@elliemae/pui-cli 9.0.0-next.52 → 9.0.0-next.61

package/dist/esm/server/logger.js

@@ -1,5 +1,6 @@
 import chalk from "chalk";
 import ip from "ip";
+import { isHttps } from "../utils.js";
 const divider = chalk.gray("\n-----------------------------------");
 const logger = {
   // Called whenever there's an error on the server we want to print
@@ -15,10 +16,12 @@ const logger = {
     const accessUrls = `${chalk.bold("Access URLs:")}${divider}
 `;
     const localHostUrl = `Localhost: ${chalk.magenta(
-      `http://${host}:${port}`
+      `${isHttps() ? "https" : "http"}://${host}:${port}`
     )}
 `;
-    const lanUrl = `LAN: ${chalk.magenta(`http://${ip.address()}:${port}`)}
+    const lanUrl = `LAN: ${chalk.magenta(
+      `${isHttps() ? "https" : "http"}://${ip.address()}:${port}`
+    )}
 `;
     const proxy = tunnelStarted ? `
     Proxy: ${chalk.magenta(tunnelStarted)}` : "";

package/dist/esm/server/middlewares.js

@@ -27,7 +27,7 @@ const setupDefaultMiddlewares = (app) => {
 const setupAdditionalMiddlewars = (app, options = {}) => {
   const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
   app.use(compression());
-  app.get(basePath, (req, res) => {
+  app.get(basePath, (_req, res) => {
     sendFileWithCSPNonce({ buildPath, res });
   });
   app.use(
@@ -41,7 +41,7 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
   app.use(expressStaticGzip("cdn", {}));
   app.get(
     "*",
-    (req, res) => sendFileWithCSPNonce({ buildPath, res })
+    (_req, res) => sendFileWithCSPNonce({ buildPath, res })
   );
   return app;
 };

package/dist/esm/server/wsServer.js

@@ -1,5 +1,8 @@
+import https from "node:https";
 import http from "node:http";
 import * as wsLib from "ws";
+import { getCertOptions } from "./cert.js";
+import { isHttps } from "../utils.js";
 const PING_INTERVAL = 3e4;
 const DEFAULT_PORT = 5001;
 const onSocketError = (err) => {
@@ -25,9 +28,9 @@ const createWSServer = ({
   const heartbeat = () => {
     isAlive = true;
   };
-  const httpServer = http.createServer();
+  const server = isHttps() ? https.createServer(getCertOptions()) : http.createServer();
   const wsServer = new wsLib.WebSocketServer({ noServer: true });
-  httpServer.on("upgrade", (req, socket, head) => {
+  server.on("upgrade", (req, socket, head) => {
     socket.on("error", onSocketError);
     wsServer.handleUpgrade(req, socket, head, (ws) => {
       const protocols = req.headers["sec-websocket-protocol"]?.split(",");
@@ -84,9 +87,9 @@ const createWSServer = ({
     clearInterval(interval);
   });
   return new Promise((resolve) => {
-    httpServer.listen(port, () => {
+    server.listen(port, () => {
       console.log(`Websocket server listening on port ${port}`);
-      return resolve({ httpServer, wsServer });
+      return resolve({ server, wsServer });
     });
   });
 };

package/dist/esm/testing/jest.config.cjs

@@ -6,10 +6,8 @@ const { findMonoRepoRoot } = require('../monorepo/utils.cjs');
 
 let isReactModule = true;
 try {
-  /* eslint-disable global-require, import/no-unresolved */
   require('react');
   require('styled-components');
-  /* eslint-enable global-require, import/no-unresolved */
 } catch (err) {
   isReactModule = false;
 }
@@ -64,6 +62,7 @@ const jestConfig = {
     '.*\\.(jpg|jpeg|png|gif|eot|otf|webp|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga|ico)$':
       getMockFilePath('image.js'),
     '.*\\.svg(?:\\?[a-zA-Z]+)?$': getMockFilePath('svg.js'),
+    '.*iframe\\.html(?:\\?[a-zA-Z]+)?$': getMockFilePath('iframe.js'),
     '.*\\.html(?:\\?[a-zA-Z]+)?$': getMockFilePath('html.js'),
     '@elliemae/pui-user-monitoring': getMockFilePath('pui-user-monitoring.js'),
     '@elliemae/pui-app-loader': getMockFilePath('pui-app-loader.js'),

package/dist/esm/testing/jest.polyfills.cjs

@@ -1,5 +1,5 @@
 /**
- * @note The block below contains polyfills for Node.js globals
+ * The block below contains polyfills for Node.js globals
  * required for Jest to function when running JSDOM tests.
  * These HAVE to be require's and HAVE to be in this exact
  * order, since "undici" depends on the "TextEncoder" global API.

package/dist/esm/testing/mocks/iframe.js

@@ -0,0 +1,4 @@
+var iframe_default = "./iframe.html";
+export {
+  iframe_default as default
+};

package/dist/esm/testing/mocks/svg.js

@@ -1,4 +1,3 @@
-import * as React from "react";
 var svg_default = "SvgrURL";
 const ReactComponent = "div";
 export {

package/dist/esm/testing/resolver.cjs

@@ -32,7 +32,6 @@ module.exports = (request, options) => {
   }
   const resolution = resolutions.find(({ matcher }) => matcher.test(request));
   if (resolution) {
-    // eslint-disable-next-line no-restricted-syntax
     for (const extension of resolution.extensions) {
       try {
         return resolver(

package/dist/esm/testing/vitest.config.js

@@ -1,16 +1,13 @@
-import path from "node:path";
-import { fileURLToPath } from "node:url";
 import { defineConfig, configDefaults } from "vitest/config";
 import react from "@vitejs/plugin-react";
 import tsconfigPaths from "vite-tsconfig-paths";
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const vitestConfig = defineConfig({
+  // @ts-expect-error - `react` and `tsconfigPaths` are not part of the default config
   plugins: [react(), tsconfigPaths()],
   test: {
     globals: true,
     root: process.cwd(),
     environment: "happy-dom",
-    setupFiles: [path.resolve(__dirname, "./setup-test-env.js")],
     include: ["./{app,lib}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}"],
     exclude: [...configDefaults.exclude, ".idea", ".git", ".cache", "e2e"],
     coverage: {

package/dist/esm/transpile/.swcrc

@@ -4,6 +4,7 @@
       "syntax": "typescript",
       "jsx": true,
       "tsx": true,
+      "decorators": true,
       "dynamicImport": true
     },
     "target": "es2022"

package/dist/esm/utils.cjs

@@ -14,7 +14,7 @@ exports.getAppConfig = () => {
 
   if (!fs.existsSync(appConfigPath)) return '{}';
   const appConfig = fs.readFileSync(appConfigPath);
-  return appConfig || '{}';
+  return appConfig ?? '{}';
 };
 
 exports.isApp = isApp;

package/dist/esm/utils.js

@@ -2,6 +2,7 @@ import fs from "node:fs";
 import path from "node:path";
 const basePath = (process.env.BASE_PATH ?? "/").replace(/\/?$/, "/");
 const isApp = () => fs.existsSync(path.join(process.cwd(), "app"));
+const isHttps = () => process.env.HTTPS === "true";
 const getAppConfig = () => {
   const appConfigPath = path.join(
     process.cwd(),
@@ -15,5 +16,6 @@ const getAppConfig = () => {
 export {
   basePath,
   getAppConfig,
-  isApp
+  isApp,
+  isHttps
 };

