`ses` package doesn't define exports for minified the lockdown, making them unreachable in Node/bundlers.

[davidmurdoch]

Describe the bug

ses package includes minified versions of the libraries, but these are impossible to import/require in Node.js, as it only allows importing files defined in the package.json exports fields. Bundlers that use/follow Node's resolution algorithm are also unable to import the file.

Steps to reproduce

Via Node

npm init -y && npm install ses

// lockdown.js
require("ses/dist/lockdown.umd.min.js");

Run node lockdown.js.

Output:

~/code/test/ses $ node lockdown
node:internal/modules/cjs/loader:598
      throw e;
      ^

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './dist/lockdown.umd.min.js' is not defined by "exports" in /home/david/code/test/ses/node_modules/ses/package.json
    at exportsNotFound (node:internal/modules/esm/resolve:303:10)
    at packageExportsResolve (node:internal/modules/esm/resolve:650:9)
    at resolveExports (node:internal/modules/cjs/loader:591:36)
    at Module._findPath (node:internal/modules/cjs/loader:668:31)
    at Module._resolveFilename (node:internal/modules/cjs/loader:1130:27)
    at Module._load (node:internal/modules/cjs/loader:985:27)
    at Module.require (node:internal/modules/cjs/loader:1235:19)
    at require (node:internal/modules/helpers:176:18)
    at Object.<anonymous> (/home/david/code/test/ses/lockdown.js:1:1)
    at Module._compile (node:internal/modules/cjs/loader:1376:14) {
  code: 'ERR_PACKAGE_PATH_NOT_EXPORTED'
}

Node.js v20.11.1

Via Bundler (Webpack)

// lockdown.js
require("ses/dist/lockdown.umd.min.js");

//webpack.config.js
module.exports = {
    mode: "production",
    entry: './lockdown.mjs',
    optimization: {
        minimize: false
    }
}

Run npx -y webpack.

output:

~/code/test/ses $ npx -y webpack
assets by status 99 bytes [cached] 1 asset

ERROR in main
Module not found: Error: Can't resolve './lockdown.mjs' in '/home/david/code/test/ses'
resolve './lockdown.mjs' in '/home/david/code/test/ses'
  using description file: /home/david/code/test/ses/package.json (relative path: .)
    Field 'browser' doesn't contain a valid alias configuration
    using description file: /home/david/code/test/ses/package.json (relative path: ./lockdown.mjs)
      no extension
        Field 'browser' doesn't contain a valid alias configuration
        /home/david/code/test/ses/lockdown.mjs doesn't exist
      .js
        Field 'browser' doesn't contain a valid alias configuration
        /home/david/code/test/ses/lockdown.mjs.js doesn't exist
      .json
        Field 'browser' doesn't contain a valid alias configuration
        /home/david/code/test/ses/lockdown.mjs.json doesn't exist
      .wasm
        Field 'browser' doesn't contain a valid alias configuration
        /home/david/code/test/ses/lockdown.mjs.wasm doesn't exist
      as directory
        /home/david/code/test/ses/lockdown.mjs doesn't exist

webpack 5.91.0 compiled with 1 error in 21 ms

Expected behavior

Users should be able to require/import the pre-minified JavaScript. While bundlers can minimize the export for lockdown that is defined in ses's package.json, I worry that aggressive minification/optimizations could alter the behavior in subtle ways that may render lockdown ineffective. Maybe this isn't a valid concern, and if not, I'd love for someone from the team to assuage my fears (note: I'm not worried about a supply chain attack compromising ses in this case)!

Platform environment

webpack@5 ses@1.4.0

[kriskowal]

@naugtur has reported this as well. I’m open to adding an entry to package.json "exports" for the existing minified dist. I would want to also test it in the top-level browser-test CI job, because as you point out, the minifier can break invariants and we are not currently testing the minified version. We also have not audited terser to ensure it maintains our invariants, so there are some implicit risks of adopting the version we distribute.