On Tuesday, 7 November 2023, 11:07:41 UTC, Yadd wrote:
> On 11/7/23 14:48, Bastien Roucariès wrote:
> > On Tuesday, 7 November 2023, 10:25:04 UTC, Yadd wrote:
> >> On 11/7/23 13:47, Bastien Roucariès wrote:
> >>> Hi,
> >>>
> >>> I believe for a security point of view it is interesting to do dynamic linking of module (aka no packing external module)
> >>>
> >>> I plan to package webpack-node-externals in order to do this
> >>>
> >>> Maybe automagically using this in dh_nodejs will be nice ?
> >>>
> >>> What do you think ?
> >>>
> >>> Updating policy will be also nice
> >>>
> >>> Bastien
> >>
> >> Hi,
> >>
> >> it is not easy to replace rollup builds by webpack-style, then I don't
> >> see a way to automatically use your recommendation inside dh-nodejs.
> >
> > I was thinking to create a webpack wrapper (by changing path before running dh_build) that will capture
> > --config or default config file and apply json patch in order to add
> > externalsPresets: { node: true }, // in order to ignore built-in modules like path, fs, etc.
> > externals: [nodeExternals()], // in order to ignore all modules in node_modules folder
> >
> > Maybe in a first time policy will be sufficient
>
> as a _very partial_ response is implemented in dh-nodejs: when it
> supposes that there is a potential embed of JS library, it creates a
> pkgjs-lock.json file that could permit to detect packages to rebuild in
> case of security issue.

I have just uploaded a few packages using webpack recipes like:

externals : [
    /^(?!([.][/])?src[/]|([.][.]?[/]))/,
],

And webpack does not bundle external package.

It is also nice from a compile time point of view

Will be nice to test further than document

Bastien
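The `externals` pattern quoted in the message above, exercised against module requests to show what stays out of the bundle and what is still embedded. This is an added example, not code from the thread or from dh-nodejs; the helper names and the sample requests are constructed for illustration.

```javascript
"use strict";

// Regular expression quoted in the message, used as the only `externals` entry.
const EXTERNALS = /^(?!([.][/])?src[/]|([.][.]?[/]))/;

// webpack leaves out of the bundle every dependency whose request string
// matches a RegExp entry in `externals`; this mirrors that decision.
function isExternal(request) {
  return EXTERNALS.test(request);
}

// Constructed sample of require()/import requests (not from a real package).
const SAMPLE_REQUESTS = [
  "fs",                                 // Node built-in
  "node:path",                          // Node built-in, prefixed form
  "lodash",                             // bare package name
  "@babel/core",                        // scoped package
  "lodash/fp",                          // subpath of a package
  "/usr/share/nodejs/lodash/index.js",  // absolute path
  "srcset-parser",                      // starts with "src" but not "src/"
  "./util.js",                          // project-relative
  "../shared/a.js",                     // parent-relative
  "src/index.js",                       // project source tree
  "./src/app.js",                       // project source tree
  "../node_modules/left-pad/index.js",  // relative path into node_modules
];

// Split requests into those resolved at run time and those packed in.
function partition(requests) {
  const external = [];
  const bundled = [];
  for (const r of requests) (isExternal(r) ? external : bundled).push(r);
  return { external, bundled };
}

// Audit check: relative paths are always bundled by this pattern, so a
// relative import that reaches into node_modules still embeds a copy of a
// third-party module that a later security rebuild would need to track.
function embeddedThirdParty(requests) {
  return partition(requests).bundled.filter((r) =>
    /(^|[/])node_modules[/]/.test(r)
  );
}

console.log(partition(SAMPLE_REQUESTS));
console.log("still embedded:", embeddedThirdParty(SAMPLE_REQUESTS));
```

Running the same audit over the requests recorded in a real build shows whether any third-party code is still being packed despite the `externals` rule.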