package/dist/esm/webpack/csp-plugin.js

@@ -0,0 +1,49 @@
+import HtmlWebpackPlugin from "html-webpack-plugin";
+import { CSP } from "./csp.js";
+const defaultOptions = {
+  enableUnsafeEval: false
+};
+class CspPlugin {
+  #options = defaultOptions;
+  /**
+   * @param {object} options Additional options for this module.
+   */
+  constructor(options) {
+    this.#options = { ...this.#options, ...options ?? {} };
+  }
+  /**
+   * Processes HtmlWebpackPlugin's html data by adding the CSP
+   * @param _compilation
+   * @param htmlPluginData
+   * @param htmlPluginData.html
+   * @param compileCb
+   * @returns {*}
+   */
+  processCsp(_compilation, htmlPluginData, compileCb) {
+    const cspModule = new CSP(htmlPluginData.html);
+    cspModule.refactorSourcedScriptsForHashBasedCsp();
+    const scriptHashes = cspModule.hashAllInlineScripts();
+    const { enableUnsafeEval } = this.#options;
+    const strictCsp = CSP.getStrictCsp(scriptHashes, {
+      enableUnsafeEval
+    });
+    cspModule.addMetaTag(strictCsp);
+    htmlPluginData.html = cspModule.serializeDom();
+    return compileCb(null, htmlPluginData);
+  }
+  /**
+   * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+   * @param compiler
+   */
+  apply(compiler) {
+    compiler.hooks.compilation.tap("CspPlugin", (compilation) => {
+      HtmlWebpackPlugin.getCompilationHooks(compilation).beforeEmit.tapAsync(
+        "CspPlugin",
+        this.processCsp.bind(this, compilation)
+      );
+    });
+  }
+}
+export {
+  CspPlugin
+};

