Can my JavaScript dependencies be delivered bundled with webpack?

Question

I use webpack to bundle my JavaScript dependencies. May my dependencies be delivered bundled for composition analysis?

Answer

The short answer is no. Multiple JavaScript dependencies may not be delivered bundled, whether by webpack or by another bundling mechanism.

The OWASP dependency-check tool cannot distinguish dependencies that have been bundled. When a bundler such as webpack processes your application, it builds a dependency graph and then combines every module into one or more bundles, which are the static assets that content is served from.

Accordingly, for the purposes of the ATO composition analysis activity, the dependencies must be delivered as individual JavaScript files. These may be delivered in their original node_modules directory or may be unbundled from the webpack bundle.
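A pre-delivery check for the requirement above, as an added example (not code from this page or from the OWASP dependency-check project). The function name checkDelivery, the marker list, and the rule that a package counts as identified when its node_modules directory carries a package.json with name and version are assumptions of this example; the sample files are constructed.

```javascript
// Added example: pre-delivery check that dependencies are individual files.
// Strings webpack's runtime writes into the bundles it generates (heuristic).
const WEBPACK_MARKERS = [/__webpack_require__/, /\bwebpackChunk/, /\bwebpackJsonp\b/];
// Deepest node_modules/<pkg> or node_modules/@scope/<pkg> prefix of a path.
const PKG_DIR = /^(.*node_modules\/(?:@[^/]+\/)?[^/]+)\//;

// files: [{ path, text }] with '/' separators, read from the delivery
// directory by the caller. Reports which JS files cannot be analyzed as-is.
function checkDelivery(files) {
  const manifests = new Map(); // package dir -> "name@version"
  for (const { path, text } of files) {
    const m = PKG_DIR.exec(path);
    if (!m || path !== `${m[1]}/package.json`) continue;
    try {
      const { name, version } = JSON.parse(text);
      if (name && version) manifests.set(m[1], `${name}@${version}`);
    } catch { /* unreadable manifest: the package stays unidentified */ }
  }
  const report = { bundled: [], unidentified: [], packages: new Set() };
  for (const { path, text } of files) {
    if (!/\.(js|mjs|cjs)$/.test(path)) continue;
    const m = PKG_DIR.exec(path);
    // A bundle is flagged even inside node_modules: it hides other modules.
    if (WEBPACK_MARKERS.some((re) => re.test(text))) report.bundled.push(path);
    else if (m && manifests.has(m[1])) report.packages.add(manifests.get(m[1]));
    else report.unidentified.push(path);
  }
  report.ok = report.bundled.length === 0 && report.unidentified.length === 0;
  return report;
}

// Constructed sample delivery (hypothetical package names and contents).
const SAMPLE = [
  { path: 'node_modules/example-lib/package.json', text: '{"name":"example-lib","version":"1.2.3"}' },
  { path: 'node_modules/example-lib/index.js', text: 'module.exports = {};' },
  { path: 'node_modules/@scope/util/package.json', text: '{"name":"@scope/util","version":"1.0.0"}' },
  { path: 'node_modules/@scope/util/index.js', text: 'exports.x = 1;' },
  { path: 'dist/main.js', text: '(()=>{var __webpack_modules__={};function __webpack_require__(i){}})();' },
  { path: 'vendor/legacy.js', text: 'window.legacy = {};' },
];
console.log(checkDelivery(SAMPLE));
```

The marker match is a heuristic: a minified or non-webpack bundle may carry none of these strings, so a clean report does not prove that nothing is bundled.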
