HowDoI
You can regenerate generated/prod-sources.json, which has a hash for every production source file.
If the hashes are out of date you will see those Blocking require log messages.
SOURCE_LIST_UP_TO_DATE=0 scripts/generate-production-source-list.js generated/prod-sources
Running npm test will also update it, but npm test runs some sloooow tests.
It's normal to see some log spam like
lib/framework/module-hooks/sensitive-module-hook.js: Blocking require("http") by
node_modules/clean-css/lib/reader/load-remote-resource.js
lib/framework/module-hooks/sensitive-module-hook.js: Blocking require("vm") by
node_modules/jsdom/lib/jsdom/browser/Window.js,
node_modules/jsdom/lib/jsdom/living/helpers/create-event-accessor.js,
node_modules/jsdom/lib/jsdom/living/nodes/HTMLScriptElement-impl.js
This happens because DOMPurify, the HTML sanitizer used by lib/safe/html.js, parses HTML via a JavaScript DOM implementation which has the potential to fetch resources over the network or load code found in <script> element bodies.
The target application doesn't need this part of jsdom, so we intentionally did not allow access; these log messages indicate that the sensitive-module-hook is working as intended.
TODO: Maybe allow the sensitive module hook configuration to specify some known rejects so that we can avoid logging these messages or use console.info instead of console.warn.
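One way the known-rejects idea in the TODO could work, as an added sketch that is not the project's sensitive-module-hook.js. The policy shape, the `decide` function, `lib/server.js`, `example-dep` and the `/app` root are all assumptions made for illustration.

```javascript
'use strict';
// Added illustration only; not the project's sensitive-module-hook.js.
const path = require('path');

// Hypothetical policy shape (an assumption, not the project's config format).
const POLICY = {
  // Sensitive builtin -> project-relative files allowed to require it.
  allow: { http: ['lib/server.js'], vm: [] },
  // Denials that are expected, so they are logged at info instead of warn.
  knownRejects: {
    http: ['node_modules/clean-css/lib/reader/load-remote-resource.js'],
    vm: ['node_modules/jsdom/lib/jsdom/browser/Window.js'],
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decide whether `importer` may require `id`, and how loudly to log a denial.
function decide(policy, root, importer, id) {
  // require("node:vm") and require("vm") load the same builtin.
  const name = id.startsWith('node:') ? id.slice(5) : id;
  // Own-property check so ids like "constructor" never match Object.prototype.
  if (!own(policy.allow, name)) return { allow: true, level: null, message: null };
  // Compare project-relative POSIX paths so "a/../b" spellings cannot slip past.
  const rel = path.relative(root, path.resolve(root, importer)).split(path.sep).join('/');
  if (policy.allow[name].includes(rel)) return { allow: true, level: null, message: null };
  const expected = own(policy.knownRejects, name) && policy.knownRejects[name].includes(rel);
  return {
    allow: false,
    level: expected ? 'info' : 'warn',
    message: `Blocking require(${JSON.stringify(name)}) by ${rel}`,
  };
}

// Constructed sample requests (two paths from the log lines above, the rest made up).
const ROOT = '/app';
const SAMPLES = [
  ['/app/lib/server.js', 'http'],
  ['/app/node_modules/clean-css/lib/reader/load-remote-resource.js', 'http'],
  ['/app/node_modules/jsdom/lib/jsdom/browser/Window.js', 'node:vm'],
  ['/app/node_modules/example-dep/index.js', 'vm'],
  ['/app/lib/../node_modules/example-dep/index.js', 'fs'],
];
for (const [file, id] of SAMPLES) {
  const d = decide(POLICY, ROOT, file, id);
  if (d.level) console[d.level](d.message);
}
```

Only the `example-dep` request is logged with console.warn; the two denials listed under `knownRejects` go to console.info, so an unexpected blocked require stands out from the routine ones.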