The packaged file volume is too large and contains nodes_ modules electron-forge package (--template=vite) #3224
Comments
|
In addition to |
|
This still happens with version 6.2.1, the whole source folder including the node_modules folder is copied to resources/app. Instead only the .vite folder should be copied. |
|
yes, seeing this too (6.2.1) |
|
Can you provide a specific repository for replication? Maybe you put most of the packages in |
|
it happens with the template repository, no modifications: I am on mac, the and for example, on a previous project where I used webpack, the
|
|
Any word on this? I noticed the same thing. All of our source code is bundled up with the package. It more or less appears as if the build advantages of vite using rollup etc. is nullified as the packaged app is not tree shook, not bundled to the few main.js/preload.js etc. and not minified / obfuscated (code of our app can easily be read by users). It almost seems as if the regular electron-forge package/make procedure is being used and ignoring vite/rollup. Anyone have any thoughts? |
|
its also quite a security vulnerability because the entire source code is copied into the release, so users who use this template and then distribute the app would be distributing their entire repo without realizing. not sure who is in charge on this (@BlackHole1 @caoxiemeihao ) but maybe maintainers might want to remove this template until fixed or warn users. |
|
@jbtobar I know the vite template was based on the webpack template... do you know if the webpack template (with and/or without TypeScript) is packaging correctly? I am not a webpack guy so have never used it. |
|
I am using the webpack typescript template with electron-forge v I am not familiar with the forge repo but from quick glancing I think |
|
@GitMurf the current webpack template does work correctly btw. |
|
This also sounds related: #2175 |
|
Is there any temporary fix to this issue? |
|
I am trying to figure one out. I have been trying to play with these hooks (postStart in the forge.config but no dice. Now playing with the source code to figure out the issue. @erickzhao or anyone familiar with electron-forge code base maybe knows something. |
|
this direction is giving me results btw: packagerConfig: {
ignore: (path) => {
if (path.startsWith('/.vite')) return false;
if (path === '/package.json') return false;
if (!path) return false;
return true;
},
}, |
|
@bermanboris fyi the above dirty hack doesn't package |
So is the idea here that this is ignoring everything except .Vite and package.Json? |
|
This also appears related: #1250 |
|
ok yep this ignore function is in webpack plugin but not in vite plugin: |
This function cannot identify the code in the nodejs section of the main process, and will remove the dependent packages in the main process that should not be ignored. This function has a bug |
|
@caoxiemeihao PTAL |
@ht-sauce you are correct. This assume you are not using anything like a native module that has to be "externalized". Same if you use squirrel, need to make sure that node module is included (NOT ignored) as well. Below is what I got working where I use Realm DB which is a native node module and has to be packaged as an external dependency. cc @caoxiemeihao I recommend doing testing using something like Realm (https://github.com/realm/realm-js) as a way to validate external dependencies work as well :) Update this array with the dependencies you need to externalize: Note: this uses the import type { ForgeConfig } from '@electron-forge/shared-types';
import { dirname } from 'node:path';
import { Walker, DepType, type Module } from 'flora-colossus';
// any packages that you must mark as "external" in vite
const NATIVE_MODULES_TO_PACKAGE = ['realm', 'electron-squirrel-startup'];
const INCLUDE_NESTED_DEPS = true as const;
let nativeModuleDependenciesToPackage: Set<string>;
const config: ForgeConfig = {
// other config stuff...
hooks: {
prePackage: async (forgeConfig) => {
if (forgeConfig.packagerConfig.ignore !== undefined) {
throw new Error(
'forgeConfig.packagerConfig.ignore is already defined. Please remove it from your forge config and instead use the prePackage hook to dynamically set it.'
);
}
const getExternalNestedDependencies = async (
nodeModuleNames: string[],
includeNestedDeps = true
) => {
const foundModules = new Set(nodeModuleNames);
if (includeNestedDeps) {
for (const external of nodeModuleNames) {
type MyPublicClass<T> = {
[P in keyof T]: T[P];
};
type MyPublicWalker = MyPublicClass<Walker> & {
modules: Module[];
walkDependenciesForModule: (
moduleRoot: string,
depType: DepType
) => Promise<void>;
};
const moduleRoot = dirname(
require.resolve(`${external}/package.json`, { paths: [__dirname] })
);
const walker = new Walker(moduleRoot) as unknown as MyPublicWalker;
walker.modules = [];
await walker.walkDependenciesForModule(moduleRoot, DepType.PROD);
walker.modules
.filter((dep) => (dep.nativeModuleType as number) === DepType.PROD)
.map((dep) => dep.name)
.forEach((name) => foundModules.add(name));
}
}
return foundModules;
};
nativeModuleDependenciesToPackage = await getExternalNestedDependencies(
NATIVE_MODULES_TO_PACKAGE,
INCLUDE_NESTED_DEPS
);
forgeConfig.packagerConfig.ignore = (path) => {
// .vite bundled build files
if (path.startsWith('/.vite')) {
return false;
}
// main package.json file
if (path === '/package.json') {
return false;
}
if (!path) {
return false;
}
// need to first NOT ignore the root node_modules folder
if (path === '/node_modules') {
return false;
}
// if path is in nativeModuleDependenciesToPackage, return false (to package it)
const foundModules: Set<string> = nativeModuleDependenciesToPackage;
for (const module of foundModules) {
if (
path.startsWith(`/node_modules/${module}`) ||
path.startsWith(`/node_modules/${module.split('/')[0]}`)
) {
return false;
}
}
// for everything else, ignore it
return true;
};
},
},
// other config stuff...
};Hope this helps! |
|
Hi all, I too am plagued with this issue even in latest 7.2.x release. this is a huge security risk and should be fixed as soon as possible. |
|
Also related #3377 also highlights how big this is a risk for security |
|
Hi @akash07k. I recently communicated with @caoxiemeihao. He is currently looking for a new job, so he temporarily doesn’t have extra time to address the related PR. However, he also mentioned that once his job is stable, he will refocus on these issues. |
|
Oh, I see.
|
|
@akash07k Hey! 👋 I'm about to fix this issue and have been stuck on CI for a few days. BTW, I know the specific reason for the CI error, I have temporarily resolved it, and I will try to completely fix the CI error in the next upgrade of Vite5 PR (it is coming soon). |
|
Thanks so much @caoxiemeihao, I'll be waiting for the update. :-)
|
|
Fixed in #3336 |
Pre-flight checklist
Electron Forge version
6.1.1
Electron version
24.1.2
Operating system
macOs 12.2.1
Last known working Electron Forge version
6.1.1
Expected behavior
yarn create electron-app my-new-app --template=vite and run electron-forga package The packaged file volume is too large and contains nodes_ modules in out =>app =>resource
Actual behavior
yarn create electron-app my-new-app --template=vite and run electron-forga package The packaged file volume is too large and contains nodes_ modules in out =>app =>resource
Steps to reproduce
yarn create electron-app my-new-app --template=vite
npm run package
Additional information
No response
The text was updated successfully, but these errors were encountered: