proj4js icon indicating copy to clipboard operation
proj4js copied to clipboard

Published 20 hours ago verified publisher icon proj4js

Don't reference package.json and using module field in package.sjon

Open ChristianStornowski opened this issue 7 years ago • 7 comments

I'm using webpack 3 and bundle dependencies by using es2015 import and export statements. TypeScript is transcompiling everything. Therefore the module field in proj4 package.json will lead webpack to lib/index.js and this uses version.js. My problem is now the version.js which reference to proj4js package.json. Because of this combination webpack is bundling package.json from proj4js for my app. npm 5 added some file system path information at installing proj4js. So i will have a production app with a bundled proj4js package.json with lmy ocal file system path information. In my opinion this is a security issue.

ChristianStornowski avatar Aug 16 '17 20:08 ChristianStornowski

~~The security issue is in Webpack 3, as rollup which we use to build this, and browserify before that don't include the path information~~

I thought we took some steps to make sure the package.json didn't get bundled, will look into this, though @ahocevar and I are both at a conf this week so it might not be until next week

calvinmetcalf avatar Aug 17 '17 13:08 calvinmetcalf

try building with the --optimize-minimize flag

calvinmetcalf avatar Aug 17 '17 13:08 calvinmetcalf

Thanks for helping me. I used this flag and my problem is not solved :-/ Also using -p like in documentation https://webpack.js.org/guides/production/ doesn't work. I found an issue with module field in package.json and webpack 2 https://github.com/webpack/webpack/issues/1979

ChristianStornowski avatar Aug 17 '17 14:08 ChristianStornowski

the issue is that the json loader doesn't support scope hosting, so I opened a pull to try to fix that

calvinmetcalf avatar Aug 17 '17 15:08 calvinmetcalf

you can also try pointing to a prebuild version of proj4, e.g. 'proj4/dist/proj4-src.js'

calvinmetcalf avatar Aug 17 '17 15:08 calvinmetcalf

you can also try pointing to a prebuild version of proj4, e.g. 'proj4/dist/proj4-src.js' I tried this out and this works.

ChristianStornowski avatar Aug 17 '17 15:08 ChristianStornowski

Has there been a fix to this? I'm getting the same issue. Proj4JS ^2.5.0 is in my dependency and using npm 5.6.0.

I'm using webpack 3.6 as well and on build, my resulting dist/static/js/app.js file includes the system file path (I'm using Windows; _where:"C:\\Users\\MyUserName\\path\\to\\application").

I tried using the prebuild version but it made no difference: import proj4 from 'proj4/dist/proj4-src.js'

kngai avatar Sep 19 '18 16:09 kngai