nuxt-security breaking build #343
Replies: 2 comments 10 replies
-
|
Is the issue always triggered by the presence of |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @kwesterfeld2 ! @Baroshem: this one is again related to |
Beta Was this translation helpful? Give feedback.
-
|
@kwesterfeld2 : one additional question |
Beta Was this translation helpful? Give feedback.
-
|
@vejja that's just a warning |
Beta Was this translation helpful? Give feedback.
-
|
The warning is related to the fact that in cspPresetPlugin we are using nuxt kit dependencies that we need to refactor in the upcoming days as explained by @vejja (#335 ) Regarding the error, probably underlying vite plugin remove removes the code of console.log and it stays like https://nuxt-security.vercel.app/documentation/utils/remove-console-loggers |
Beta Was this translation helpful? Give feedback.
-
|
Upstream issue opened at Talljack/unplugin-remove#8 |
Beta Was this translation helpful? Give feedback.
-
|
The issue with nuxt kit is resolved in 1.0.1 version. For the bug in the remove loggers we should wait for the unplugin remove author to fix it there and we will bump the package in the next major version |
Beta Was this translation helpful? Give feedback.
-
|
I hope this comment is helpful and you take it to be constructive. I think nuxt-security's handling of all the http headers, hashing, nonces, its all really great. But this feature, removing console usage, was not expected and I don't think its something that should be on by default. I was a bit shocked to realize that nuxt-security was actually going to modify code during the build process. Perhaps it should be more obvious in the docmentation that this security plugin was going to do this type of thing, but it could just as easily been handled as opt-in rather than opt-out. Hope that is helpful. |
Beta Was this translation helpful? Give feedback.
-
|
Hey @kwesterfeld2 Thanks for the feedback. A not about remove console loggers is in the README.md and in the utils section of the documentation https://nuxt-security.vercel.app/documentation/utils/remove-console-loggers I thought that having this functionality enabled by default would help avoid shipping console.logs to production. Having this functionality in the module but disabled does not make sense imho because it is essentially a wrapper around the unplugin-remove. And as a part of this module, we want to enforce good practices and one of them is to avoid leaking information that could occur when you accidentally ship Remember that you can always disable a functionality that you do not need in your project as we provide it for all available features of the Nuxt Security module. It is helpful for sure but IMHO, it is better to have this plugin enabled by default with an option to disable it when needed rather than having it disabled by default. Disabled by default makes sense for example for Basic Auth which not all users may need in the end. Avoiding leaking sensitive information should be a part of all web applications ;) I believe we just have to work with the unplugin-remove author to fix the issues :) |
Beta Was this translation helpful? Give feedback.
-
I found this project and was super excited to add it to my efforts in porting a pure vite/vue project to nuxt.
I'm very puzzled by what is happening, however. When I add
nuxt-securityto my nuxt config, my compilation starts breaking in horrible ways. I tried figuring out where the issues were, but it breaks in strange ways that I do not understand. Its possible that the plugin ordering for nuxt is at work here.Example breakage:
Which is pointing at code that is completely valid JS syntax:
I tried whack-a-mole changing everything that started erroring out, but it really led to too many changes. The changes were all really weird, like pointing at functions marked as
asyncbut not really needing it, but also valid JS.Sooo....is it possible to use nuxt-security for just a few features, like CSP generation?
Beta Was this translation helpful? Give feedback.
All reactions