Le mardi 7 novembre 2023, 11:07:41 UTC Yadd a écrit :
> On 11/7/23 14:48, Bastien Roucariès wrote:
> > Le mardi 7 novembre 2023, 10:25:04 UTC Yadd a écrit :
> >> On 11/7/23 13:47, Bastien Roucariès wrote:
> >>> Hi,
> >>>
> >>> I believe for a security point of view it is interesting to do dynamic linking of module (aka no packing external module)
> >>>
> >>> I plan to package webpack-node-externals in order to do this
> >>>
> >>> May be automagically using this in dh_nodejs will be nice ?
> >>>
> >>> What do you think ?
> >>>
> >>> Updating policy will be also nice
> >>>
> >>> Bastien
> >>
> >> Hi,
> >>
> >> it is not easy to replace rollup builds by webpack-style, then I don't
> >> see a way to automatically use your recommendation inside dh-nodejs.
> >
> > I was thinking to create a webpack wrapper (by changing path before running dh_build) that will capture
> > --config or default config file and apply json patch in order to add
> > externalsPresets: { node: true }, // in order to ignore built-in modules like path, fs, etc.
> > externals: [nodeExternals()], // in order to ignore all modules in node_modules folder
> >
> > May be in a first time policy will be suffisant
>
> as a _very partial_ response is implemented in dh-nodejs: when it
> supposes that there is a potential embed fo JS library, it creates a
> pkgjs-lock.json file that could permit to detect packages to rebuild in
> case of security issue.
I have just uploaded a few package using webpack recipes like:
externals : [
/^(?!([.][/])?src[/]|([.][.]?[/]))/,
],
And webpack does not bundle external package.
It is also nice from a compile time point of view
Will be nice to test further than document
Bastien
Attachment:
signature.asc
Description: This is a digitally signed message part.