
Large increase in size of oidc-client.rsa256.js

Open notclive opened this issue 5 years ago • 6 comments

dist/oidc-client.rsa256.min.js jumped from 170 KB in 1.11.0 to 800 KB in 1.11.1

We used oidc-client.rsa256.min.js because it was significantly smaller than the other artifacts. My understanding is that oidc-client.rsa256.min.js is oidc-client without the jsrsasign library, for clients that don't need to generate tokens.

I haven't been able to identify what change in 1.11.1 caused the jump in size.

notclive, Feb 01 '21 15:02

Hmm, odd. Thanks for letting me know. I'll have a look.

brockallen, Feb 01 '21 16:02

I've looked into this a little bit; the rsa file contains safe-buffer 5 times. safe-buffer appears to be a node.js library, so it probably shouldn't be included at all. I haven't worked out where it's coming from.

notclive, Feb 01 '21 17:02

I updated jsrsasign in 1.11.1 -- I bet it's something in there.

brockallen, Feb 01 '21 17:02

Ok, the updated jsrsasign was not the issue. Part of it seems to be the update to crypto to v4.0.0 (to 470K), and webpack v4.46.0 (to 800K). I'm a bit confused why the slim is that size and the normal/core library is smaller... Feel free to investigate more. I am getting pulled onto other work ATM, so you might get to a solution faster than I.

brockallen, Feb 01 '21 18:02

Hmm, and in fact if I leave webpack at the latest and revert crypto back to the (vulnerable) "crypto-js": "^3.1.9-1" then it's back down to 170K. So yea, I guess it's something specifically in the crypto package.

brockallen, Feb 01 '21 18:02

Looks like they're aware of the issue: https://github.com/brix/crypto-js/issues/321. So there's not much to do here until they fix/update I think.

brockallen, Feb 01 '21 18:02