socket-function 0.144.0 → 0.146.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -255,7 +255,7 @@ class RequireControllerBase {
|
|
|
255
255
|
originalId: module.id,
|
|
256
256
|
filename: module.filename,
|
|
257
257
|
// NOTE: Due to recursive sets of allowclient, it is very possible for allowclient && serveronly to be set.
|
|
258
|
-
allowclient: module
|
|
258
|
+
allowclient: getIsAllowClient(module),
|
|
259
259
|
serveronly: module.serveronly,
|
|
260
260
|
requests: Object.create(null),
|
|
261
261
|
seqNum: module.requireControllerSeqNum,
|
|
@@ -419,11 +419,7 @@ async function compressCached(bufferKey: string, buffer: () => Buffer): Promise<
|
|
|
419
419
|
}
|
|
420
420
|
|
|
421
421
|
export function getIsAllowClient(module: NodeJS.Module) {
|
|
422
|
-
//
|
|
423
|
-
if (module.filename.includes("node_modules")) {
|
|
424
|
-
// The packages are public anyway, so we might as well allow serving them client-side. They still need to be included server side, so this doesn't create any vulnerabilities.
|
|
425
|
-
return true;
|
|
426
|
-
}
|
|
422
|
+
// IMPORTANT! We do not allow everything in node modules by default, as most things in node modules, you don't want to import client-side, and it will break if you import it client-side. Many of these are imported, but will never end up being called client-side, so it's fine to exclude them.
|
|
427
423
|
return module.allowclient && !module.serveronly;
|
|
428
424
|
}
|
|
429
425
|
|