[eval unsafe] fix build production only!! [urgent]

[salvoravida]

eval( ) problem on production!! csp unsafe

[johannwagner]

Is there a real reason, why you want to use the minified version? If you use a production ready toolchain, your toolchain will include and minify this in your build.

[salvoravida]

no the only reason is that in 3.4.0 the NON min version is a DEV version with eval( ....
and if you are on a server with CSP that does not allow eval unsafe.eval all is broken!!

i think you shoud release in dist/ only PRODUCTION env code, min and non min version

[salvoravida]

https://github.com/krisk/Fuse/blob/master/dist/fuse.js#L114

[johannwagner]

So, your proposed fix is a hotfix and not a correct fix.
You may want to look at #280, where an similar issue is described.

[JCKodel]

StencilJS is complaining about 3.4 (it was not in 3.3). I don't know if it imports dev or production, and I don't really care. For me, just stopped working. [ WARN ] Bundling Warning Use of eval is strongly discouraged, as it poses security risks and may cause issues with minification

…

On Thu, Feb 7, 2019 at 1:15 PM Johann Wagner ***@***.***> wrote: So, your proposed fix is a hotfix and not a correct fix. You may want to look at #280 <#280>, where an similar issue is described. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#283 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAXJyzGB9LiM-A7J_GEdEFBXOnCnNs4iks5vLEMMgaJpZM4anKGY> .

[salvoravida]

i think you are missing the point.
dist/fuse.js is built in DEV MOE and is exported from package JSON -> main: "dist/fuse.js"
dist/fuse.min.js is bult in PROD mode but is NOT exported anyware.

ok?

i'm pushing a FULL fix to webpack.config.js
give me 5 minutes

[johannwagner]

I totally got your point.

I just wanted to point out, that it is not the solution to use the minified version, otherwise you will kill tree shaking for other users. You have to fix the non minifed build, this also should be production ready, because it is in the dist folder.

[salvoravida]

@johannwagner see now. thanks

[krisk]

Thanks for flagging. Broken behavior right now, even with this fix.

Originally, npm build was meant to build both the production (minified) and the development (full) version. Tangentially, #270 was caused by an unfortunate issue with the Webpack version I was using (mea culpa, frankly). Having since upgraded to Webpack 4, yet another problem had surfaced with the configuration. Turns out upgrading wasn't as straightforward. Also, current tests don't cover all cases. Could use some help there though 😄

i think you shoud release in dist/ only PRODUCTION env code, min and non min version

@salvoravida, in principle, sure. However, I think your change added --mode production to both. Note that Webpack v4+ will minify your code by default in production mode. Ergo, I think we still want the following:

"build": "webpack --mode development && webpack --mode production"

As @johannwagner pointed out:

...it is not the solution to use the minified version, otherwise you will kill tree shaking for other users. You have to fix the non minifed build, this also should be production ready, because it is in the dist folder.

To fix the original problem of those pesky evals, we can add devtool: false to webpack.config.js.

Sure, it also marginally slows down build time, but it's a fair trade.

@salvoravida thank you for catching this. It definitely escaped my eyes!

[salvoravida]

thank you ! all is working now!