package/dist/esm/webpack/csp.js

@@ -0,0 +1,128 @@
+import * as crypto from "node:crypto";
+import * as cheerio from "cheerio";
+class CSP {
+  static HASH_FUNCTION = "sha256";
+  static INLINE_SCRIPT_SELECTOR = "script:not([src])";
+  static SOURCED_SCRIPT_SELECTOR = "script[src]";
+  $;
+  constructor(html) {
+    this.$ = cheerio.load(html);
+  }
+  serializeDom() {
+    return this.$.root().html() ?? "";
+  }
+  /**
+   * Returns a strict Content Security Policy for mittigating XSS.
+   * For more details read csp.withgoogle.com.
+   * If you modify this CSP, make sure it has not become trivially bypassable by
+   * checking the policy using csp-evaluator.withgoogle.com.
+   * @param hashes A list of sha-256 hashes of trusted inline scripts.
+   * @param cspOptions
+   * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+   * @param enableBrowserFallbacks If fallbacks for older browsers should be
+   *   added. This is will not weaken the policy as modern browsers will ignore
+   *   the fallbacks.
+   * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+   *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+   *   keyword which will make your policy slightly less secure.
+   * @param cspOptions.enableBrowserFallbacks
+   * @param cspOptions.enableTrustedTypes
+   * @param cspOptions.enableUnsafeEval
+   * @returns A strict Content Security Policy string.
+   */
+  static getStrictCsp(hashes, cspOptions = {
+    enableUnsafeEval: false
+  }) {
+    const strictCspTemplate = {
+      // 'strict-dynamic' allows hashed scripts to create new scripts.
+      "script-src": [`'strict-dynamic'`, ...hashes ?? []],
+      // Restricts `object-src` to disable dangerous plugins like Flash.
+      "object-src": [`'none'`],
+      // Restricts `base-uri` to block the injection of `<base>` tags. This
+      // prevents attackers from changing the locations of scripts loaded from
+      // relative URLs.
+      "base-uri": [`'self'`]
+    };
+    if (cspOptions.enableUnsafeEval) {
+      strictCspTemplate["script-src"].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate).map(([directive, values]) => `${directive} ${values.join(" ")};`).join("");
+  }
+  /**
+   * Enables a CSP via a meta tag at the beginning of the document.
+   * Warning: It's recommended to set CSP as HTTP response header instead of
+   * using a meta tag. Injections before the meta tag will not be covered by CSP
+   * and meta tags don't support CSP in report-only mode.
+   * @param csp A Content Security Policy string.
+   */
+  addMetaTag(csp) {
+    let metaTag = this.$('meta[http-equiv="Content-Security-Policy"]');
+    if (!metaTag.length) {
+      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+        "meta"
+      );
+      metaTag.prependTo(this.$("head"));
+    }
+    metaTag.attr("content", csp);
+  }
+  /**
+   * Replaces all sourced scripts with a single inline script that can be hashed
+   */
+  refactorSourcedScriptsForHashBasedCsp() {
+    const scriptInfoList = this.$(CSP.SOURCED_SCRIPT_SELECTOR).map((_i, script) => {
+      const src = this.$(script).attr("src") ?? "";
+      const type = this.$(script).attr("type") ?? "";
+      this.$(script).remove();
+      return { src, type };
+    }).toArray().filter((info) => info.src);
+    const loaderScript = CSP.createLoaderScript(scriptInfoList);
+    if (!loaderScript) {
+      return;
+    }
+    const newScript = cheerio.load("<script>")("script");
+    newScript.text(loaderScript);
+    newScript.appendTo(this.$("body"));
+  }
+  /**
+   * Returns a list of hashes of all inline scripts found in the HTML document.
+   * @returns A list of sha-256 hashes of inline scripts.
+   */
+  hashAllInlineScripts() {
+    return this.$(CSP.INLINE_SCRIPT_SELECTOR).map((_i, elem) => CSP.hashInlineScript(this.$(elem).html() ?? "")).get();
+  }
+  /**
+   * Returns JS code for dynamically loading sourced (external) scripts.
+   * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+   * @returns JS code for loading scripts.
+   */
+  static createLoaderScript(scriptInfoList) {
+    if (!scriptInfoList.length) {
+      return void 0;
+    }
+    return `
+    var scripts = ${JSON.stringify(scriptInfoList)};
+    scripts.forEach(function(scriptInfo) {
+      var s = document.createElement('script');
+      s.src = scriptInfo.src;
+      if (scriptInfo.type) {
+        s.type = scriptInfo.type;
+      }
+      s.async = false; // preserve execution order.
+      document.body.appendChild(s);
+    });
+    `;
+  }
+  /**
+   * Calculates a CSP compatible hash of an inline script.
+   * @param scriptText Text between opening and closing script tag. Has to
+   *     include whitespaces and newlines!
+   * @returns A sha-256 hash of the script.
+   */
+  static hashInlineScript(scriptText) {
+    const hash = crypto.createHash(CSP.HASH_FUNCTION).update(scriptText, "utf-8").digest("base64");
+    return `'${CSP.HASH_FUNCTION}-${hash}'`;
+  }
+}
+export {
+  CSP
+};

package/dist/esm/webpack/helpers.js

@@ -15,7 +15,7 @@ const getNodeModulesRegEx = (modules) => modules.map(
 const excludeNodeModulesExcept = (modules) => {
   const moduleRegExps = getNodeModulesRegEx(modules);
   return function(modulePath) {
-    if (/node_modules/.test(modulePath)) {
+    if (modulePath.includes("node_modules")) {
       for (const moduleRegExp of moduleRegExps)
         if (moduleRegExp.test(modulePath)) return false;
       return true;
@@ -87,9 +87,9 @@ const getUserMonitoringFileName = () => {
   );
   if (!fs.existsSync(userMonLibPath)) return `${libName}.js`;
   const distJSFiles = fs.readdirSync(userMonLibPath);
-  return distJSFiles.filter(
-    (fName) => fName.match(/emuiUserMonitoring+((?!chunk).)*\.js$/)
-  )[0];
+  return distJSFiles.find(
+    (fName) => /emuiUserMonitoring+((?!chunk).)*\.js$/.exec(fName)
+  );
 };
 const getAppLoaderFileName = () => {
   const libName = "emuiAppLoader";
@@ -99,9 +99,9 @@ const getAppLoaderFileName = () => {
   );
   if (!fs.existsSync(appLoaderLibPath)) return `${libName}.js`;
   const distJSFiles = fs.readdirSync(appLoaderLibPath);
-  return distJSFiles.filter(
-    (fName) => fName.match(/emuiAppLoader+((?!chunk).)*\.js$/)
-  )[0];
+  return distJSFiles.find(
+    (fName) => /emuiAppLoader+((?!chunk).)*\.js$/.exec(fName)
+  );
 };
 const getDiagnosticsFileName = () => {
   const libName = "emuiDiagnostics";
@@ -111,9 +111,9 @@ const getDiagnosticsFileName = () => {
   );
   if (!fs.existsSync(libPath)) return `${libName}.js`;
   const distJSFiles = fs.readdirSync(libPath);
-  return distJSFiles.filter(
-    (fName) => fName.match(/emuiDiagnostics+((?!chunk).)*\.js$/)
-  )[0];
+  return distJSFiles.find(
+    (fName) => /emuiDiagnostics+((?!chunk).)*\.js$/.exec(fName)
+  );
 };
 const getENCWLoaderFileName = () => {
   const libName = "emuiEncwLoader";
@@ -123,13 +123,13 @@ const getENCWLoaderFileName = () => {
   );
   if (!fs.existsSync(appLoaderLibPath)) return `${libName}.js`;
   const distJSFiles = fs.readdirSync(appLoaderLibPath);
-  return distJSFiles.filter(
-    (fName) => fName.match(/emuiEncwLoader+((?!chunk).)*\.js$/)
-  )[0];
+  return distJSFiles.find(
+    (fName) => /emuiEncwLoader+((?!chunk).)*\.js$/.exec(fName)
+  );
 };
 const getAppVersion = () => {
   if (!process.env.APP_VERSION) return LATEST_VERSION;
-  const match = process.env.APP_VERSION.match(/^v?(\d+\.\d+)\..*$/);
+  const match = /^v?(\d+\.\d+)\..*$/.exec(process.env.APP_VERSION);
   return match?.[1] ?? LATEST_VERSION;
 };
 const getPaths = (latestVersion = true) => {

