-
Notifications
You must be signed in to change notification settings - Fork 52
Get Rollup and Node builtin modules to work #884
Comments
Do I understand correctly that this would provide some of parts of the node API from the main process to libraries used in renderer? So far we've been trying to not expose any node API to the renderer directly, because the renderer has to deal with untrusted content:
To mitigate the risks, we currently try to isolate main and renderer by using a How would the proposed changes would influence security here? See more on locking down electron here. |
Refs: #952. |
Security will not be impacted by adding replacements for builtin Node modules to the bundle. Adding replacements for Node builtins to the bundle will not expose any main process APIs to the renderer. For example, even if an |
@geigerzaehler thanks for the clarification! |
@geigerzaehler still relevant? |
This is still relevant and needs to be addressed by the ethereum integration work. |
At the moment, it is not possible to bundle packages with rollup that depend on Node builtin modules like
event
orutil
. If we start using packages that depend on this (e.g.web3
) we’ll need to resolve this issue.I’ve investigated
rollup-plugin-node-polyfills
to make builtins available in the bundle. However, I quickly ran into issue where the provided builtins were not compatible with the node builtins and packages depending on them would break. Moreover the plugin is not actively maintained and was last released a year ago.There exists a fork
rollup-plugin-node-polyfills2
on NPM but this package does have an associated repository and is not used very often so I’d avoid trusting it.The solution that I’m suggesting is curating our own list of builtin module replacements that work building on
browserify
.The text was updated successfully, but these errors were encountered: