search

electron / packager

Customize and package your Electron app with OS-specific bundles (.app, .exe, etc.) via JS or CLI
https://npm.im/@electron/packager
BSD 2-Clause "Simplified" License
165 stars 17 forks source link

electron-packager unexpectedly copies entire package.json into distribution #1184

Open jameshfisher opened 4 years ago

jameshfisher commented 4 years ago

Preflight Checklist

Issue Details

Expected Behavior

electron-packager creates a distribution with the minimal package.json required for Electron. As far as I know, it only needs to contain the main field. It should not leak private info about my development setup.

Actual Behavior

electron-packager seems to just copy-paste my entire package.json into the distribution. This contains all kind of unnecessary and private info, such as my devDependencies and scripts. These are never accessed at runtime and so should not be distributed.

To Reproduce

A minimal repo here on this branch, but it seems to happen under standard conditions.

Additional Information

Is there a standard way to work around this behavior?

welcome[bot] commented 4 years ago

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

jameshfisher commented 4 years ago

So here is my awful hacky workaround. It creates a custom afterPrune callback, which modifies the package.json to only include fields necessary for distribution.

I'm going to leave this issue open, as I don't know whether this is the expected or best way to achieve this. It certainly feels like an ugly way to achieve the behavior that I expected.

#!/usr/bin/env node
const packager = require("electron-packager");
const {readFileSync, writeFileSync} = require('fs');
(async () => {
  const appPaths = await packager({
    dir: '.',
    name: 'MyElectronApp',
    overwrite: true,
    prune: true,
    afterPrune: [(buildPath, electronVersion, platform, arch, callback) => {
      const packageJsonPath = buildPath + '/package.json';
      const devPackageJson = JSON.parse(readFileSync(packageJsonPath));
      const prodPackageJson = Object.fromEntries(['name', 'version', 'main'].map(k => [k, devPackageJson[k]]));
      writeFileSync(packageJsonPath, JSON.stringify(prodPackageJson, null, 2));
      callback();
    }],
  });
  console.log(`Electron app bundles created: ${appPaths.join("\n")}`);
})();
DenisTis commented 11 months ago

So here is my awful hacky workaround. It creates a custom afterPrune callback, which modifies the package.json to only include fields necessary for distribution.

I'm going to leave this issue open, as I don't know whether this is the expected or best way to achieve this. It certainly feels like an ugly way to achieve the behavior that I expected.

#!/usr/bin/env node
const packager = require("electron-packager");
const {readFileSync, writeFileSync} = require('fs');
(async () => {
  const appPaths = await packager({
    dir: '.',
    name: 'MyElectronApp',
    overwrite: true,
    prune: true,
    afterPrune: [(buildPath, electronVersion, platform, arch, callback) => {
      const packageJsonPath = buildPath + '/package.json';
      const devPackageJson = JSON.parse(readFileSync(packageJsonPath));
      const prodPackageJson = Object.fromEntries(['name', 'version', 'main'].map(k => [k, devPackageJson[k]]));
      writeFileSync(packageJsonPath, JSON.stringify(prodPackageJson, null, 2));
      callback();
    }],
  });
  console.log(`Electron app bundles created: ${appPaths.join("\n")}`);
})();

Could you please provide more data on where did you add this? And which command did you use for the build?