package/dist/esm/webpack/interceptor-middleware.js

@@ -0,0 +1,105 @@
+const VALID_PARAMS = ["isInterceptable", "intercept", "afterSend"];
+const validateParams = (methods) => {
+  Object.keys(methods).forEach((k) => {
+    if (!VALID_PARAMS.includes(k)) {
+      throw new Error(`${k} isn't a valid param (${VALID_PARAMS.join(", ")})`);
+    }
+  });
+  if (!("isInterceptable" in methods)) {
+    throw new Error("isInterceptable is a required param (function)");
+  }
+};
+const interceptorMiddleware = (fn) => (req, res, next) => {
+  const methods = fn(req, res);
+  validateParams(methods);
+  const originalEnd = res.end;
+  const originalWrite = res.write;
+  const chunks = [];
+  let isIntercepting;
+  let isFirstWrite = true;
+  function intercept(rawChunk, encoding) {
+    if (isFirstWrite) {
+      isFirstWrite = false;
+      isIntercepting = methods.isInterceptable();
+    }
+    if (isIntercepting) {
+      if (rawChunk) {
+        let tempChunk = rawChunk;
+        if (rawChunk !== null && !Buffer.isBuffer(tempChunk)) {
+          if (!encoding) {
+            tempChunk = Buffer.from(rawChunk);
+          } else {
+            tempChunk = Buffer.from(
+              rawChunk,
+              encoding
+            );
+          }
+        }
+        chunks.push(tempChunk);
+      }
+    }
+    return isIntercepting;
+  }
+  const newResWrite = (...args) => {
+    if (!intercept(args[0], args[1])) {
+      return originalWrite.apply(res, args);
+    }
+    return true;
+  };
+  res.write = newResWrite;
+  const afterSend = (oldBody, newBody) => {
+    if (typeof methods.afterSend === "function") {
+      process.nextTick(() => {
+        methods.afterSend?.(oldBody, newBody);
+      });
+    }
+  };
+  const newResEnd = (...args) => {
+    if (intercept(args[0], args[1])) {
+      isIntercepting = false;
+      const oldBody = Buffer.concat(chunks).toString("utf-8");
+      if (methods.intercept) {
+        if (typeof methods.intercept !== "function") {
+          throw new Error(
+            "`send` must be a function with the body to be sent as the only param"
+          );
+        }
+        res.removeHeader("Content-Length");
+        methods.intercept(oldBody, (newBody) => {
+          args[0] = newBody;
+          originalEnd.apply(res, args);
+          afterSend(oldBody, newBody);
+        });
+      } else {
+        afterSend(oldBody, oldBody);
+        originalEnd.apply(res, args);
+      }
+    } else {
+      originalEnd.apply(res, args);
+    }
+  };
+  res.end = newResEnd;
+  next();
+};
+const addCSPNonceMiddleware = (middlewares) => {
+  const index = middlewares.findIndex(
+    (middleware) => middleware.name === "webpack-dev-middleware"
+  );
+  middlewares.splice(index, 0, {
+    name: "csp-nonce-middleware",
+    middleware: interceptorMiddleware((_req, res) => ({
+      // Only HTML responses will be intercepted
+      isInterceptable() {
+        return (res.get("Content-Type") ?? "").includes("text/html");
+      },
+      // Appends a paragraph at the end of the response body
+      intercept(body, send) {
+        send(body.replace(/__CSP_NONCE__/g, res.locals.cspNonce));
+      }
+    }))
+  });
+};
+export {
+  addCSPNonceMiddleware,
+  interceptorMiddleware
+};

package/dist/esm/webpack/webpack.dev.babel.js

@@ -6,6 +6,7 @@ import CircularDependencyPlugin from "circular-dependency-plugin";
 import MiniCssExtractPlugin from "mini-css-extract-plugin";
 import ReactRefreshWebpackPlugin from "@pmmmwh/react-refresh-webpack-plugin";
 import expressStaticGzip from "express-static-gzip";
+import { addCSPNonceMiddleware } from "./interceptor-middleware.js";
 import { setupDefaultMiddlewares } from "../server/middlewares.js";
 import { loadRoutes } from "../server/appRoutes.js";
 import {
@@ -16,6 +17,8 @@ import {
 import { baseConfig } from "./webpack.base.babel.js";
 import { wsPort } from "../server/utils.js";
 import { createWSServer } from "../server/wsServer.js";
+import { getCertOptions } from "../server/cert.js";
+import { isHttps } from "../utils.js";
 const __filename = fileURLToPath(import.meta.url);
 const {
   appVersion,
@@ -27,6 +30,10 @@ const {
   diagnosticsScriptPath,
   encwLoaderScriptPath
 } = getPaths();
+const serverOptions = {
+  type: "https",
+  options: getCertOptions()
+};
 const devConfig = {
   mode: "development",
   cache: {
@@ -70,7 +77,7 @@ const devConfig = {
   // Add development plugins
   plugins: [
     new HtmlWebpackPlugin({
-      inject: !isAppLoaderEnabled() ? "head" : false,
+      inject: !isAppLoaderEnabled() && process.env.CSP !== "true",
       // Inject all files that are generated by webpack, e.g. bundle.js
       template: !isAppLoaderEnabled() ? "app/index.html" : "app/index-app-loader.html",
       emui: {
@@ -81,10 +88,14 @@ const devConfig = {
         appLoaderScriptPath,
         diagnosticsScriptPath,
         encwLoaderScriptPath,
-        googleTagManager: isGoogleTagManagerEnabled()
+        googleTagManager: isGoogleTagManagerEnabled(),
+        csp: process.env.CSP === "true"
       },
       scriptLoading: "defer"
     }),
+    // new CspPlugin(HtmlWebpackPlugin, {
+    //   enableUnsafeEval: true,
+    // }),
     new CircularDependencyPlugin({
       exclude: /a\.(js|ts|jsx|tsx)|node_modules/,
       // exclude node_modules
@@ -117,11 +128,12 @@ const devConfig = {
     hot: true,
     open: [basePath],
     port: process.env.PORT ?? "auto",
+    server: isHttps() ? serverOptions : {},
     setupMiddlewares: (middlewares, devServer) => {
+      addCSPNonceMiddleware(middlewares);
       if (devServer.app) {
         setupDefaultMiddlewares(devServer.app);
-        loadRoutes(devServer.app).then(() => {
-        }).catch((err) => {
+        loadRoutes(devServer.app).catch((err) => {
           console.error(err);
         });
         const cdnRouter = expressStaticGzip("cdn", {});

package/dist/esm/webpack/webpack.lib.base.babel.js

@@ -39,13 +39,11 @@ const plugins = [
   new webpack.DefinePlugin({
     APP_CONFIG: getAppConfig()
   }),
-  /* eslint-disable indent */
   ...copyPluginPatterns.length > 0 ? [
     new CopyWebpackPlugin({
       patterns: copyPluginPatterns
     })
   ] : [],
-  /* eslint-enable indent */
   new webpack.optimize.LimitChunkCountPlugin({
     maxChunks: 1
   }),

package/dist/esm/webpack/webpack.lib.prod.babel.js

@@ -45,7 +45,9 @@ const prodConfig = {
     minimizer: [
       new EsbuildPlugin({
         target: browserslistToEsbuild(),
-        css: true
+        css: true,
+        pure: ["console.log", "console.warn"],
+        drop: ["debugger"]
       })
     ],
     nodeEnv: "production",

package/dist/esm/webpack/webpack.prod.babel.js

@@ -29,10 +29,13 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
+      // realContentHash: false,
       minimizer: [
         new EsbuildPlugin({
           target: browserslistToEsbuild(),
-          css: true
+          css: true,
+          pure: ["console.log", "console.warn"],
+          drop: ["debugger"]
         })
       ],
       runtimeChunk: true,
@@ -46,7 +49,8 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
           },
           vendors: {
             name: "vendors",
-            test: /[\\/]node_modules[\\/]/
+            test: /[\\/]node_modules[\\/]/,
+            enforce: true
           }
         }
       }
@@ -83,7 +87,7 @@ const {
   basePath
 } = getPaths();
 const htmlWebpackPlugin = new HtmlWebpackPlugin({
-  inject: !isAppLoaderEnabled() ? "head" : false,
+  inject: !isAppLoaderEnabled() && process.env.CSP !== "true",
   template: !isAppLoaderEnabled() ? "app/index.html" : "app/index-app-loader.html",
   minify: {
     removeComments: true,
@@ -105,12 +109,15 @@ const htmlWebpackPlugin = new HtmlWebpackPlugin({
     appLoaderScriptPath,
     diagnosticsScriptPath,
     encwLoaderScriptPath,
-    googleTagManager: isGoogleTagManagerEnabled()
+    googleTagManager: isGoogleTagManagerEnabled(),
+    csp: process.env.CSP === "true"
   },
   scriptLoading: "defer"
 });
 const config = baseConfig(getProdConfig());
-if (config.plugins) config.plugins.push(htmlWebpackPlugin);
+if (config.plugins) {
+  config.plugins.push(htmlWebpackPlugin);
+}
 var webpack_prod_babel_default = config;
 export {
   webpack_prod_babel_default as default