
vendor on npm prepare instead of committing to git #7423

Open
rochdev wants to merge 11 commits into master from vendor-on-prepare

Conversation

@rochdev
Member

@rochdev rochdev commented Feb 4, 2026

Please make sure your changes are properly tested!

What does this PR do?

Vendor on npm prepare instead of committing to git.

Motivation

The choice to commit vendored dependencies was to get slightly better install times locally and in CI, and to be able to install from git regardless of package manager. However, these are very small benefits, and the complexity of our CI automation has exploded because of the need to automatically re-vendor after the automation. It also has the downside that every time we touch the bundler config there are dozens of files changed. At this point I don't think the trade-offs are worth it to keep the files in git. Vendoring on prepare makes everything much simpler.

Additional Notes

Only the files outside of vendor/dist need review, everything else is just the dist folder being deleted.

@codecov

codecov bot commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.42%. Comparing base (d5e899b) to head (94ee4de).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #7423   +/-   ##
=======================================
  Coverage   80.42%   80.42%           
=======================================
  Files         732      732           
  Lines       31055    31055           
=======================================
  Hits        24975    24975           
  Misses       6080     6080           

@pr-commenter

pr-commenter bot commented Feb 4, 2026

Benchmarks

Benchmark execution time: 2026-02-05 16:30:28

Comparing candidate commit 94ee4de in PR branch vendor-on-prepare with baseline commit d5e899b in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 230 metrics, 30 unstable metrics.

@github-actions
Contributor

github-actions bot commented Feb 4, 2026

Overall package size

Self size: 4.56 MB
Deduped: 5.4 MB
No deduping: 5.4 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| import-in-the-middle | 2.0.6 | 81.92 kB | 813.08 kB |
| dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 bot commented Feb 4, 2026

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 94ee4de

@rochdev rochdev force-pushed the vendor-on-prepare branch 4 times, most recently from f2d0c36 to cebc30d, February 4, 2026 21:35
@rochdev rochdev marked this pull request as ready for review February 4, 2026 22:17
@rochdev rochdev requested review from a team as code owners February 4, 2026 22:17
Collaborator

@watson watson left a comment


I see we have a problem in .github/workflows/update-3rdparty-licenses.yml, in that it only triggers on updates to the root yarn.lock. This means it didn't trigger on this PR. We need to make sure that it also triggers on changes to the new vendor/package-lock.json. Can you make a change to the action so it runs here as well? And while you're at it, could you make sure it also triggers on changes to .github/vendored-dependencies.csv?

Comment on lines 7 to 8
- reopened
- synchronize
Collaborator


This should be kept. We should trigger workflows again if a PR was reopened or updated.

Member Author


I guess my worry is what if dependabot opens a PR, then a malicious user adds a commit, and then dependabot updates the PR? In that scenario, the PR would be auto-approved by automation without ever validating the changes from the user.

Member Author


This might be an existing problem and out of scope of this PR though, so I can add it back for now.
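The scenario rochdev raises above (a human commit landing on a Dependabot PR before automation re-approves it on `synchronize`) is something an approval job can gate on before it approves anything. The following is an added example, not code from this repository or its workflows; the bot login and the way the commit author list is obtained are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from this repository: refuse to auto-approve a dependency-update PR
# unless every commit on it was authored by the expected bot. A human commit pushed onto
# a Dependabot PR then forces manual review instead of riding the bot's later update.

# Assumed bot login. In a real job the author list would come from
# `git log --format=%an BASE..HEAD` or `gh pr view --json commits` (not exercised here).
TRUSTED_BOT="${TRUSTED_BOT:-dependabot[bot]}"

# all_commits_by_trusted_bot AUTHORS
#   AUTHORS: one commit author per line.
#   Returns 0 only when every non-empty line equals TRUSTED_BOT. An empty list fails too:
#   "no commits seen" must never be read as "all commits trusted".
all_commits_by_trusted_bot() {
  authors="$1"
  [ -n "$authors" ] || { echo "no commits found" >&2; return 1; }
  # -x -F: whole-line, literal match, so the brackets in "dependabot[bot]" are not a regex.
  untrusted=$(printf '%s\n' "$authors" | grep -v -x -F -e "$TRUSTED_BOT" | grep . || true)
  if [ -n "$untrusted" ]; then
    printf 'untrusted commit author(s):\n%s\n' "$untrusted" >&2
    return 1
  fi
  return 0
}

# decide_auto_approve AUTHORS -> prints "approve" or "manual-review"
decide_auto_approve() {
  if all_commits_by_trusted_bot "$1" 2>/dev/null; then
    echo approve
  else
    echo manual-review
  fi
}

# Constructed sample data: a bot-only PR, and one a contributor pushed a commit onto.
PR_ONLY_BOT="dependabot[bot]
dependabot[bot]"
PR_WITH_HUMAN="dependabot[bot]
some-contributor
dependabot[bot]"

printf 'bot-only PR:   %s\n' "$(decide_auto_approve "$PR_ONLY_BOT")"    # approve
printf 'PR with human: %s\n' "$(decide_auto_approve "$PR_WITH_HUMAN")"  # manual-review
```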

Collaborator

@BridgeAR BridgeAR left a comment


The license script is now not picking up the vendored dependencies anymore. We should include those though.

@rochdev
Member Author

rochdev commented Feb 6, 2026

The license script is now not picking up the vendored dependencies anymore. We should include those though.

cc @watson
