Why is web3.min.js not provided anymore?

[carsonwah]

Description

No web3.min.js available since v1.0.0-beta.38.

Expected behavior

A web3.min.js file should be pre-packed and is ready to use directly.

Actual behavior

The collaborator said "he" always use webpack to bundle the js files.
#2475 (comment)

Versions

• web3.js: >=1.0.0-beta.38

---

Can someone explain the reason behind this decision? It is too troublesome to use a bundler in order to use this library. I don't see why we can't have a web3.min.js. Many people are sticking with v1.0.0-beta.37 because of this.

(You may view this issue as a question or a feature request)

[nivida]

I've removed the minified file because I thought the frontend space is using a build chain anyways. Sorry for the troubles. I will add a minified file for each module back to the npm packages asap.

[carsonwah]

@nivida Thank you. I think providing a minified js will be very helpful especially for many people that are using Truffle as their starting point, which does not include a frontend bundler usually.
Thanks for the quick reply.

[GHLover]

Yes, please provide this. Many users cannot even install web3 with npm. Web3 uses a deprecated version of scrypt npm module instead of native node.js functions. As a result of this dependency it cannot be installed as this module has difficulties installing under many modern linux distributions.

You can see this module is deprecated here: https://github.com/barrysteyn/node-scrypt

There is even potential issues of malicious code injection: barrysteyn/node-scrypt#186

[fulldecent]

Reference to #2013 to explain the security problem with this issue.

[smiled0g]

@nivida Any ETA on this issue? I found that installing web3 via npm doesn't even compile correctly with create-react-app. With different build systems out there, it'd be more difficult to make sure that web3 package would work with all of them.

[OFRBG]

@smiled0g I've used web3 with create-react-app many times, and I've never had a problem. Maybe add more information? create-react-app uses webpack, and it has no problems with web3 as of now.

[smiled0g]

@smiled0g I've used web3 with create-react-app many times, and I've never had a problem. Maybe add more information? create-react-app uses webpack, and it has no problems with web3 as of now.

In web3.js 1.0.0-beta.51, it did break. Particularly the transactionSigner.constructor.name was evaluated as'TransactionSigner' in development build, but evaluated as 't' in uglified, production version that webpack generates.

The issue was fixed in 507d2b0#diff-0ad486d5fb5fd6cb067665b271b692d8L183

[shawenbin]

I've removed the minified file because I thought the frontend space is using a build chain anyways. Sorry for the troubles. I will add a minified file for each module back to the npm packages asap.

yes, web3.min.js is very useful in many project.

[princesinha19]

@nivida I think this should also be added to 1.0 milestone.

[kevinsimper]

Using the bundled version is super great for quick demos and small POC that can just be made in the browser.

I often go to https://www.jsdelivr.com/ and find the bundle version.

I can agree with that fronend most uses tools, but until the ecosystem has built the tools that exist for react for example a bundled version is super great!

[sshelton76]

+1000 on this. Releasing a pre-built bundled version especially if it can be signed would greatly increase the visibility of the project. It also makes a great reference point to see if something that broke is broke in the "official build" or just some quirk in your own build process.

[tangelo313]

I just registered to Github to say that many dev friends and I are really missing the web3.min.js. We build web apps without using npm and other fancy things. Please put it back as we stuck on beta37 for a while.

[kevinsimper]

One thing to add would also be to add integrity checks for any CDN script tags loading. web3.js would be a target as it will enable you to hit a larger percentage of dapps.

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#Examples

[wbt]

Beta.53 was just released and still no "dist" which was going to be added "asap" following its drop in -beta.38. Having a known constant reference version instead of a build pipeline helps reduce variance and give simpler steps to reproduce for reporting bugs and resolving issues.

The project should also not be reopening security issues and then leaving them unfixed as part of steps toward 1.0; that feels like another step backward.

I support moving this issue back to a priority position which we should have recognized as an April Fool's joke.

Thanks for your work on the project!

[mrehanabbasi]

Still waiting for the bundled version.

[wbt]

@nivida Thank you for the kind thoughts and words. However, "the minified file will be added back asap” has been the status for >3 months now and there is no credible indication this will change anytime soon. The issue remains marked as an Enhancement in the “To Do’s” category and you’re swamped with other tasks & contributions.

@andy0130tw was clearly just trying to help, stepping up to fill a gap as that’s how open-source is supposed to work. I applaud those efforts and hope they aren’t so readily dismissed/closed off in the future, especially on the basis that “asap” somehow takes on its usual meaning in the context of this project.

[CryptoJanne]

Still nothing? been waiting for this for like 4 months now

[nivida]

The minified file is existing here in the repository on branch 1.x.

[CryptoJanne]

Ah yes sorry. Does this mean that 2.x will not get web3.min.js?

[pydlv]

really would like web3.min.js for 2.x

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions

[wbt]

I don't think this should be marked as stale.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. If you believe this was a mistake, please comment.

[dzimbeck]

I downloaded main branch and don't see anything for easy deployment. A signed release of min would be recommended in the main package. Is it that nobody wants liability of signing production release? The releases don't contain anything built, cdn shows older version I was able to find newer releases at cdn web3@latest/dist/web3.min.js which was mentioned in a comment in the repo but it should probably be made more clear where to find them or include a signed release in the main build. Because its a bit of a hassle for security to have to audit the entire package instead of auditing a single file.

[wbt]

Look in the dist/ folder for a web3.min.js and corresponding map+license.
https://npm.runkit.com/web3/dist/web3.min.js?t=1708960641472