webpack-node-externals
The webpack-node-externals package is a utility for Webpack that allows you to exclude node_modules from your Webpack bundle. This is particularly useful for Node.js applications where you want to keep your bundle size small and avoid bundling dependencies that are already available in the node_modules directory.
Exclude node_modules
This feature allows you to exclude all modules in the node_modules directory from your Webpack bundle. This is useful for server-side applications where you don't want to bundle dependencies that are already available in the node_modules directory.
const nodeExternals = require('webpack-node-externals');
module.exports = {
  // Other webpack configuration options
  externals: [nodeExternals()]
};
Allowlist specific modules
This feature allows you to specify certain modules that should not be excluded from the bundle, even if they are in the node_modules directory. This is useful if you have a module that you want to include in your bundle for some reason.
const nodeExternals = require('webpack-node-externals');
module.exports = {
  // Other webpack configuration options
  externals: [nodeExternals({
    // the option is named `allowlist` (see options.allowlist below)
    allowlist: ['module-name']
  })]
};
Read modules from a file
This feature allows you to read the list of modules to exclude from a file, such as package.json. This can be useful for more complex configurations where you want to manage the list of external modules in a separate file.
const nodeExternals = require('webpack-node-externals');
module.exports = {
  // Other webpack configuration options
  externals: [nodeExternals({
    modulesFromFile: true
  })]
};
The webpack-externals-plugin is another Webpack plugin that allows you to specify external dependencies that should not be bundled. It provides more flexibility in defining externals, including the ability to use regular expressions. However, it may require more configuration compared to webpack-node-externals.
The webpack-common-shake plugin is designed to perform tree-shaking on CommonJS modules. While it is not a direct replacement for webpack-node-externals, it can help reduce bundle size by eliminating unused code. It is more focused on optimizing the code that is included in the bundle rather than excluding entire modules.
Easily exclude node modules in Webpack
Webpack allows you to define externals - modules that should not be bundled.
When bundling with Webpack for the backend - you usually don't want to bundle its node_modules dependencies.
This library creates an externals function that ignores node_modules when bundling in Webpack.
(Inspired by the great Backend apps with Webpack series)
npm install webpack-node-externals --save-dev
In your webpack.config.js:
const nodeExternals = require('webpack-node-externals');
// ...
module.exports = {
  // ...
  target: 'node', // in order to ignore built-in modules like path, fs, etc.
  externals: [nodeExternals()], // in order to ignore all modules in node_modules folder
  // ...
};
And that's it. All node modules will no longer be bundled but will be left as require('module').
Note: For Webpack 5, replace target: 'node' with the externalsPresets object:
// Webpack 5
const nodeExternals = require('webpack-node-externals');
// ...
module.exports = {
  // ...
  externalsPresets: { node: true }, // in order to ignore built-in modules like path, fs, etc.
  externals: [nodeExternals()], // in order to ignore all modules in node_modules folder
  // ...
};
This library scans the node_modules folder for all node_modules names, and builds an externals function that tells Webpack not to bundle those modules, or any sub-modules of theirs.
This library accepts an options object.
options.allowlist (=[])
An array for the externals to allow, so they will be included in the bundle. Can accept exact strings ('module_name'), regex patterns (/^module_name/), or a function that accepts the module name and returns whether it should be included.
Important - if you have set aliases in your webpack config with the exact same names as modules in node_modules, you need to allowlist them so Webpack will know they should be bundled.
options.importType (='commonjs')
The method in which unbundled modules will be required in the code. Best to leave as commonjs for node modules.
May be one of the documented options or a function callback(moduleName) that returns custom code to use as the import type, e.g.:
options.importType = function (moduleName) {
  return 'amd ' + moduleName;
}
options.modulesDir (='node_modules')
The folder in which to search for the node modules.
options.additionalModuleDirs (=[])
Additional folders to look for node modules.
options.modulesFromFile (=false)
Read the modules from the package.json file instead of the node_modules folder.
Accepts a boolean or a configuration object:
{
  modulesFromFile: true,
  /* or */
  modulesFromFile: {
    fileName: /* path to package.json to read from */,
    includeInBundle: [/* whole sections to include in the bundle, e.g. 'devDependencies' */],
    excludeFromBundle: [/* whole sections to explicitly exclude from the bundle, e.g. only 'dependencies' */]
  }
}
var nodeExternals = require('webpack-node-externals');
// ...
module.exports = {
  // ...
  target: 'node', // important in order not to bundle built-in modules like path, fs, etc.
  externals: [nodeExternals({
    // this WILL include `jquery` and `webpack/hot/dev-server` in the bundle, as well as `lodash/*`
    allowlist: ['jquery', 'webpack/hot/dev-server', /^lodash/]
  })],
  // ...
};
For most use cases, the defaults of importType and modulesDir should be used.
Webpack allows inserting regex in the externals array, to capture non-relative modules:
{
  externals: [
    // Every non-relative module is external
    // abc -> require("abc")
    /^[a-z\-0-9]+$/
  ]
}
However, this leaves every non-relative require unbundled, so it does not account for aliases that may be defined in webpack itself.
This library scans the node_modules folder, so it only leaves unbundled the actual node modules that are being used.
Using the allowlist option, this is possible. We can simply tell Webpack to bundle all files with extensions that are not js/jsx/json, using this regex:
// ...
nodeExternals({
  // load non-javascript files with extensions, presumably via loaders
  allowlist: [/\.(?!(?:jsx?|json)$).{1,5}$/i],
}),
// ...
Thanks @wmertens for this idea.
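The allowlist rules, the regex-only alternative and the asset regex described above can be compared on concrete requests. This is an added example, a simplified model rather than the library's own source, so you can see which requests end up inlined in the build artifact and which are resolved from node_modules at runtime. The `installed` set, the sample requests and the `shared-utils` webpack alias are constructed assumptions.

```javascript
// Simplified model of the decision described above; NOT the library's source.
// `installed` stands in for the names found by scanning node_modules (constructed).
const installed = new Set(['lodash', 'express', '@babel/runtime', 'normalize.css']);

// 'lodash/get' -> 'lodash', '@babel/runtime/helpers/x' -> '@babel/runtime'
function packageName(request) {
  const parts = request.split('/');
  return request.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// An allowlist entry may be an exact string, a RegExp, or a predicate function.
function isAllowlisted(allowlist, request) {
  return allowlist.some((entry) => {
    if (entry instanceof RegExp) return entry.test(request);
    if (typeof entry === 'function') return Boolean(entry(request));
    return entry === request;
  });
}

// Scan-based decision: 'external' (left as a runtime require) or 'bundle'.
function classifyByScan(request, allowlist = []) {
  // Relative paths, webpack aliases and anything not installed stay in the bundle.
  if (!installed.has(packageName(request))) return 'bundle';
  return isAllowlisted(allowlist, request) ? 'bundle' : 'external';
}

// Regex-only approach from the page: every bare lowercase name is external.
function classifyByRegex(request) {
  return /^[a-z\-0-9]+$/.test(request) ? 'external' : 'bundle';
}

// Allowlist entries taken from the page's examples.
const allowlist = ['jquery', /^lodash/, /\.(?!(?:jsx?|json)$).{1,5}$/i];
const requests = [
  'express', 'lodash/get', 'normalize.css/normalize.css',
  '@babel/runtime/helpers/extends', 'express/package.json',
  'shared-utils', // hypothetical webpack alias, not an installed package
  './local',
];
for (const r of requests) {
  console.log(r.padEnd(34), classifyByScan(r, allowlist).padEnd(9), classifyByRegex(r));
}
```

The two columns differ on `shared-utils` (the regex leaves an alias as a runtime require that no installed package satisfies) and on the scoped `@babel/runtime/...` request (the regex does not match it, so it is bundled).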
When writing a node library, for instance, you may want to split your code to several files, and use Webpack to bundle them. However - you wouldn't want to bundle your code with its entire node_modules dependencies, for two reasons:
As a consumer of a library, I want the library code to include only its logic, and just state its dependencies so they could be merged/resolved with the rest of the dependencies in my project. Bundling your code with your dependencies makes it virtually impossible.
In short: It's useful if your code is used by something that has dependencies managed by npm.
Contributions and pull requests are welcome. Please run the tests to make sure nothing breaks.
npm run test
MIT
3.0.0 (2021-04-21)
FAQs
Easily exclude node_modules in Webpack bundle
The npm package webpack-node-externals receives a total of 3,517,088 weekly downloads. As such, webpack-node-externals popularity was classified as popular.
We found that webpack-node-externals demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.