Use JSDOM alternative for deploying to Vercel

[Josehower]

Handover TODO's

• Solve Conflicts and update the branch
• Research if the problem with js-dom has been solved or new workarounds have been found for the community
• Verify the solution is still valid
• Update PR based on research
• Define if the PR is meant to be merged or maybe requires a different repo or just an independent branch than the main
• Polish and send to Peer review

---

This branch has been deployed here:

https://vuln-examples-next-postgres-jose-7nzgag60s-josehower.vercel.app/

---

When trying to deploy to Vercel multiple issues appear when using JSDOM.

1. JSDOM makes the Serverless function exceed the maximum size

Failed to process build result for "example-6-cross-site-scripting/solution-2.rsc". Data: {"type":"Lambda"}.
Error: The Serverless Function "example-6-cross-site-scripting/solution-2" is 54.64mb which exceeds the maximum size limit of 50mb. Learn More: https://vercel.link/serverless-function-size
NOW_SANDBOX_WORKER_MAX_LAMBDA_SIZE: The Serverless Function "example-6-cross-site-scripting/solution-2" is 54.64mb which exceeds the maximum size limit of 50mb.

This problem was solved by using a lightweight version of JSDOM like https://www.npmjs.com/package/jsdom-light

2. JSDOM using canvas missing dependencies in serverless environments

Error: /lib64/libz.so.1: version `ZLIB_1.2.9' not found (required by /vercel/path0/node_modules/.pnpm/canvas@2.11.2/node_modules/canvas/build/Release/libpng16.so.16)

Error: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /vercel/path0/node_modules/canvas/build/Release/libglib-2.0.so.0)

The way we solve it this was by using a JSDOM solution that was implementing a canvas version that was compatible with serverless environments:

https://www.npmjs.com/package/jsdom-napi-rs-canvas (published from Miggogee/jsdom)

Related Links:

• /~https://github.com/orgs/vercel/discussions/2867#discussioncomment-6182057
• Could NOT find ZLIB (missing: ZLIB_LIBRARY ZLIB_INCLUDE_DIR) jupp0r/prometheus-cpp#409
• node-canvas runtime error vercel/vercel#3460

[karlhorky]

can we use Boolean() here for expressiveness?

[Josehower]

c39d258

[karlhorky]

• I guess the contents of types/base.d.ts could be merged into this file?
• the filename can be jsdom-napi-rs-canvas.d.ts
• the file can be in the root of the project - until we have a more types

but not a big deal to make this super polished yet, we're not sure if we are staying with Vercel for this project

[Josehower]

a4be47b

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
server-only	0.0.1	None	+0	611 B	sebmarkbage
jsdom-napi-rs-canvas	19.0.0	eval, network, filesystem, shell	+18	6.06 MB	miggog

🚮 Removed packages: @types/jsdom@21.1.1, canvas@2.11.2, jsdom@22.1.0

[Josehower]

suggestions applied

[karlhorky]

Edit: The link below has problems, I changed it to https://vuln-examples-next-postgres-jose.vercel.app/

Seems like the Railway link ( https://vuln-examples-next-postgres-jose-production.up.railway.app ) that was in the About section doesn't currently work, so I used the Vercel link above instead ( https://vuln-examples-next-postgres-jose-7nzgag60s-josehower.vercel.app/ )

The deployed version on Fly.io ( https://security-vulnerability-examples-next-js-postgres.fly.dev/ ) has been crashing up until this point, but this may improve in the future

[karlhorky]

The deployed version on Fly.io ( security-vulnerability-examples-next-js-postgres.fly.dev ) has been crashing up until this point, but this may improve in the future

The version deployed on Fly.io is not crashing currently

https://security-vulnerability-examples-next-js-postgres.fly.dev/

[karlhorky]

@Josehower the JSDOM + DOMPurify example doesn't seem to work on Vercel currently - so maybe the approach in this PR doesn't work?

https://vuln-examples-next-postgres-jose-7nzgag60s-josehower.vercel.app/example-6-cross-site-scripting/solution-2

[karlhorky]

Oh, it seems there is another deployment at https://vuln-examples-next-postgres-jose.vercel.app/

The Example 6, Solution 2 page here works fine:

https://vuln-examples-next-postgres-jose.vercel.app/example-6-cross-site-scripting/solution-2

[Josehower]

Handover Comment for the PR:

What work has been done

• Update the content of the example to be deployed in Vercel
• Use a configuration that replaces js-dom for a version that supports serverless environments

What work is still open

• Handover TODO's section

who to take over

This can be handover by either @ProchaLu or @Eprince-hub

Where to start

A good place to start would be to get familiar with the changes in the PR and understand what is trying to be achieved. Get a conversation with @karlhorky to define if a PR to main is the best place to contain this deploy alternative or maybe it just needs another repo or just a branch.

Other details that you know that are not captured already in the issue / PR

Not really sure if this is a PR that wants to get merged to the main or have it as a backup in case fly.io doesn't work

This PR is an alternative to deploy the example on serverless environments. This was created since the version on fly.io was not working due to memory issues with Next.js