Don't reference package.json and using module field in package.sjon

[ChristianStornowski]

I'm using webpack 3 and bundle dependencies by using es2015 import and export statements. TypeScript is transcompiling everything.
Therefore the module field in proj4 package.json will lead webpack to lib/index.js and this uses version.js. My problem is now the version.js which reference to proj4js package.json. Because of this combination webpack is bundling package.json from proj4js for my app. npm 5 added some file system path information at installing proj4js.
So i will have a production app with a bundled proj4js package.json with lmy ocal file system path information. In my opinion this is a security issue.

[calvinmetcalf]

The security issue is in Webpack 3, as rollup which we use to build this,
and browserify before that don't include the path information

I thought we took some steps to make sure the package.json didn't get bundled, will look into this, though @ahocevar and I are both at a conf this week so it might not be until next week

[calvinmetcalf]

try building with the --optimize-minimize flag

[ChristianStornowski]

Thanks for helping me. I used this flag and my problem is not solved :-/
Also using -p like in documentation https://webpack.js.org/guides/production/ doesn't work.
I found an issue with module field in package.json and webpack 2 webpack/webpack#1979

[calvinmetcalf]

the issue is that the json loader doesn't support scope hosting, so I opened a pull to try to fix that

[calvinmetcalf]

you can also try pointing to a prebuild version of proj4, e.g. 'proj4/dist/proj4-src.js'

[ChristianStornowski]

you can also try pointing to a prebuild version of proj4, e.g. 'proj4/dist/proj4-src.js'
I tried this out and this works.

[kngai]

Has there been a fix to this? I'm getting the same issue. Proj4JS ^2.5.0 is in my dependency and using npm 5.6.0.

I'm using webpack 3.6 as well and on build, my resulting dist/static/js/app.js file includes the system file path (I'm using Windows; _where:"C:\\Users\\MyUserName\\path\\to\\application").

I tried using the prebuild version but it made no difference:
import proj4 from 'proj4/dist/proj4-src.js'