kindspells/astro-shield

feat: traverse JS files looking for import statements

Closed · 1 comment

Problem Statement

As of today, some JS files that are not directly "included" in HTML are found by looking into the dist/client/_astro directory.

This is not entirely correct for the following reasons:

  • As far as we know, that directory name could change; it's an implementation detail and we shouldn't rely on it.
  • The JS files that are directly included through HTML could be importing "cross origin" scripts, instead of the ones in dist/client/_astro.
  • The JS files that are directly included through HTML could be importing scripts from the public directory.
  • Or... we could have some JS files that are not imported at all (not even indirectly), and therefore we would be wasting resources by adding their hashes to our CSP policies.

Proposed Solution

We should recursively look for import statements (static & dynamic ones) in the JS files that are directly imported from HTML.

Note: This recursive traversing must be done as well for inlined scripts, as they can contain import statements too.

Progress Tracking

  • Inline Scripts
    • Static Imports
    • Dynamic Imports
  • Included Scripts
    • Static Imports
    • Dynamic Imports

We might come back to this idea later, but this particular issue does not accurately describe the current state of things nor a good-enough solution.