverless/platform-client-china has part of the guilt. This was taken from a project with nothing but a devDependency on [email protected]:

$ npm ls snappy

`-- [email protected]
  `-- @serverless/[email protected]
    `-- @serverless/[email protected]
      `-- @serverless/[email protected]
        `-- [email protected]
          `-- UNMET OPTIONAL DEPENDENCY [email protected]

Recent CVE's on transitive dependencies

It seems that @serverless/platform-client-china brings a lot of heavy dependencies to the table, that most of the other projects in the Serverless organization do not depend on. I have no idea why you'd need any of them (kafka, socket.io, etc), and frankly, I don't really care, because I'm not in China, neither do I operate any business in China.

Also, being affected by CVE on a transitive dependency of @serverless/components affects all of its users, including the users of the biggest consumer of the library, which is the Serverless CLI (IMHO). And the library's dependency tree is already plenty deep. Wouldn't it be better to reduce the scope, at least in this case?

The most recent CVE was opened some hours ago, following a previous security report/issue of some weeks prior. Granted, this does not concern any Serverless project directly, but I just wanted to point out that the target surface for bugs and attacks is greatly broadened by such a long dependency list. Those not dependent on making any interactions to a Chinese region may be able to mitigate risks by simply not installing any Chinese region support.

Follows some evidence to show that @serverless/components is part of the path to the library affected by the CVE's I linked earlier:

$ npm ls xmlhttprequest-ssl

`-- [email protected]
  `-- @serverless/[email protected]
    `-- @serverless/[email protected]
      `-- @serverless/[email protected]
        `-- [email protected]
          `-- [email protected]
            `-- [email protected]

---

I apologize if what I'm asking is not feasible at all. But if it's possible to transform @serverless/platform-client-china dependency into a peerDependency, I kindly ask for you (the maintainers) to do so.

In any case, thank you very much for making Serverless! It's an amazing tool, and I use it everyday! (Also, please do tell if I can give any help on this specific issue)

[G-Rath]

I would strongly support making @serverless/platform-client-china an optional peer dependency, and am happy to make a PR if folks are open to this change :)

[medikoo]

Note, it'll be solved in v3 release of the Framework with serverless/serverless#9855