rspack [Bug Report]: Rspack incompatibile with csp-webpack-plugin

System Info

System: OS: macOS 13.3 CPU: (10) arm64 Apple M1 Max Memory: 1.38 GB / 64.00 GB Shell: 5.2.15 - /opt/homebrew/bin/bash Binaries: Node: 18.15.0 - ~/.volta/tools/image/node/18.15.0/bin/node Yarn: 1.22.17 - ~/.volta/tools/image/yarn/1.22.17/bin/yarn npm: 9.5.0 - ~/.volta/tools/image/node/18.15.0/bin/npm Browsers: Chrome: 111.0.5563.146 Edge: 112.0.1722.34 Firefox: 111.0.1 Safari: 16.4 npmPackages: @rspack/cli: ^0.1.6 => 0.1.6

Details

Rspack seems to be incompatible with the @melloware/csp-webpack-plugin package.

It appears to fail on this line:

compiler.hooks.beforeCompile.tapPromise(thisPluginName, async () => {

TypeError: Cannot read properties of undefined (reading 'tapPromise')
    at SubresourceIntegrityPlugin.apply (/Users/robinclowers/src/console/node_modules/webpack-subresource-integrity/index.ts:365:34)
    at CspHtmlWebpackPlugin.apply (/Users/robinclowers/src/console/node_modules/@melloware/csp-webpack-plugin/plugin.js:397:40)
    at createCompiler (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:75:12)
    at create (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:141:20)
    at rspack (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:165:31)
    at RspackCLI.createCompiler (/Users/robinclowers/src/console/node_modules/@rspack/cli/src/rspack-cli.ts:49:26)
    at async Object.handler (/Users/robinclowers/src/console/node_modules/@rspack/cli/src/commands/build.ts:94:22)

Reproduce link

No response

Reproduce Steps

Create an rspack project
Install the csp-webpack-pugin package: npm i -D @melloware/csp-webpack-plugin
Add a minimal CSP:

  plugins: [
    new CspWebpackPlugin(
      {
        "base-uri": ["'self'"],
        "child-src": ["'none'"],
        "upgrade-insecure-requests": "",
      },
    ),
  ],

Try to compile: npm run build

Apr 07 '23 17:04 RobinClowers

Thanks for reporting. Could you add some details about what problem this plugin solves?

We would discuss this issue next week and might need more feedback on this from more persons.

Apr 08 '23 03:04 hyf0

Sub resource integrity. Quite a big one for enterprises with complex compliance requirements.

A simple workaround might by trying to change the hook from tapPromise to tapAsync.

I believe some tappable types are still WIP, even tho hook might exist the tap method may not yet.

Apr 08 '23 23:04 ScriptedAlchemy

Yeah, what @ScriptedAlchemy said, it's a plugin for adding Content Security Policy meta tags to the document head. I just realized I put the wrong package name in the description, I've updated it and included a link to the package. Let me know if there are any more details I can provide, happy to help.

Apr 09 '23 03:04 RobinClowers

Have you tried the sub-resource integrity webpack plugin? It might already be working.

Im pretty sure if you change the plugin code to tapAsync, it would work. Can you edit it in node modules and try tap or tapAsync and let us know what happens?

Apr 09 '23 11:04 ScriptedAlchemy

@ScriptedAlchemy This error actually comes from webpack-subresource-integrity plugin. I tried switching to tapAsync, but the problem is the whole beforeCompile hook is missing.

This is the line where it fails: https://github.com/waysact/webpack-subresource-integrity/blob/914fdd9dd5982b4f52782c55eb6cb33fea5861cc/webpack-subresource-integrity/src/hooks.ts#L65

Apr 10 '23 15:04 RobinClowers

beforeCompile is supported and now is blocked by #3090

May 22 '23 09:05 hardfist

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

Aug 06 '23 04:08 stale[bot]

we also need to support webpack.DefinePlugin, cc @ahabhgk

Aug 10 '23 09:08 hardfist

I just tried with 0.3.8 and it looks like there has been some progress, but unfortunately there are still more compiler hooks that aren't supported that webpack-subresource-integrity relies on:

additionalChunkRuntimeRequirements
localVars
linkPreload
jsonpScript
afterProcessAssets
beforeRuntimeRequirements

Even if these were all supported @melloware/csp-webpack-plugin relies on the HtmlWebpackPlugin to inject the tag, so I assume it would only work if we didn't use the builtin html support of rspack.

I also noticed https://github.com/web-infra-dev/rspack/issues/4381 is tracking webpack-subresource-integrity compatibility directly.

Oct 27 '23 22:10 RobinClowers

Alternatively, are there any plans for an native rspack CSP solution? I'm not married to the setup I have now, but dropping CSP is not an option either.

Oct 27 '23 22:10 RobinClowers

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

Dec 26 '23 22:12 stale[bot]

still blocked by #4381

May 10 '24 16:05 xc2

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

Jul 09 '24 16:07 stale[bot]

bump

Jul 10 '24 02:07 hardfist

bump

Jul 29 '24 07:07 karesztrk

@LingyuCoder can we support this feature in rspackHtmlPlugin?

Sep 05 '24 15:09 hardfist