These are chat archives for webpack/webpack/dev

Dec 2017
Alexey Taktarov
Dec 14 2017 13:28
Hi everyone, sorry for bothering in advance, seems like the whole Webpack Gitter is overloaded with questions. I was looking at how popular JS libraries are bundled and noticed that it's possible to write a malicious client-side package that will define a custom loader inside, e.g. create a node_modules/evil-loader.js and require anything with inline loader syntax require('evil-loader!foo.js') -> execute arbitrary Node.js code while bundling. What do you think about that? Shall it be considered as a possible security flaw?