Unable to use with Webpack when targeting Node

[markmcdowell]

Hello! I see you've just updated to Bowser 2.5.1 and we now hit this bug:

bowser-js/bowser#339

Could you bump again to 2.5.2?

Thanks!

[markmcdowell]

Sorry same bug different version, I'll check it with Bowser. Actually 2.6.1

[EvanHahn]

What error are you seeing in this package?

[markmcdowell]

TypeError: Bowser.getParser is not a function
    at csp (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/helmet-csp/dist/index.js:32:34)
    at Layer.handle [as handle_request] (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/express/lib/router/index.js:317:13)
    at eval (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/express/lib/router/index.js:284:7)
    at Function.process_params (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/express/lib/router/index.js:335:12)
    at next (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/express/lib/router/index.js:275:10)
    at internalNext (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/helmet/index.js:47:33)
    at xXssProtection (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/x-xss-protection/dist/index.js:47:13)
    at internalNext (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/helmet/index.js:51:7)
    at nosniff (Users/Mark/Developer/reactivemarkets/gitlab/crossfire/ui/node_modules/dont-sniff-mimetype/dist/index.js:5:9)

[markmcdowell]

I'll raise an issue with Bowser, for a quick fix i've moved Bowser back to 2.5.4 locally and all is working again.

[EvanHahn]

Could you post a code snippet that reproduces this? I'm not able to replicate the issue myself.

[markmcdowell]

It's because we use a bundler, webpack in this case. This change https://github.com/lancedikson/bowser/blob/bc2d51a8f9a715d91b715214ee0c19b1ca3f3838/package.json#L25 in bowser causes the imports to be incorrect.

[EvanHahn]

Ah, interesting—I take it you're doing some bundling on the Node side, then? Could you share that setup (unless you're confident that this is a Bowser issue)?

[barnesdc]

TypeError: Bowser.getParser is not a function
at csp (webpack:///./node_modules/helmet-csp/dist/index.js?:32:34)
at internalNext (webpack:///./node_modules/helmet/index.js?:51:7)
at helmet (webpack:///./node_modules/helmet/index.js?:54:5)
at Layer.handle [as handle_request] (webpack:///./node_modules/express/lib/router/layer.js?:95:5)
at trim_prefix (webpack:///./node_modules/express/lib/router/index.js?:317:13)
at eval (webpack:///./node_modules/express/lib/router/index.js?:284:7)
at Function.process_params (webpack:///./node_modules/express/lib/router/index.js?:335:12)
at next (webpack:///./node_modules/express/lib/router/index.js?:275:10)
at compression (webpack:///./node_modules/compression/index.js?:220:5)
at Layer.handle [as handle_request] (webpack:///./node_modules/express/lib/router/layer.js?:95:5)
at trim_prefix (webpack:///./node_modules/express/lib/router/index.js?:317:13)
at eval (webpack:///./node_modules/express/lib/router/index.js?:284:7)
at Function.process_params (webpack:///./node_modules/express/lib/router/index.js?:335:12)
at next (webpack:///./node_modules/express/lib/router/index.js?:275:10)
at expressInit (webpack:///./node_modules/express/lib/middleware/init.js?:40:5)

I am seeing this error while running Helmet: 3.21.1, Helmet: 2.9.2, and Bowser: 2.6.1

[EvanHahn]

This appears to be happening because you're using Webpack for your Node server. Is that correct? If so, do you think that's something Helmet should be concerning itself with? To my eye, that's arguably an issue with a nonstandard build setup, which I'm hesitant to support. What do you think? In any case, it seems like it's a downstream issue with Bowser, but let me know if that's wrong.

[gunnarvelle]

This will affect everyone using helmet and webpack, targeting node environments.

Downgrading helmet to 4.20.0, helmet-csp to 2.8.0 and removing bowser from yarn.lock fixed this for us for now.

[EvanHahn]

It looks like Bowser is now at version 2.7.0. I plan to upgrade this module, but if you'd like to submit a pull request sooner, I'd appreciate it.

[barnesdc]

Pull request #94 submitted

[EvanHahn]

I've updated to the latest version of bowser in helmet-csp@2.9.4 and helmet@3.21.2 (thanks @barnesdc!).

Does this fix anyone's issues?

[barnesdc]

@EvanHahn It did not for me personally.

What I am seeing now.

[elvismercado]

I recently update helmet from 3.19.0 to 3.21.2 due to a recommendatiopn of npm audit.
After doing this i have experience the axact same behaviour and error.

I have seen this happening before with webpack and redis npm package.
To solve this I configured redis as external commonjs package.

Doing this with helmet also avoids the TypeError and you can continue your work.

Here is an example webpack config.

module.exports = function(env, argv) {
  return = {
    mode: 'none',
    entry: { server: `./pat-to-server.ts` },
    externals: { helmet: 'commonjs helmet' },
    target: 'node',

    // other configs removed for example
    // ...
  };
};

[EvanHahn]

I've renamed this because it seems like this is an issue with Webpack. Lemme know if that's wrong.

It also seems like there's a fix (thanks @elvismercado), which is good for now.

[patrickmichalina]

The bundle I am using has this issue as well. A quick fix was to change the package.json pointer.

  "main": "es5.js",
  "module": "src/bowser.js",

Having the bundler point to es5.js fixed it right up. For some reason the module path is not working.

[EvanHahn]

I believe this is fixed in helmet-csp@2.9.5 and helmet@3.21.3. Could someone test and let me know if they run into any issues?