IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Large increase in size of oidc-client.rsa256.js #1292

Open notclive opened 3 years ago

notclive commented 3 years ago

dist/oidc-client.rsa256.min.js jumped from 170 KB in 1.11.0 to 800 KB in 1.11.1

We used oidc-client.rsa256.min.js because it was significantly smaller than the other artifacts. My understanding is that oidc-client.rsa256.min.js is oidc-client without the jsrsasign library, for clients that don't need to generate tokens.

I haven't been able to identify what change in 1.11.1 caused the jump in size.

brockallen commented 3 years ago

Hmm, odd. Thanks for letting me know. I'll have a look.

notclive commented 3 years ago

I've looked into this a little bit. The rsa file contains safe-buffer 5 times. safe-buffer appears to be a Node.js library, so it probably shouldn't be included at all. I haven't worked out where it's coming from.

brockallen commented 3 years ago

I updated jsrsasign in 1.11.1 -- I bet it's something in there.

brockallen commented 3 years ago

Ok, the updated jsrsasign was not the issue. Part of it seems to be the update to crypto to v4.0.0 (to 470K), and webpack v4.46.0 (to 800K). I'm a bit confused why the slim is that size and the normal/core library is smaller... Feel free to investigate more. I am getting pulled onto other work ATM, so you might get to a solution faster than I.

brockallen commented 3 years ago

Hmm, and in fact if I leave webpack at the latest and revert crypto back to the (vulnerable) "crypto-js": "^3.1.9-1" then it's back down to 170K. So yea, I guess it's something specifically in the crypto package.

brockallen commented 3 years ago

Looks like they're aware of the issue: https://github.com/brix/crypto-js/issues/321. So there's not much to do here until they fix/update I think.