RFC: Defaulting to vue.runtime.esm.js instead of vue.esm.js #674

Closed
Lyrkan opened this issue Nov 23, 2019 · 5 comments · Fixed by #763

Comments

@Lyrkan
Collaborator

Lyrkan commented Nov 23, 2019

Someone on Slack had a CSP issue with Vue.js caused by the fact we alias vue$ to the full Vue.js build (vue.esm.js) that compiles templates on the client instead of using the runtime-only build (vue.runtime.esm.js).

As explained in Vue.js documentation (https://vuejs.org/v2/guide/installation.html#CSP-environments):

> Some environments, such as Google Chrome Apps, enforce Content Security Policy (CSP), which prohibits the use of new Function() for evaluating expressions. The full build depends on this feature to compile templates, so is unusable in these environments.
>
> On the other hand, the runtime-only build is fully CSP-compliant. When using the runtime-only build with Webpack + vue-loader or Browserify + vueify, your templates will be precompiled into render functions which work perfectly in CSP environments.

They also recommend using the runtime-only build:

> Since the runtime-only builds are roughly 30% lighter-weight than their full-build counterparts, you should use it whenever you can. If you still wish to use the full build instead, you need to configure an alias in your bundler:

Based on those two sections I can't see any reason not to switch to vue.runtime.esm.js, but maybe I'm missing something?
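
An added example, not part of the original issue and not Encore's or Vue's code: a Node.js check that takes a webpack `resolve.alias` map and a Content-Security-Policy header and reports whether the aliased Vue build needs `new Function()` while the policy blocks it. The function names, the alias path and the header strings are constructed for illustration, and treating a missing alias as the runtime-only build is an assumption based on the `module` field mentioned further down this thread.

```javascript
// Added example: names and sample inputs are constructed, not Encore's or Vue's code.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// eval() and new Function() are governed by script-src, falling back to default-src.
function allowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no governing directive, so nothing restricts eval
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Classify what a webpack resolve.alias map makes `vue$` resolve to.
// Assumption: with no alias, the package's "module" field selects the runtime-only build.
function vueBuild(alias) {
  const target = alias && alias['vue$'];
  if (!target) return 'runtime-only';
  return /\.runtime\./.test(target) ? 'runtime-only' : 'full';
}

// The full build compiles templates in the browser via new Function(),
// so it breaks whenever the policy does not allow 'unsafe-eval'.
function auditVueCsp(alias, cspHeader) {
  const build = vueBuild(alias);
  const evalAllowed = allowsEval(cspHeader);
  return { build, evalAllowed, templateCompilerBlocked: build === 'full' && !evalAllowed };
}

// Constructed inputs: the alias described in the issue and a policy without 'unsafe-eval'.
const fullBuildAlias = { vue$: 'vue/dist/vue.esm.js' };
const strictCsp = "default-src 'self'; script-src 'self'";
console.log(auditVueCsp(fullBuildAlias, strictCsp));
console.log(auditVueCsp({}, strictCsp));
```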

@esynaps

esynaps commented Feb 17, 2020

Current workaround: #625

@stof
Member

stof commented Feb 17, 2020

That would actually be a matter of removing the alias, as module in the vue package.json already defaults to vue.runtime.esm.js according to their doc.

@esynaps

esynaps commented Feb 18, 2020

Yes, it’s up to Vue to take responsibility for choosing which is the default js

@FireLizard

FireLizard commented Apr 6, 2020

Hi @esynaps,
why is it Vue's responsibility? Changing the alias described in the workaround is not working, but how can we resolve the original issue by @Lyrkan and his/her proposed solution?

Thank you for clarification :)

@stof
Member

stof commented Apr 29, 2020

@FireLizard the right sentence should be "it should be Vue's responsibility". The current status is that Encore overrides the configuration done by Vue in their metadata.
