v2.36.2 fails webpack production builds

[avatarneil]

Describe the problem

Attempting to create a production webpack build with the recently released Auth0 v2.36.2 results in quite a few warnings/errors being thrown, the most critical (and relevant to this issue) of which are:

WARNING in ../node_modules/.pnpm/vm2@3.9.3/node_modules/vm2/lib/main.js 99:24-48
Module not found: Error: Can't resolve 'coffee-script' in '/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/vm2@3.9.3/node_modules/vm2/lib'
 @ ../node_modules/.pnpm/vm2@3.9.3/node_modules/vm2/index.js 3:0-38
 @ ../node_modules/.pnpm/degenerator@3.0.1/node_modules/degenerator/dist/src/index.js 6:14-28
 @ ../node_modules/.pnpm/pac-resolver@5.0.0/node_modules/pac-resolver/dist/index.js 6:22-44
 @ ../node_modules/.pnpm/pac-proxy-agent@5.0.0/node_modules/pac-proxy-agent/dist/agent.js 26:39-62
 @ ../node_modules/.pnpm/pac-proxy-agent@5.0.0/node_modules/pac-proxy-agent/dist/index.js 7:32-50
 @ ../node_modules/.pnpm/proxy-agent@5.0.0/node_modules/proxy-agent/index.js 16:20-46
 @ ../node_modules/.pnpm/superagent-proxy@3.0.0_superagent@5.3.1/node_modules/superagent-proxy/index.js 6:17-39
 @ ../node_modules/.pnpm/rest-facade@1.13.1/node_modules/rest-facade/src/Client.js 15:0-27
 @ ../node_modules/.pnpm/rest-facade@1.13.1/node_modules/rest-facade/src/index.js 2:10-29
 @ ../node_modules/.pnpm/auth0@2.36.2/node_modules/auth0/src/management/index.js 7:20-56
 @ ../node_modules/.pnpm/auth0@2.36.2/node_modules/auth0/src/index.js 8:20-43
 @ ./index.js 1:14-30

and

ERROR in bundle.js
bundle.js from Terser plugin
Invalid function parameter [bundle.js:82271,21]
    at js_error (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:550:11)
    at croak (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:1274:9)
    at binding_element (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:2026:13)
    at parameter (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:1830:17)
    at parameters (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:1804:25)
    at _function_body (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:2077:19)
    at function_ (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:1728:20)
    at /Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:2585:16
    at _embed_tokens_wrapper (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:1339:26)
    at concise_method_or_getset (/Users/neil/Documents/projects/auth0-vm2-webpack-repro/node_modules/.pnpm/terser@5.9.0/node_modules/terser/dist/bundle.min.js:2792:31)

After these errors are thrown, the webpack build fails.

What was the expected behavior?

Successful webpack build!

Reproduction

I made an example repo which reproduces this issue https://github.com/avatarneil/auth0-vm2-webpack-repro

Environment

• Node: v15.11.0
• Auth0: v2.36.2
• Webpack: 5.42.1, in production mode (note: development builds seem to be fine)

Additional Details

Upon some investigation, it appears that Auth0 v2.36.2 introduced a dependency on https://github.com/patriksimek/vm2/. It appears that this dependency breaking webpack builds is a known issue (see https://github.com/patriksimek/vm2/issues/68), and the maintainer of the package has been resistant to making any changes to fix this, simply stating that this package is not webpack compatible. Unfortunately, this is very far down in the dependency tree for Auth0; in order to resolve this issue, I think that rest-facade may need to be subbed out for another library which does not contain vm2 anywhere in the dependency tree.

I do hope that this issue can be resolved, as I am now forced to lock my auth0 version at an earlier version that does not contain this dependency... Of all the packages to keep up-to-date, I think this is one of the most important 😅

[adamjmcgrath]

Hi @avatarneil - thanks for raising this and providing a reproduction

For the moment, you can work around this by resolving coffee-script in your webpack config, eg

resolve: {
    alias: {
      'coffee-script': false
    }
  }
}

Please use this workaround for now while we try and find a better solution

[avatarneil]

Hi @adamjmcgrath, thanks for the prompt response and workaround suggestion! Unfortunately, it seems that this workaround (while silencing the coffee-script resolution warning), still results in the Terser failure. Before filing this issue, I additionally tried using the webpack IgnorePlugin, and ran into the same result (module resolution warning gone, but Terser still failing).

[adamjmcgrath]

Looks like there's a couple of Webpack issues with vm2 - how about?

resolve: {
  alias: {
    vm2: false
  }
}

Assuming you're not using a PAC proxy

[macsj200]

@avatarneil I'll try your repro tomorrow.

[NotMyself]

I ran into this issue this morning. I can confirm that the following webpack config section allows the build to succeed.

resolve: {
    //fix: added to resolve issue with node-auth0 v2.36.2
    alias: {
      'formidable': false, //  node-auth0 build warning
      'coffee-script': false, //  node-auth0 build fail
      'vm2': false, // node-auth0 build fail
      'yargs': false, // auth0-deploy-cli build warning
      'colors': false, // auth0-deploy-cli build warning
      'keyv': false, // openid-client build warning
    },
  },

Note I have similar issues with the auth0-deploy-cli throwing warnings.

[CyberSecDemon]

The problem child here is https://github.com/TooTallNate/node-degenerator .

This is not a permanent solution if you use proxy in node-auth. This can leave you vulnerable, but if you are trying to push to prod and realize auth0 doesn't care that they've just broken then entire package for so many users. Well, you do what you need to do.

We are using pkg and receive this error:

pkg/prelude/bootstrap.js:1697 throw error; ^

Error: File C:**\app\node_modules\vm2\lib\contextify.js was not included into executable at compilation stage. Please recompile adding it as asset or script. at error_ENOENT (pkg/prelude/bootstrap.js:557:19) at readFileFromSnapshot (pkg/prelude/bootstrap.js:949:29) at Object.readFileSync (pkg/prelude/bootstrap.js:997:18) at loadAndCompileScript (C:\snapshot\app\node_modules\vm2\lib\main.js:45:18) at Object. (C:\snapshot\app\node_modules\vm2\lib\main.js:72:20) at Module._compile (pkg/prelude/bootstrap.js:1751:22) at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10) at Module.load (internal/modules/cjs/loader.js:950:32) at Function.Module._load (internal/modules/cjs/loader.js:790:14) at Module.require (internal/modules/cjs/loader.js:974:19) { errno: -4058, code: ENOENT, path: C:\snapshot\app\node_modules\vm2\lib/contextify.js, pkg: true }

We attempted every recommendation provided by Vercel to include this as an asset. After further review the packages are just simply incompatible.

Workaround is as follows:

npm i npm-force-resolutions

in package.json add:

"resolutions": { "degenerator": "2.2.0" },

also add to package.json:

"scripts": { "preinstall": "npx npm-force-resolutions" },

Save your package.json . After that, you will need to do the following in this exact order:

• Run npm install then delete your node_modules folder.

• Run npm preinstall and npm install one more time.

NOTE: We also had to change our build scripts to: npm install --ignore-scripts && npm install

Best of luck. Auth0 team. Please fix this, it's broken quite a few things for such a small sub-dependency. I'm sure others will be here to chime in, in the near future as well.

[adamjmcgrath]

Hi @CyberSecDemon - thanks for sharing this

auth0 doesn't care that they've just broken then entire package for so many users

We do care 😄 - this is just an issue with a downstream dependency that we don't have control over and refactoring it out will involve a large change to our networking stack that we're not ready to do yet.

If you're running into the issue with Webpack as described in the original issue post, for now please use the workarounds suggested in the thread.

[OG84]

hhm ok this also breaks my app at runtime (nodejs lambda, using auth0 management client), because of no such file or directory, open '/var/task/contextify.js'

I'm using esbuild (to bundle everything into one file prior to deployment) and tried to add vm2 to externals of the esbuild config, which excludes it from bundling. But this also fails at runtime because nodejs can not require vm2 when loading the js code.

I will try to downgrade auth0 and pin it to a specific version for now.

EDIT: ok, downgrading auth0 does not work, because even "rest-facade": "^1.13.0" is being resolved to the latest version (1.16.1), due to the ^.

So the only way i see is that rest-facade removes or downgrades the superagent-proxy dependency and releases a new minor or patch package, or auth0 is removing rest-facade or pinning it to 1.13.0.

Kind of blocking my releases until we find a solution. Will try to find other solutions for the time being...

[OG84]

i think this is just caused by this bug https://github.com/ngonzalvez/rest-facade/pull/62. superagent-proxy is currently always required in rest-facade. Looks like a mistake by them, so maybe this can be easily fixed within the mentioned PR. Doesn't look like auth0-nodejs is using the proxy option of rest-facade so i think this PR would fix our issue.

[frederikprijck]

They have released 1.16.2, can you verify this solves your problem?

[OG84]

wow that was fast. Unfortunately for my use case it does not solve it though. esbuild is still resolving superagent-proxy at build time, even it is inside an if block.

(rest-facade client code snippet)

if (this.options.proxy) {
    // Add proxy support to the request library.
    require('superagent-proxy')(request);
  }

I can not exclude superagent-proxy in general via the esbuild config, because I have another library (node-mailjet) which is using superagent-proxy@v2 (without vm2 down the tree)

I will try to find other solutions today and get back here.

[frederikprijck]

Might also be more of a thing to discuss on their repository or on esbuild.

[vicary]

For esbuild users who do not need HTTP proxies, upgrading rest-facade to 1.16.2 and mark superagent-proxy as external does solve the problem. The runtime error of ENOENT is not anymore.

If you otherwise needs superagent-proxy, copy contextify.js and sandbox.js as runtime assets. See https://github.com/evanw/esbuild/issues/495 for more information.

[Tryd0g0lik]

I ran into this issue this morning. I can confirm that the following webpack config section allows the build to succeed.

resolve: {
    //fix: added to resolve issue with node-auth0 v2.36.2
    alias: {
      'formidable': false, //  node-auth0 build warning
      'coffee-script': false, //  node-auth0 build fail
      'vm2': false, // node-auth0 build fail
      'yargs': false, // auth0-deploy-cli build warning
      'colors': false, // auth0-deploy-cli build warning
      'keyv': false, // openid-client build warning
    },
  },

Note I have similar issues with the auth0-deploy-cli throwing warnings.

thanks for this post

---

i fixed this ERORR: [!hexoid is not a function]