Gathering detailed insights and metrics for webpack-target-webextension-v4
Gathering detailed insights and metrics for webpack-target-webextension-v4
WebExtension Target for Webpack 5. Supports code-splitting and HMR.
Installations
npm install webpack-target-webextension-v4Developer Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=10.0.0
Node Version
22.9.0
NPM Version
10.8.3
Releases
Unable to fetch releases
Languages
2
JavaScript
TypeScript
JavaScript (99.03%)
TypeScript (0.97%)
Developer
crimx
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
48 Stars
97 Commits
8 Forks
3 Watchers
4 Branches
5 Contributors
Updated on Apr 29, 2025
Maintainers
1
Package Meta Information
Latest Version
0.2.2
Package Id
webpack-target-webextension-v4@0.2.2
Unpacked Size
30.20 kB
Size
7.85 kB
File Count
8
NPM Version
10.8.3
Node Version
22.9.0
Published on
Nov 25, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
Dev Dependencies
3
webpack-target-webextension
WebExtension Target for Webpack 4. Supports code-splitting with native dynamic import(with tabs.executeScript as fallback).
You can use the neutrino-webextension preset directly which uses this library.
The code is based on the official web target.
Limitation
In content scripts native dynamic import subjects to target page content security policy. This library adds tabs.executeScript as fallback method should native dynamic import fails.
But do note that tabs.executeScript does not work for pages without tab, like background page and browser action page(also known as popup page). This is fine since they are all extension internal pages where native dynamic import should always work.
Caveats
Native dynamic import is buggy in Firefox. A workaround is to write a postbuild script targeting only Firefox build. It collects all the dynamic chunks and appends them to every entries in htmls and the manifest.json script lists.
The Firefox addons-linter is also making aggressive errors on dynamic import. A workaround is to just replace the import with other name. Since all the dynamic chunks are loaded in Firefox the import() code should never be run.
Installation
yarn
1yarn add webpack-target-webextension
npm
1npm install webpack-target-webextension
Usage
You might also need to remove the @babel/plugin-syntax-dynamic-import plugin.
1// webpack.config.js 2 3const path = require('path') 4const WebExtensionTarget = require('') 5 6// Optional webpack node config 7const nodeConfig = {} 8 9module.exports = { 10 node: nodeConfig 11 // Need to set these fields manually as their default values rely on `web` target. 12 // See https://v4.webpack.js.org/configuration/resolve/#resolvemainfields 13 resolve: { 14 mainFields: ['browser', 'module', 'main'], 15 aliasFields: ['browser'] 16 }, 17 output: { 18 globalObject: 'window' 19 // relative to extension root 20 publicPath: '/assets/', 21 }, 22 optimization: { 23 // Chrome bug https://bugs.chromium.org/p/chromium/issues/detail?id=1108199 24 splitChunks: { automaticNameDelimiter: '-' }, 25 }, 26 target: WebExtensionTarget(nodeConfig) 27}
1// manifest.json 2 3{ 4 // Make sure chunks are accessible. 5 // For example, if webpack outputs js and css to `assets`: 6 "web_accessible_resources": ["assets/*"], 7}
1// src/background.js 2 3// For fallback `tabs.executeScript` 4import 'webpack-target-webextension/lib/background' 5 6// ... your code
Hot Module Reload and development tips
This target supports HMR too, but you need to tweak manifest.json and open some webpack options to make it work.
Changes in manifest.json
Those changes are only needed in development!! Don't add them in production!!
Please include this line in the manifest to make sure HMR manifest and new chunks are able to downloaded.
1"web_accessible_resources": ["*.js", "*.json"],
Please include this line if you want to use eval based sourcemaps.
1"content_security_policy": "script-src 'self' blob: filesystem: 'unsafe-eval';",
Changes in webpack config
1devServer: { 2 // Have to write disk cause plugin cannot be loaded over network 3 writeToDisk: true, 4 hot: true, 5 hotOnly: true, 6 // WDS does not support chrome-extension:// browser-extension:// 7 disableHostCheck: true, 8 injectClient: true, 9 injectHot: true, 10 headers: { 11 // We're doing CORS request for HMR 12 'Access-Control-Allow-Origin': '*' 13 }, 14 // If the content script runs in https, webpack will connect https://localhost:HMR_PORT 15 // More on https://webpack.js.org/configuration/dev-server/#devserverhttps 16 https: true 17},
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
Found 2/30 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/awesome-webextension/webpack-target-webextension/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/awesome-webextension/webpack-target-webextension/nodejs.yml/master?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 8 are checked with a SAST tool
Reason
17 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Score
2.5
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More