Introduce `inlinedDependencies` Field in `package.json`

[sxzz]

Summary

Propose a new inlinedDependencies field in package.json as a community convention for explicitly declaring which dependencies are physically inlined into a published tarball — regardless of how they were inlined. This is a purely declarative metadata field, intended to improve ecosystem observability without instructing any package manager to change its behavior.

Background: bundleDependencies Already Exists — But Is Not Enough

npm already supports a bundleDependencies field (also accepted as bundledDependencies). When set, npm pack and npm publish will copy the listed packages from node_modules directly into the tarball.

This is the mechanism behind packages like vite shipping cac — every npm install vite delivers a copy of cac, yet cac's download count reflects none of this. cac has 20M weekly downloads, and the real number is even higher.

However, bundleDependencies has a specific and narrow semantic: "copy from node_modules at pack time." It does not cover the equally common case where a bundler (Rollup, esbuild, webpack, etc.) statically inlines dependency code at build time. Authors using a bundler pipeline cannot accurately use bundleDependencies to describe their inlined deps, because the mechanism is fundamentally different and the version actually bundled may differ from what's in node_modules.

Proposed: inlinedDependencies Field

A new inlinedDependencies field as a community standard for declaring inlined dependencies regardless of how they were inlined. The key distinction:

Field	Mechanism	Who sets it
bundleDependencies	npm pack copies from node_modules	npm (automatically honored)
inlinedDependencies (proposed)	Any method: bundler tree-shaking, manual vendoring, npm pack copy, etc.	Author declares explicitly

inlinedDependencies is purely declarative metadata — it does not instruct any package manager to do anything. It is a signal to tooling and registries that says: "these packages are physically present in my tarball in inlined form."

Proposed field shape (open for discussion)

Option A — string[]

{
  "inlinedDependencies": ["cac", "rollup"]
}

Simple. Exact version must be inferred from dependencies in the same manifest.

Option B — Record<string, string | string[]> (name → exact version or list of versions)

{
  "inlinedDependencies": {
    "cac": "6.7.14",
    "rollup": ["3.29.5", "4.9.1"]
  }
}

More explicit. Allows authors to record the exact version(s) bundled, which may differ from the range declared in dependencies. The value is an array to accommodate the case where a single package ends up bundled in multiple versions within the same tarball — for example, when two independent parts of a build depend on different major versions of the same library.

Both options are on the table. Community input on ergonomics and tooling compatibility is welcome.

Why Not Just Reuse bundleDependencies?

Its semantic is specifically tied to npm pack copying from node_modules. Using it to describe bundler-inlined code would be a misuse of the field and could mislead package managers and tooling that act on it today.

Open Questions

1. Field name: inlinedDependencies? vendoredDependencies? Other suggestions welcome.
2. Field format: string[] vs Record<string, string | string[]>? Are there other shapes worth considering?
3. Author adoption: This field is opt-in, meaning authors can simply ignore it — leaving the ecosystem with incomplete data. Possible paths to drive adoption: proactive outreach to high-download packages known to inline deps, integration with popular bundlers to emit the field automatically from the build module graph, or tarball inspection as a fallback to detect undeclared inlined packages and prompt authors to declare them.
4. Tooling: Should the ecosystem provide a bundler plugin or CLI to auto-generate inlinedDependencies from a build output's module graph, rather than requiring authors to maintain it by hand?

Alternatives Considered

• Reuse bundleDependencies for all cases: already exists, but semantically wrong for bundler-inlined code and risks confusing package managers.
• Rely on tarball inspection alone: technically possible but expensive at scale, and gives authors no explicit, intent-declaring mechanism.
• Do nothing: leaves the ecosystem blind to a significant class of implicit dependency usage.

This is an RFC — all details are open for discussion. Also cross-posted to npmx as a potential consumer of this standard.

[acutmore]

X-posting: npmx-dev/npmx.dev#1736 (comment)

Packages listing the components that were used when they were built sounds like it might have decent overlap with SBOMs

• https://github.com/CycloneDX/cyclonedx-node-npm
• https://ecma-international.org/publications-and-standards/standards/ecma-424/

[sxzz]

Good points — though I'd say these are more complementary than overlapping.

SBOMs are full supply-chain inventories for security auditing and compliance. They're separate documents with their own lifecycle, and realistically most npm authors aren't going to generate and maintain a CycloneDX SBOM just to say "I bundled cac."

inlinedDependencies is a much simpler thing — a declarative field in package.json that registries and tools can consume directly (download count correction, surfacing inlined deps on npmjs.com, etc.). The adoption cost is near zero, especially since bundlers can emit it automatically. Speaking from experience with tsdown/rolldown: we already know exactly which deps get inlined at build time, so writing a package.json field is trivial — generating a proper SBOM is a different story entirely.

Nothing stops the two from coexisting. inlinedDependencies could even feed into SBOM generation as an upstream signal.

[sxzz]

tsdown is ready to adopt this convention. We've implemented automatic inlinedDependencies generation using Option B (Record<string, string | string[]>) — the field is populated from the build's module graph during bundling, so authors don't need to maintain it by hand.

Implementation: rolldown/tsdown#785