Menu
I'm worried that, by ommission, modules containing secrets like database passwords or session keys could be included in WebPack or Browserify bundles.
Even if I don't import those modules directly, I could accidentally import them indirectly from the client-side entrypoint module.
Is there a way to blacklist such files so that those bundlers will refuse to bundle them? As willing as one might be to follow best practices that could avoid problems like this, it would be nice to have such a safety net.
822
Chunk: This webpack-specific term is used internally to manage the bundling process. Bundles are composed out of chunks, of which there are several types (e.g. entry and child).
There are four basic concepts in webpack: entry , output , modules and plug-ins . These configurations are added in webpack.
When webpack processes your application, it internally builds a dependency graph from one or more entry points and then combines every module your project needs into one or more bundles, which are static assets to serve your content from.
The Webpack Externals are used to ignore the packages from the application while bundling and adding them as external CDN script references. This article provides a step-by-step introduction to creating a simple react application and configuring the Syncfusion react packages with Externals.
When importing files via loaders, you can choose either to blacklist or whitelist directories through the include and exclude properties. These can be a RegEx or absolute paths.
The following prevents any JavaScript file from being included in the bundle that exists in the ./secret directory.
var path = require('path');
module.exports = {
// Configuration omitted for brevity
module :{
loaders : [
{
test: /\.js$/,
loader: "script",
exclude : path.resolve(__dirname, './secret') // Exclude secret directory
},
{
test: /\.css$/,
loader: "style!css"
}
]
}
};
If you wanted to prevent files from the ./secret directory from being accidentally imported, and only allow files within that contain src you could do the following.
var path = require('path');
var blackList = [ path.resolve(__dirname, './secret') ];
var whiteList = [ /src/ ]; // Allow only directories containing "src"
var config = {
...
/// Webpack configuration
};
// Apply whitelisting and blacklisting for all loaders
config.module.loaders.forEach(function(loader)
{
loader['exclude'] = [...(loader['exclude'] || []), ...blackList];
loader['include'] = [...(loader['include'] || []), ...whiteList];
});
module.exports = config;
The example is a bit complex, but it should give you a good idea how to perform it. In a nutshell, loop though your loaders and append additional includes/excludes as needed.
If you do have confidential data existing in your code base, I suggest providing a type to the filename. For example, if your file was named sqlconnections.js I would rename it to sqlconnections.confidential.js. Then I would add an exclude RegEx pattern of /\.confidential\.js$/ to my loaders. This creates a convention that can be reused across your code base.
166
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
