Skip to content

Improve documentation: include usage of ES6 Modules in browser #4099

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 3, 2024
Merged

Improve documentation: include usage of ES6 Modules in browser #4099

merged 5 commits into from
Nov 3, 2024

Conversation

@sudo-barun
Copy link
Contributor

@sudo-barun sudo-barun commented Aug 27, 2024

Changes

  1. change "Download prebuilt CDN assets" from h4 to h3
  2. include usage of ES Modules in browser

joshgoebel
joshgoebel reviewed Aug 27, 2024
View reviewed changes
README.md Outdated

```js
import hljs from './node_modules/@highlightjs/cdn-assets/es/core.js';
import javascript from './node_modules/@highlightjs/cdn-assets/es/languages/javascript.min.js';
Copy link
Member

@joshgoebel joshgoebel Aug 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this assuming a lot about someone's file structure? I feel like publishing node_modules onto a public site is a bit of a smell, is that normal these days?

Copy link
Member

@joshgoebel joshgoebel Aug 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah you addressed that below... I'll mull on this.

Copy link
Contributor Author

@sudo-barun sudo-barun Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

First of all, use of web technologies (HTML, CSS, JS) is no longer limited to website/webapp. With the help of Electron, web technologies can used in desktop app as well. This means importing from node_modules is no longer a concern in desktop app.

Now, about the public site, you are right that it is not normal (or lets say, not common in practice) to publish node_modules. I think it is because of lack of awareness about different ways npm packages can be installed in a project. Most of people think that package.json stays at the root directory and all packages should be installed at the root directory. However, we can create separate package.json at public directory for browser specific packages.

/
/package.json          (may contain server-specific packages like Express, or may only contain devDependencies like Webpack in case the app is not using Node for server (for e.g. PHP app))
/node_modules/
/public/package.json          (contains browser-specific packages like highlight.js, bootstrap)
/public/node_modules/
/public/index.html

This way, packages at top level and any other server specific code does not get exposed to the public.

There is a change of security issue if a npm package contain file that can be directly executed by server (for e.g. PHP file). In that case, a CVE should be created.

Lastly, we can generate different code for the prod environment. Tools like Vite may be helpful regarding that. This way, we can use original code for development and generated code for production.

I can also update the doc to include warning:

Warning: publishing `node_modules` can lead to security problem. Use with caution.

If you think it is not a good idea at all to have node_modules being publicly exposed, I can update the doc to manually copy code from @highlightjs/cdn-assets package and paste in public directory (or create symlink).

Let me know what you think.

joshgoebel
joshgoebel reviewed Sep 20, 2024
View reviewed changes
README.md Outdated
To import the library and register only those languages that you need:

```js
import hljs from './node_modules/@highlightjs/cdn-assets/es/core.js';
Copy link
Member

@joshgoebel joshgoebel Sep 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the ./? Is this assuming a build system or nobuild? Don't real in-browser ES6 imports need to be full URLs?

Copy link
Contributor Author

@sudo-barun sudo-barun Sep 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to check this: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules#importing_features_into_your_script
Also check below for using bare specifier (import hljs from '@highlightjs/cdn-assets/es/core.js';) using importmap.
Code in @highlightjs/cdn-assets package is browser compatible, so nobuild.

Copy link

@tagliala tagliala Nov 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, is this change somehow related to rails/importmap-rails#270 ?

Copy link
Member

@joshgoebel joshgoebel Nov 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm familiar with this actually, I was thinking of someone pulling from from a CDN I suppose... I'll look at this and tweak the examples. I'm not going to recommend that people use node_modules though...

I was also thinking of the FIRST import, which is (surely?) going to be relative to the HTML file... relative references for assets are such a pain (IMHO) on a large website. I imagine named imports vs importmap solve a lot of that though.

Taking a look at this more now.

@joshgoebel
Copy link
Member

joshgoebel commented Nov 2, 2024

Thoughts?

@github-actions
Copy link

github-actions bot commented Nov 2, 2024

Build Size Report

Changes to minified artifacts in /build, after gzip compression.

1 file changed

Total change -1 B

View Changes
file base pr diff
highlight.min.js 8.22 KB 8.22 KB -1 B

sudo-barun
sudo-barun commented Nov 3, 2024
View reviewed changes
README.md Outdated
```

*Note: The above code works only when the file containing the JavaScript code and the `node_modules` folder are inside same folder. If that is not the case, you have to modify the path in import statement accordingly.*
*Note: The path to these files will depend on how your individiaul project is configured,
Copy link
Contributor Author

@sudo-barun sudo-barun Nov 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to this, I think it is better to be more explicit by including instruction to copy @highlightjs/cdn-assets from node_modules (or CDN) into assets/js/@highlightjs/cdn-assets.

@joshgoebel joshgoebel force-pushed the improve-documentation branch from 7b2a6de to b277876 Compare November 3, 2024 13:55
@github-actions
Copy link

github-actions bot commented Nov 3, 2024

Build Size Report

Changes to minified artifacts in /build, after gzip compression.

No changes

No existing files changed.

@github-actions
Copy link

github-actions bot commented Nov 3, 2024

Build Size Report

Changes to minified artifacts in /build, after gzip compression.

3 files changed

Total change -7 B

View Changes
file base pr diff
es/core.min.js 8.18 KB 8.18 KB -2 B
es/highlight.min.js 8.18 KB 8.18 KB -2 B
highlight.min.js 8.22 KB 8.22 KB -3 B

@joshgoebel joshgoebel merged commit e42dae5 into highlightjs:main Nov 3, 2024
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshgoebel joshgoebel joshgoebel approved these changes

+1 more reviewer

@tagliala tagliala tagliala left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sudo-barun @joshgoebel @tagliala