fix: replace Browserify with Webpack to resolve security vulnerabilities#399
Merged
DennisOSRM merged 7 commits intoProject-OSRM:gh-pagesfrom Apr 10, 2026
Merged
Conversation
Contributor
|
Fixes #395 |
There was a problem hiding this comment.
Pull request overview
Replaces the Browserify-based bundling pipeline with Webpack to eliminate vulnerable/unmaintained transitive dependencies in the frontend build.
Changes:
- Add a
webpack.config.jsthat buildssrc/index.jsinto a UMDbundle.jswith source maps. - Update
package.jsonto compile via Webpack and swap devDependencies from Browserify tooling towebpack/webpack-cli.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
webpack.config.js |
Introduces the Webpack production bundle configuration and output settings. |
package.json |
Switches compile to Webpack and updates devDependencies accordingly. |
Comments suppressed due to low confidence (1)
package.json:15
start-index/start-index-prodstill invokebudoand pipe tobistre, but both packages were removed fromdevDependencies. As-is,npm start,npm run start-index, andnpm run start-prodwill fail with "command not found". Either re-addbudo/bistre, or update these scripts to use a Webpack-based dev server (or another static server) consistent with the new bundling approach.
"compile": "webpack --config webpack.config.js",
"build": "npm run replace && npm run compile && cp node_modules/leaflet/dist/leaflet.css css/leaflet.css",
"start-index": "budo src/index.js --serve=bundle.js --live -d | bistre",
"start-index-prod": "budo src/index.js --serve=bundle.js -d | bistre",
"start": "npm run build && npm run start-index",
"start-prod": "npm run build && npm run start-index-prod",
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
package.json
Outdated
| "replace": "node ./scripts/replace.js", | ||
| "compile": "browserify -d src/index.js -s osrm > bundle.raw.js && uglifyjs bundle.raw.js -c -m --source-map filename=bundle.js.map -o bundle.js", | ||
| "compile": "webpack --config webpack.config.js", | ||
| "build": "npm run replace && npm run compile && cp node_modules/leaflet/dist/leaflet.css css/leaflet.css", |
There was a problem hiding this comment.
The previous Browserify build produced/updated bundle.raw.js, but the new Webpack compile script no longer touches it. Since bundle.raw.js is present at repo root, it will now become a stale artifact and can be mistaken as an input/output of the build. Consider removing it from the repo or adding an explicit clean step / .gitignore entry so only bundle.js (+ map) are treated as build outputs.
Suggested change
| "build": "npm run replace && npm run compile && cp node_modules/leaflet/dist/leaflet.css css/leaflet.css", | |
| "clean": "rm -f bundle.raw.js", | |
| "build": "npm run clean && npm run replace && npm run compile && cp node_modules/leaflet/dist/leaflet.css css/leaflet.css", |
- Add 'clean' script to remove stale bundle.raw.js artifact - Update 'build' script to run clean before replace and compile - Replace deprecated budo/bistre with webpack-dev-server for development - Add webpack-dev-server to devDependencies - Simplify start-prod to just run build - Configure webpack-dev-server to serve static files from project root Prevents stale Browserify output from being confused with active build artifacts. Addresses reviewer feedback on PR Project-OSRM#399 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace .eslintrc (deprecated) with eslint.config.js - Move ignore patterns from .eslintignore to ignores property - Update languageOptions with proper globals for Node and browser - Add type: module to package.json to eliminate Node warnings This resolves ESLint v10.2.0 compatibility issues. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The directive on line 2 was unused since the actual comparisons with null already have their own disable comments on lines 6 and 14. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adding type: module breaks CommonJS scripts used in the build process. ESLint can handle eslint.config.js as ESM without the type field. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Using .mjs extension explicitly marks the file as an ES module, eliminating the MODULE_TYPELESS_PACKAGE_JSON warning without requiring type: module in package.json (which breaks build scripts). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
DennisOSRM
approved these changes
Apr 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Browserify is unmaintained and causes 4 security vulnerabilities:
Solution
Result
0 vulnerabilities (previously 4)