search

nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License
23.69k stars 2.36k forks source link

@nx/vite:build includes package.json in the build output #26127

Open toteto opened 5 months ago

toteto commented 5 months ago

Current Behavior

I have React web app that is bundled with Vite. When bundling directly with the vite build the build output doesn't contain package.json file. When building with the nx/vite:build executor, somewhere along the lines package.json is included.

This file is not coming from the vite build step since the file is not being mentioned in the Vite console output.

Expected Behavior

No package.json is being outputed for web apps because it doesn't play any role. Since most often the dist directory is directly being served by a server, the package.json might end up being accessible by the public too.

While this doesn't create direct security risk, it creates an indirect one by having the application dependancies and scripts available to the public.

Each app developer now has to make sure that this file is ignored/protected. Think it would be easier if nx/vite:build didn't copy this file at all.

GitHub Repo

https://github.com/toteto/nx-vite-react-example

Steps to Reproduce

  1. Create brand new nx workspace with npx create-nx-workspace@latest --preset=react-standalone --bundler=vite. Or checkout the example repo.
  2. npm build

Nx Report

Node   : 20.11.0
OS     : darwin-x64
npm    : 10.2.4

nx (global)        : 17.2.8
nx                 : 19.1.0
@nx/js             : 19.1.0
@nx/linter         : 19.1.0
@nx/eslint         : 19.1.0
@nx/workspace      : 19.1.0
@nx/devkit         : 19.1.0
@nx/eslint-plugin  : 19.1.0
@nx/react          : 19.1.0
@nrwl/tao          : 19.1.0
@nx/vite           : 19.1.0
@nx/web            : 19.1.0
typescript         : 5.4.5
---------------------------------------
Registered Plugins:
@nx/vite/plugin
@nx/eslint/plugin

Failure Logs

> nx run nx-vite-react:build

> vite build

The CJS build of Vite's Node API is deprecated. See https://vitejs.dev/guide/troubleshooting.html#vite-cjs-node-api-deprecated for more details.
vite v5.0.13 building for production...
✓ 32 modules transformed.
dist/nx-vite-react/index.html                   0.48 kB │ gzip:  0.30 kB
dist/nx-vite-react/assets/index-DPbuekZ_.css    5.98 kB │ gzip:  1.74 kB
dist/nx-vite-react/assets/index-B3B2zwyz.js   167.78 kB │ gzip: 51.96 kB
✓ built in 1.67s

Package Manager Version

No response

Operating System

Additional Information

No response

rapaglaz commented 5 months ago

I'm facing same problems.

toteto commented 5 months ago

I'm facing same problems.

Workaround, I am just excluding the file from being deployed to the server. Recommend you do the same for now.

rapaglaz commented 5 months ago

@toteto You're right, I do something similar, but the bug is... quite frustrating. But thx!

Aimen-Khalid commented 4 months ago

I'm facing same problems.

Workaround, I am just excluding the file from being deployed to the server. Recommend you do the same for now.

@toteto Just add "generatePackageJson": false in the options of your build target that is using @nx/vite:build executor.

kwextpb commented 1 month ago

@Aimen-Khalid it's not really working for me 

"@nx/vite": "^19.5.6",
"nx": "19.5.6",

Maybe this is the fix? https://github.com/nrwl/nx/pull/19780