Reputation: 862
I recently stumbled on what looks like a security issue to me. When I had a look at the main.[...].js file being deployed to my website, I noticed that it included my entire package.json file, which has some scripts I'd rather not have exposed to the world.
This is probably happening because I'm importing the file in order to get the current deployment version and log it with any bug reports. How can I go about getting that version from the package.json file without actually importing the file and exposing it?
Even if I import just the { version } and not the entire file, Webpack still packages the whole thing (which makes me wonder what the point of that even is?).
Thanks for any help!
Upvotes: 0
Views: 228
Reputation: 3322
Tree shaking for JSON files like you need it is a new feature in webpack 4.x.
Here is the ticket:
https://github.com/webpack/webpack/issues/5578
You could write a script to read the version number and write it into its own file before webpack runs and import this one if you have to stay on 3.x, but hopefully create-react-app will update soon. There is already an open pull request here:
https://github.com/facebook/create-react-app/pull/4077
Upvotes: 1
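The pre-build script suggested in the answer above, as an added example that is not part of the original thread: it writes a file holding only the version, and can optionally check a built bundle for package.json script commands. The file name `gen-version.js`, the function names and the sample package data are assumptions made for illustration.

```javascript
// gen-version.js: hypothetical prebuild helper (file and function names are assumptions).

// Build the text of a JSON file that carries the version string and nothing else.
function buildVersionFile(pkgJsonText) {
  const { version } = JSON.parse(pkgJsonText);
  if (typeof version !== "string" || version === "") {
    throw new Error("package.json has no usable version field");
  }
  return JSON.stringify({ version }) + "\n";
}

// Return the names of package.json scripts whose command text appears in a bundle.
function leakedScripts(bundleText, pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return Object.keys(scripts).filter((name) => {
    const raw = String(scripts[name]);
    // An embedded JSON module stores the command with JSON escaping applied.
    const escaped = JSON.stringify(raw).slice(1, -1);
    return bundleText.includes(raw) || bundleText.includes(escaped);
  });
}

// Constructed sample input, not taken from the thread.
const SAMPLE_PKG = JSON.stringify({
  name: "example-app",
  version: "1.4.2",
  scripts: {
    build: "react-scripts build",
    deploy: "scp -r build/ deploy@host.example:/srv/www",
  },
});

// CLI: node gen-version.js <package.json> <out.json> [built-bundle.js]
const args = typeof process !== "undefined" ? process.argv.slice(2) : [];
if (typeof require === "function" && args.length >= 2) {
  const fs = require("fs");
  const [pkgPath, outPath, bundlePath] = args;
  const pkgText = fs.readFileSync(pkgPath, "utf8");
  fs.writeFileSync(outPath, buildVersionFile(pkgText));
  if (bundlePath) {
    const leaked = leakedScripts(fs.readFileSync(bundlePath, "utf8"), pkgText);
    if (leaked.length > 0) {
      console.error("package.json scripts found in bundle: " + leaked.join(", "));
      process.exit(1);
    }
  }
}
```

Wiring the first two arguments into a `prebuild` npm script runs it automatically before `npm run build`; the application then imports the generated file instead of package.json.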