search

nuxt-modules / security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
826 stars 60 forks source link

NUXT SECURITY conflicts with JSON import #533

Closed jozefvodicka closed 2 weeks ago

jozefvodicka commented 1 month ago

No way to run nuxt generate if nuxt-security plugin is present and also JSON import from file using experimental feature

Maybe related to @unplugin-remove and babel https://github.com/babel/babel/issues/16754

nuxt-security: 2.0.0 nuxt: 3.13.2

Steps to reproduce

use this in any of your files: import value from './value.json' with { type: 'json' };

What is Expected?

build works perfectly fine

What is actually happening?

Nuxt Build Error: [unplugin-remove-console-debugger] This experimental syntax requires enabling the parser plugin: "importAttributes". (9:32)

vejja commented 1 month ago

Yes definitely an unplugin-remove issue upstream @Baroshem Vite can remove console and debugger natively, we might be better off with Vite’s implementation

Baroshem commented 1 month ago

I think that could be a better solution indeed. The unplugin has several issues and is conflicting with many solutions. Should we wait for release 3.0.0 or should we make it for 2.1.0? According to semver we should probably wait for major but if Vite delivers similar functionality we could already go for native solution instead and just mention it in the documentation.

WDYT?

vejja commented 1 month ago

I have a working POC, but it cannot be a straight drop-in replacement:

I do believe that esbuild's binary approach (remove everything or remove nothing) is the right one, and I am of the opinion that too much configuration leads to issues. But it's ultimately a matter of taste.

Therefore I can implement via two different patterns:

  1. By breaking change: The unplugin-remove options would be replaced, and removeLoggers would just be either console, debugger, both or false
  2. By soft-deprecation: We would keep the current unplugin-remove options as well as the ability to use unplugin-remove but we would introduce a new option that allows to choose either the native Vite functionality or the plugin. Vite would be the default and we would mark unplugin-remove for deprecation

What's your preference?

Baroshem commented 1 month ago

I would say that the more we keep it the more problems will eventually appear. So I would probably be for a first option.

How would you release it?

vejja commented 1 month ago

According to semver, option 1 (breaking) would lead to 3.0.0 while option 2 (feature) would lead to 2.1.0 We can start with option 2, and wait for people to transition out of unplugin-remove options before breaking on 3.0

Baroshem commented 1 month ago

Agree, this seems like a safe and good option :)