graphql-js

dead code from `instanceOf.ts` is not tree-shaken for browser due to `globalThis.process`

Open dimaMachina opened this issue 2 years ago • 3 comments

After https://github.com/graphql/graphql-js/pull/3923 and https://github.com/graphql/graphql-js/pull/3501, dead code from instanceOf is no longer tree-shaken for browsers.

@IvanGoncharov wrote

Bundlers incorrectly replace (probably RegExp) process.env.NODE_ENV with "development" resulting in:

```js
(_globalThis$process = globalThis.process) === null ||
_globalThis$process === void 0
  ? void 0
  : _globalThis$"development";
```

but this happens only when using globalThis.process.env.NODE_ENV

dimaMachina, Jun 23 '23 11:06

Any update on this issue? This is a blocker for us to upgrade to newer versions of graphql and there's an advisory for the version we're currently on: https://github.com/advisories/GHSA-9pv7-vfvm-6vr7

vdineva, Sep 28 '23 18:09

Can we get an update on this? This is a security warning caused by this https://github.com/advisories/GHSA-9pv7-vfvm-6vr7

radesai21, Oct 05 '23 17:10

For now you can use something like rollup-plugin-replace or the equivalent in your own bundler to do the following:

```js
{
  // Replacement keys must be ordinary quoted strings, not template literals
  'globalThis.process': JSON.stringify(true),
  'globalThis.process.env.NODE_ENV': JSON.stringify("production"),
}
```

After #4022 you'll be able to look it up in the docs; see the files changed, you can pick and choose your bundler.

JoviDeCroock, May 11 '24 05:05
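Added example, not code from graphql-js or from any bundler: a simulated text-level replace pass showing why the transpiled optional chain quoted in the first post gets mangled, and why replacing the full `globalThis.process` keys from the workaround leaves a constant expression. The `\b`-delimited, longest-key-first matching, the helper names `applyDefines` and `parses`, and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example: a simulated text-level replace ("define") pass.
// ASSUMPTION: keys are matched with a \b-delimited regex, longest key first.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function applyDefines(code, defines) {
  const keys = Object.keys(defines).sort((a, b) => b.length - a.length);
  const pattern = new RegExp(`\\b(${keys.map(escapeRe).join('|')})\\b`, 'g');
  return code.replace(pattern, (_, key) => defines[key]);
}

// Compile without executing; false means the bundle would not even parse.
function parses(code) {
  try {
    new Function(code);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed input: an optional chain on globalThis.process after transpilation.
const transpiled =
  'var _globalThis$process; var isProd = (' +
  '(_globalThis$process = globalThis.process) === null || ' +
  '_globalThis$process === void 0 ? void 0 : ' +
  '_globalThis$process.env.NODE_ENV) === "production";';

// "$" is not a word character, so \b matches between "$" and "process".
const mangled = applyDefines(transpiled, {
  'process.env.NODE_ENV': JSON.stringify('development'),
});

// Constructed input in the shape the workaround's keys target.
const source =
  'var isProd = globalThis.process && ' +
  'globalThis.process.env.NODE_ENV === "production";';
const folded = applyDefines(source, {
  'globalThis.process': JSON.stringify(true),
  'globalThis.process.env.NODE_ENV': JSON.stringify('production'),
});

console.log(parses(mangled), mangled); // mangled no longer parses
console.log(parses(folded), folded);   // constant expression a minifier can fold
```

Running `parses` over the emitted bundle in CI is a cheap way to catch a replacement that has corrupted the output before it ships.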

Hey @dimaMachina #4022 is live in the latest 16.x.x line, does this solve your issue?

JoviDeCroock, Jul 12 '24 07:07