Move action to a different package, and call is-my-node-vulnerable API from it.

[trivikr]

Is your feature request related to a problem? Please describe.

The module is-my-node-vulnerable is designed to be a CLI/API as well as GitHub Action.

The consumers of CLI/API need to download GitHub Action specific dependencies, like @actions/core which they don't need
https://github.com/RafaelGSS/is-my-node-vulnerable/blob/050a05a0798054e069bd305e866a84e326bba558/package.json#L30

Describe the solution you'd like

Move action to a different package, and call is-my-node-vulnerable API from it.

Additional context

Discussion on Twitter: https://x.com/trivikram/status/1848096860755435622

[trivikr]

There were some discussions about moving GitHub Actions to it's own package in a different issue
#19 (comment)

[RafaelGSS]

I think we can just move @actions/core to devDependencies and it will work. I'm almost sure the gh action uses only dist/index.js. I think action.js (https://github.com/RafaelGSS/is-my-node-vulnerable/blob/main/action.js) is no longer used.

Could you confirm @UlisesGascon?

[trivikr]

Why do we need to use ncc build for GitHub action?
Can it just be a simple unbundled source code in a separate package?

I tried to reduce duplicate code, and remove GET calls in #29 (comment), but it doesn't seem to work with existing ncc setup without duplicating cache.

[styfle]

Why do we need to use ncc build for GitHub action?

GitHub Actions won’t install dependencies so they recommend bundling and committing the bundled code. In fact, GitHub actions don’t use npm at all, they just reference repos and tags.

[trivikr]

I've to find out how to not copy the cache when running ncc in #29
And later find out if action cache can be used for the same.