Recursive fastbootDependencies not discovered #188
Comments
You could argue that from a security perspective having some explicit opt-in in the consuming app is good, but having to dig around in all your deps and manually roll things up definitely doesn't feel like a great solution. One possible avenue to satisfy both concerns would be to require the addon that is being consumed in fastbootDeps and to recurse from there.
My understanding is that fastbootDependencies exists not to protect against addon authors, but to minimize the amount of code accessible inside the fastboot VM that could be used by somebody who finds an XSS (which becomes server RCE in fastboot). Addon authors can run arbitrary code during the build step and monkey patch whatever they want, bypassing
@ef4 Yes, I'd like to find time to revisit the entire system. I think it may be possible to track the call site that
I think we may not even need to have
I just ran into this issue. Is there a preferred way to solve or work around this?
v1.2.1 package upgrades
It does not appear possible to use (for example) ember-network in an addon, because its fastbootDependencies configuration is not discovered by the top-level consuming application. As a workaround you can add the appropriate fastbootDependencies and dependencies at the top level.
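The manual roll-up in the workaround above can be audited mechanically, so that every module exposed inside the FastBoot sandbox is still an explicit, reviewed opt-in in the app. This is an added example, not code from ember-cli-fastboot or from this issue. It assumes the list may appear either at the top level of a package.json or under its "ember-addon" key, and it runs on constructed in-memory manifests ("my-app" and "my-addon" are hypothetical, and the listed values are illustrative).

```javascript
// Constructed sample manifests keyed by package name (stand-ins for each
// package.json under node_modules). Values are illustrative only.
const manifests = {
  "my-app": {
    dependencies: { "my-addon": "*" },
    fastbootDependencies: ["path"],
  },
  "my-addon": {
    dependencies: { "ember-network": "*" },
    "ember-addon": { fastbootDependencies: ["crypto"] },
  },
  "ember-network": {
    dependencies: { "node-fetch": "*", "my-addon": "*" }, // cycle on purpose
    "ember-addon": { fastbootDependencies: ["node-fetch"] },
  },
  "node-fetch": { dependencies: {} },
};

// Assumption: the list lives at the top level or under "ember-addon".
function declared(pkg) {
  const nested = (pkg["ember-addon"] || {}).fastbootDependencies || [];
  return [...(pkg.fastbootDependencies || []), ...nested];
}

// Walk `dependencies` from the app and record, for every module a nested
// package wants inside the FastBoot sandbox, the chain that asked for it.
function auditFastbootDependencies(all, appName) {
  const requestedBy = Object.create(null);
  const seen = new Set();
  (function walk(name, chain) {
    if (seen.has(name) || !all[name]) return; // cycle or not installed
    seen.add(name);
    const here = chain.concat(name);
    if (name !== appName) {
      for (const mod of declared(all[name])) {
        (requestedBy[mod] = requestedBy[mod] || []).push(here.join(" > "));
      }
    }
    Object.keys(all[name].dependencies || {}).forEach((d) => walk(d, here));
  })(appName, []);
  // Modules requested by nested packages but not yet allowed by the app.
  const allowed = new Set(declared(all[appName]));
  const missing = Object.keys(requestedBy).filter((m) => !allowed.has(m)).sort();
  return { requestedBy, missing };
}

console.log(auditFastbootDependencies(manifests, "my-app"));
```

Each entry in `missing` is a module the app owner would have to add to the top-level list by hand; `requestedBy` shows which dependency chain asked for it, which is the information needed to decide whether to allow it.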