search

web-infra-dev / rspack

The fast Rust-based web bundler with webpack-compatible API 🦀️
https://rspack.dev
MIT License
9.08k stars 521 forks source link

[Bug Report]: Rspack incompatibile with csp-webpack-plugin #2669

Open RobinClowers opened 1 year ago

RobinClowers commented 1 year ago

System Info

System: OS: macOS 13.3 CPU: (10) arm64 Apple M1 Max Memory: 1.38 GB / 64.00 GB Shell: 5.2.15 - /opt/homebrew/bin/bash Binaries: Node: 18.15.0 - ~/.volta/tools/image/node/18.15.0/bin/node Yarn: 1.22.17 - ~/.volta/tools/image/yarn/1.22.17/bin/yarn npm: 9.5.0 - ~/.volta/tools/image/node/18.15.0/bin/npm Browsers: Chrome: 111.0.5563.146 Edge: 112.0.1722.34 Firefox: 111.0.1 Safari: 16.4 npmPackages: @rspack/cli: ^0.1.6 => 0.1.6

Details

Rspack seems to be incompatible with the @melloware/csp-webpack-plugin package.

It appears to fail on this line:

compiler.hooks.beforeCompile.tapPromise(thisPluginName, async () => {
TypeError: Cannot read properties of undefined (reading 'tapPromise')
    at SubresourceIntegrityPlugin.apply (/Users/robinclowers/src/console/node_modules/webpack-subresource-integrity/index.ts:365:34)
    at CspHtmlWebpackPlugin.apply (/Users/robinclowers/src/console/node_modules/@melloware/csp-webpack-plugin/plugin.js:397:40)
    at createCompiler (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:75:12)
    at create (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:141:20)
    at rspack (/Users/robinclowers/src/console/node_modules/@rspack/core/src/rspack.ts:165:31)
    at RspackCLI.createCompiler (/Users/robinclowers/src/console/node_modules/@rspack/cli/src/rspack-cli.ts:49:26)
    at async Object.handler (/Users/robinclowers/src/console/node_modules/@rspack/cli/src/commands/build.ts:94:22)

Reproduce link

No response

Reproduce Steps

  1. Create an rspack project
  2. Install the csp-webpack-pugin package: npm i -D @melloware/csp-webpack-plugin
  3. Add a minimal CSP: 
    plugins: [
new CspWebpackPlugin(
  {
    "base-uri": ["'self'"],
    "child-src": ["'none'"],
    "upgrade-insecure-requests": "",
  },
),
],
  4. Try to compile: npm run build
hyf0 commented 1 year ago

Thanks for reporting. Could you add some details about what problem this plugin solves?

We would discuss this issue next week and might need more feedback on this from more persons.

ScriptedAlchemy commented 1 year ago

Sub resource integrity. Quite a big one for enterprises with complex compliance requirements.

A simple workaround might by trying to change the hook from tapPromise to tapAsync.

I believe some tappable types are still WIP, even tho hook might exist the tap method may not yet.

RobinClowers commented 1 year ago

Yeah, what @ScriptedAlchemy said, it's a plugin for adding Content Security Policy meta tags to the document head. I just realized I put the wrong package name in the description, I've updated it and included a link to the package. Let me know if there are any more details I can provide, happy to help.

ScriptedAlchemy commented 1 year ago

Have you tried the sub-resource integrity webpack plugin? It might already be working.

Im pretty sure if you change the plugin code to tapAsync, it would work. Can you edit it in node modules and try tap or tapAsync and let us know what happens?

RobinClowers commented 1 year ago

@ScriptedAlchemy This error actually comes from webpack-subresource-integrity plugin. I tried switching to tapAsync, but the problem is the whole beforeCompile hook is missing.

This is the line where it fails: https://github.com/waysact/webpack-subresource-integrity/blob/914fdd9dd5982b4f52782c55eb6cb33fea5861cc/webpack-subresource-integrity/src/hooks.ts#L65

hardfist commented 1 year ago

beforeCompile is supported and now is blocked by #3090

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

hardfist commented 1 year ago

we also need to support webpack.DefinePlugin, cc @ahabhgk

RobinClowers commented 10 months ago

I just tried with 0.3.8 and it looks like there has been some progress, but unfortunately there are still more compiler hooks that aren't supported that webpack-subresource-integrity relies on:

Even if these were all supported @melloware/csp-webpack-plugin relies on the HtmlWebpackPlugin to inject the tag, so I assume it would only work if we didn't use the builtin html support of rspack.

I also noticed https://github.com/web-infra-dev/rspack/issues/4381 is tracking webpack-subresource-integrity compatibility directly.

RobinClowers commented 10 months ago

Alternatively, are there any plans for an native rspack CSP solution? I'm not married to the setup I have now, but dropping CSP is not an option either.

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

xc2 commented 4 months ago

still blocked by #4381

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

hardfist commented 1 month ago

bump

karesztrk commented 1 month ago

bump

hardfist commented 2 days ago

@LingyuCoder can we support this feature in rspackHtmlPlugin?