yarn build and the project contains the entire source code #1062
Comments
|
Yeah, this definitely is a problem. I'm not sure how it's happening, but it could be that source maps are not being configured properly for production builds. Would you be willing to look into this more? |
|
Sorry for the late answer, wasn't watching. Yes, sure, if I can help, let's try something. But I need some kicks, things like this is not my daily doing.. |
|
After doing a search in the basic template on my machine for my computer username
|
|
Hmm. This is the entire contents of a new folder which sprang into my eyes for the very first time I dealt with 6.9.3 and which is not there in earlier versions. The directory is called
Interestingly enough during
Good catches so far. 👍 |
|
I stepped back a couple of versions. From 5.9.7 (this was my first step back from 6.3.9, but it still had all the sourecode in webpack build) to now 4.6.2 Namely the core dependencies look so: With this setup there is a problem with the hotloader, so I commented it for now and will return to the old style hotloading later. But in the end |
|
@tannerlinsley Wondering, why this issue does not have more attention. I would say nobody would like to see his source code on the web while thinking it is at least obfuscated... |
|
It's at the top of my security/priority list for React Static. I appreciate your patience as we all work to figure this out. |
|
@tannerlinsley Thanks. Take your time. I'm having a work around so far |
|
It appears that source maps are being created for non-staging production builds. While this should be a togglable feature, this is a regression that should not be the default. We'll need to tweak this setting here: https://github.com/nozzle/react-static/blob/master/packages/react-static/src/static/webpack/webpack.config.prod.js#L90. For |
|
@tannerlinsley Makes sense. Anything to do for me? |
|
You could create a PR that does what I outlined there. Then we can iterate on it, get it merged and cut a release asap. |
|
Currently trying to figure out if it fixes it. I have patched the script in my copy. To no avail so far, but I also changed some dependencies...
… Am 13.03.2019 um 21:04 schrieb Tanner Linsley ***@***.***>:
You could create a PR that does what I outlined there. Then we can iterate on it, get it merged and cut a release asap.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#1062 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAsnjCtmNq_6kRA4JBwgx0w-TnbEzDFSks5vWVnIgaJpZM4boiNq>.
|
|
An easy way to verify: confirm that files like |
|
OK, on duty |
|
@tannerlinsley No such a PR wouldn't help. I have patched the flag in my copy of the script at line 90 to |
|
Oh, sorry, there is one more that needs to be taken care of. https://github.com/nozzle/react-static/blob/master/packages/react-static/src/static/webpack/webpack.config.prod.js#L128 should be set appropriately as well. |
|
Hmm.. and what would be a proper value here? |
|
Similar to my prior statement, it should default to |
|
You mean instead of ? |
|
No, doesn't help. I'm out here :) |
|
Curious how are you testing these changes locally? |
|
Just want to make sure we're being thorough. |
|
I'm patching the
node_modules/react-static/src/static/webpack/webpack.config.dev.js
in my project
EDIT: Sorry, .prod.js of course
… Am 13.03.2019 um 21:48 schrieb Tanner Linsley ***@***.***>:
How are you testing these changes locally?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#1062 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAsnjLSUElJ-SfBDL_k6D-8W55nFQkTgks5vWWQugaJpZM4boiNq>.
|
|
If you're altering |
|
Oops, stupid me. Altered in lib folder, to no avail |
|
Oh wait. artifacts is still there, but no maps... testing |
|
Yepp. Looks good. Will try to make a PR |
|
Awesome. Thanks! |
|
Done #1067 |
|
@tannerlinsley i prefer to have sourcemaps for my whole app. dont disable that, they are only loaded when the dev tools are open, they are not included in the bundles |
|
I'm not fanatic on this. I could live with a config switch, which prevent the sourceMap deployment in release builds |
|
Simply dont Upload the .map files. Its Up to you
neilyoung <notifications@github.com> schrieb am Di., 26. März 2019, 00:34:
… I'm not fanatic on this. I could live with a config switch, which prevent
the sourceMap deployment in release builds
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1062 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAR615z738PQa2_BYpUdE47tliSGy5o-ks5vab9ugaJpZM4boiNq>
.
|
|
We'll have a config option for this Yes, you could easily just not upload them, but I think that would provide more trouble for people who repeatedly have to remove them or exclude them from the build directory, etc. While that's still possible, I think the flag will be more intuitive for both use cases. |
|
@tannerlinsley I don't currently have it on top of my head: Where is that config option? And yes, simply don't upload would solve it too :) |
True. The problem was: I'm using a particular react-static app in a Java app. The entire build process finally just triggered npm run build and made a copy of the dist directory into the Java app before deployment. Out of the sudden a react-static update gave me the source maps. I simply just didn't notice... That was unlucky, indeed. |
|
It's not there yet. We haven't added it yet. We're discussing it right now :) |
|
Ah ok, sorry. Got that wrong. Confused meanwhile :) |
|
I dont get the Problem with sourcemaps?! Your Code is there anyways if
minified or not.
neilyoung <notifications@github.com> schrieb am Di., 26. März 2019, 07:33:
… Ah ok, sorry. Got that wrong. Confused meanwhile :)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1062 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAR610YZv3GotPCRYWcx6Fk1ErtAkZ0uks5vaiGmgaJpZM4boiNq>
.
|
|
Well yes and no. It is there but I try to make my best to make it as unreadable as possible. OK now? |
|
Yeah sure, but why? Is it bad code? Do you have api keys in there? The
minification is even revertable, we only minimize for the transport. Look
around on big Sites, most if not all deliver sourcemaps
neilyoung <notifications@github.com> schrieb am Di., 26. März 2019, 07:40:
… Well yes and no. It is there but I try to make my best to make it as
unreadable as possible. OK now?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1062 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAR61y4d9pe1fg7aZSyyx5yv_CXExy7tks5vaiNCgaJpZM4boiNq>
.
|
|
@digitalkaoz, @neilyoung is using an obfuscator to keep some of his code as mangled as possible to deter copying and/or theft. While I agree that any IP should technically be kept behind a server for security, it should be possible to remove sourcemaps and obfuscate code. The obfuscation is not React Static's responsibility, since this goes beyond the call of duty for the library, but it's merely a webpack extension to achieve it. |
|
I'm not just minimizing. I'm also obfuscating. I don't have API keys in, but I also don't want to give anything away for nothing. This is not an open source project. Anyway, there is also not that much secret in the JS code, since it serves a well documented API in Java Spark. But you never know, who comes around and says he has seen it all... I just want to distract the average user to look behind the curtain. Whoever is able to make this readable code, has deserved it, shall take his an be damned :) If that isn't opportun, than I don't know what arguments would convince you |
|
Ah and yes, it is for sure bad code :) |
|
This conversation is likely to get off topic past what has been discussed. If you guys have anything else that pertains to the technical implementation of this feature, let me know, otherwise, I'll consider this issue ready to close as soon as we release the code. |
|
Right, feel free to close. I'm having my solutions |
I came across this accidently. In the past I was used to have an obfuscated version of my SPA after "npm run build".
With the latest react-static (which does not work correctly with
npm run build, but it passes withyarn build, see here #1053) there is the full source code available in user's browser. In the beginning I thought, this is just because there is somewhere a file link to the source code in a map or so and it would be only visible to me, but after deploying it to a webserver it was also available to all.Steps to reproduce:
console.log("Hello World")in App.js, but you could also browse the source tree in developer consoleyarn buildlocalhost:3000in your browserHello Worldand click the right most link to 'App.js:9'Find your sources. Bummer
I never had this with previous react-static versions.
The text was updated successfully, but these errors were encountered: