-
-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security and bundle size #177
Comments
For this and many other reasons, I'm currently in the process of splitting-up |
Hi @JamesMessinger, Are you still planning to work on this? Just checking... I know this is probably a personal project, so no pressure 🙂 |
The new libraries are something I’m taking a look at so we can figure out the next moves. They’re already pretty tasty from what I can tell but there’s been a lot of work required to get through issues and bugs. I’ve trimmed down the issue tracker and will keep doing that so we can make sure this one is doing alright, and make sure we’re not repeating any mistakes, and make the right choices for the new library. That said, meaningful refractors won’t be happening in here, so we can close this down and you’ll be aware of the replacements when they come through notices in NPM if nothing else. |
Okay, thanks 🙂 |
In our project, we never want the schema parser to automatically load files while parsing. Currently, local and remote file loading can be disabled by setting
file
andhttp
tofalse
inoptions
, but from a security perspective, I'd feel better if the code for including files weren't even present in my app. This would also reduce the bundle size :)My proposal is to split out the default file and http resolvers and YAML and JSON parsers into separate functions that are exported separately from $RefParser and then have the user pass those functions in as options if he wants to use them.
For example:
Also, ideally, the project would export separate functions for
dereference()
,parse()
, etc., instead of bundling them all into one $RefParser object. This would allow for better tree shaking and therefore a smaller bundle size.Putting these ideas all together, the final concept looks something like this:
In the above example, only the contents of
jsonSchemaDereference
,fileResolver
, andjsonParser
would need to be included in the final bundle, which should significantly reduce its size.For backwards compatibility, you could still provide a default export from your package that provided the old behavior, like so:
The text was updated successfully, but these errors were encountered: