genversion: client-safe version prop for npm modules

JavaScript modules published at the node package manager npm have a version string written in a file called package.json. Sometimes it is beneficial to bundle the version information into the source code itself, so that it can be checked by another program or by the developer. Although npm modules were targeted mostly at Node.js and server-side JavaScript in the past, today many of the modules are for client-side web applications too. This causes a problem. The package.json also contains other things in addition to the version string and, due to the way JavaScript modules are combined, those other things are imported into the client-side bundle, whether you wanted that or not.

Usually you do not want that. Every byte counts, especially if your client-side module wants to be as tight as possible. Also, to reduce your attack surface, you do not want to expose the versions of your dependencies, which happen to be stored in the package.json. Sometimes the package.json contains the dependencies of both the client side and the server side, and thus you might expose your server's security weaknesses through your client app.

To import only the version string and nothing more, I created an easy-to-use command-line tool called genversion. It is meant to be placed in your build process. It reads the version string from package.json and generates a minimalistic version module file that contains only the version. By importing that new version module into your app, you get the version string without the extras.

See genversion at npm

See genversion source code at GitHub
