Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Path of Vue component file is exposed by __vue_options__.__file. #516

Closed
songsiqi opened this issue Dec 2, 2016 · 9 comments
Closed

Path of Vue component file is exposed by __vue_options__.__file. #516

songsiqi opened this issue Dec 2, 2016 · 9 comments

Comments

@songsiqi
Copy link

songsiqi commented Dec 2, 2016

I use vue-loader@^9.

__vue_options__.__file = "/Users/username/Documents/path/to/component.vue"
__vue_options__.render = __vue_template__.render
__vue_options__.staticRenderFns = __vue_template__.staticRenderFns

How to avoid this?
@LinusBorg
Copy link
Member

This is disabled in production and is used in development to provide better error messages.

@mactive mactive mentioned this issue Feb 17, 2017
Closed
@fritx
Copy link

fritx commented Nov 28, 2017

Excuse me, how to turn that minimize on ???

@LinusBorg
Copy link
Member

Just minimize your code, e.g. with uglify webpack plugin. We already do or in our template.

@justblender
Copy link

I'm sorry for bumping this old issue, but is there any reason why even production builds now expose component's filename? Maybe there should be a way to disable this behavior?

@LinusBorg
Copy link
Member

See:

vue-loader/lib/index.js

Lines 178 to 186 in f0beed3

// Expose filename. This is used by the devtools and Vue runtime warnings.
code += `\ncomponent.options.__file = ${
isProduction
// For security reasons, only expose the file's basename in production.
? JSON.stringify(filename)
// Expose the file's full path in development, so that it can be opened
// from the devtools.
: JSON.stringify(rawShortFilePath.replace(/\\/g, '/'))
}`

@justblender
Copy link

I've seen this code multiple times. I just want to have a way to disable this behaviour since I don't rely on devtools and runtime warnings in production 😞 Maybe I shouldn't have migrated to Webpack 4..

@LinusBorg
Copy link
Member

LinusBorg commented Sep 3, 2018
edited
Loading

you can always

  • Fork vue-loader
  • Remove the code you don't like.

If you actually want to make an effort to have this changed in vue-loader itself, please open a feature request with an explanation about why this is a problem for you and why offering a way to remove it is valuable to you, and if you want to help us even more, send a PR.

Debates in months-old, closed issues easily get lost.

@apertureless apertureless mentioned this issue Nov 20, 2018
Closed
@ghost
Copy link

ghost commented Dec 4, 2018

I have created #1446 to document the behavior.

@ghost ghost mentioned this issue Dec 4, 2018
Closed
@2-5
Copy link

2-5 commented Dec 10, 2018
edited
Loading

For those who inspected their minified bundles and were most surprised by this undocumented sensitive information leak, here is how to fix it if you use webpack. We are going to go over the vue-loader output and strip it with a regular expression, with the help of the string-replace-loader plugin:

npm install --save-dev string-replace-loader

And in your webpack config:

module: {
  rules: [
    {
      test: /\.vue$/,
      use: [
        {
          loader: 'string-replace-loader',
          options: {
            search: '\\.options\\.__file = ".*"',
            replace: '.options.__file = "a.vue"',
            flags: '',
          },
        },
        { loader: 'vue-loader' },
      ],
    },
  ],
},

Of course, it's relatively fragile, so check periodically that it's still working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@LinusBorg @songsiqi @2-5 @justblender @fritx