mischnic
commented
4 years ago @Aaronius Does replacing __dirname and __filename also need to be disabled for your usecase?
Open Aaronius opened 4 years ago
mischnic
commented
4 years ago @Aaronius Does replacing __dirname and __filename also need to be disabled for your usecase?
Aaronius
commented
4 years ago It's probably not a blocker, but optimally it would be disabled as well. It seems to me that anything that could potentially leak sensitive information about the environment that's bundling the code would be better disabled by default.
mischnic
commented
4 years ago Tasks for follow-up PR(s):
process, Buffer (what about builtins?).env files, then we can disable env inlining by default except env-files and NODE_ENV__dirname, __filenameAaronius
commented
4 years ago @mischnic, I just want to say thanks for the effort you're putting into this. ❤️
mischnic
commented
4 years ago 😄
The linked PR will be released in the next nightly (docs at https://github.com/parcel-bundler/website/pull/644)
Aaronius
commented
4 years ago @mischnic, I tested this out. It looks good! We're looking forward to the follow-up PRs as well, but this is a great start.
One question about configuration: is this configurable through .parcelrc somehow as well or only through package.json (as outlined in https://github.com/parcel-bundler/website/pull/644)?
Thank you again for your work on this. When you ask "what about builtins" in https://github.com/parcel-bundler/parcel/issues/4991#issuecomment-675660069, you may not be asking my opinion specifically, but I'll offer it anyway. 😄 My opinion is that built-ins should be disabled by default. To me, it's an interesting feature, but probably not something I would more-often-than-not want or expect when building code for the web (maybe I'm in the minority?). I believe, but not sure, it may also inadvertently expose sensitive information about the machine/environment that is building the code, which could really negatively affect the unsuspecting user (myself included--I'm very grateful/fortunate I read through all the docs). These are the two things that influence my opinion on the matter.
mischnic
commented
4 years ago parcelrc somehow as well or only through package.json
Only via package.json. .parcelrc only contains is the names of the plugins, not their configuration. We don't wanto do replicate webpack.config.js 😄
builtins it may also inadvertently expose sensitive information about the machine/environment that is building the code
I don't think so, these are merely polyfills for builtin Node.js modules (e.g. crypto/process) or polyfills for Node.js globals.
🙋 feature request
I'd like the ability to disable node emulation in Parcel 2.
🤔 Expected Behavior
The ability to toggle node emulation.
😯 Current Behavior
This doesn't seem to be possible.
💁 Possible Solution
I assume just a configuration option?
🔦 Context
We're using Parcel to bundle third-party, untrusted code. For security reasons, we can't allow the third-party code to access sensitive things like environment variables and OS information. Parcel 2 automatically provides access to this type of information.
In order to be able to use Parcel 2 for our purposes, we'll need the ability to be able disable this functionality. There may be additional functionality that I'm unaware of that could pose other security risks that we would also need to be able to disable. If you're aware of anything else, I'd appreciate if you let me know what they are so we could take necessary precautions.
💻 Examples