We're using BlackDuck from Synopsys in our project to identify the licenses of our used dependencies. There is actually a small issue with Vaadin: when we build the frontend - based on Vaadin Core - in production mode, the package.json is stuffed with a lot more dependencies than we use. And it also includes features from the pro version. Since the detect script for BlackDuck scans this package.json, we get a lot of "false positives".

So is there a way of reducing the package.json to only the required dependencies by creating the build via Vaadin? As far as I could see, the package.json will always be overwritten when starting the build. Of course I can "hack" the package.json afterwards with a script, but this is not the way I'm looking for.

Here is our profile for creating the "production ready" frontend sources:
<profile>
    <id>production-mode</id>
    <build>
        <plugins>
            <plugin>
                <groupId>com.vaadin</groupId>
                <artifactId>vaadin-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>build-frontend</goal>
                        </goals>
                        <phase>compile</phase>
                    </execution>
                </executions>
                <configuration>
                    <productionMode>true</productionMode>
                </configuration>
            </plugin>
        </plugins>
    </build>
</profile>
Thanks for your help in advance!
Update: This response was based on speculation rather than how things actually work.
The dependencies that Vaadin generates into package.json are based on the Java dependencies that are defined through Maven or Gradle. If you want to have all the free components but want to avoid the commercial ones, then you can just change the com.vaadin:vaadin dependency to com.vaadin:vaadin-core. If you want to be even more granular, then you can either exclude the ones you don't want or build your own platform by including only the things you think you need out of the dependencies listed in https://mvnrepository.com/artifact/com.vaadin/vaadin-core/23.0.8.