---
title: 'Security: check bundle content hash'
disqus: hackmd
---
# Security: check bundle content hash
I was analyzing the problem; this is what I did:
- I used two computers, two Macs, one with an M1 chip, the other with an Intel chip.
- I installed the repository on both computers, and I used the same version of node and yarn on both computers.
- I followed these steps to make the build on both computers:
```
yarn install
yarn build:crypto
yarn build:types
HARDHAT_NO_MNEMONIC=yes yarn run build:contracts
cd dapp
cp .env.production .env
yarn build:prod
```
- Perform a SHA check with the following command on both computers:
```
shasum -a 256 bundle.js
```
- Also, we can check the content with webpack, using the `contenthash` feature.
- I got different numbers for both bundles.
- I started to think about how I could find out why they are different. The size differs, so I inspected the files and saw small differences.
- I thought to check the map file; I installed source-map-explorer to see the libraries.
- I noticed differences in the size of the libraries installed in both projects.
- For some reason at the moment of installing the libraries, and making the build, the size of the libraries differs and that affects the size of the bundle.
- I used source-map-explorer and the libraries seem to be fine; I compared them one by one and they match.
- I compared the two builds with WebStorm, and it shows a difference in a very large block of code, but it doesn't tell me exactly how it differs (I can tell it's Material UI stuff).
- I was checking the webpack config, regarding the env vars; this is the doc: https://webpack.js.org/guides/environment-variables/ . It says that we need to use a function and pass the env as a parameter. We are using the NODE_ENV right there but it is not working, so, if I refactor the webpack config in this way https://gist.github.com/mariano-aguero/82e2c08fc3548e2aa7a51102106a8ee3 . I only wrapped the JSON config in a function, and used a couple of conditional variables just to check if it is a production/development/staging environment.
- As we know, when installing a package, some of them are compiled, like node-sass, and that depends a lot on the architecture we are using: Intel, AMD, M1, Windows, Linux, Mac. The structure of the library can vary due to this compilation, and that can have consequences at the moment of generating the bundle, and cause differences in the content. On the other hand, it is necessary to consider that some libraries may need some external resource, obtaining assets, images, or other content at the moment of making the build, and this can also make the content of the bundle vary. Also to take into account: a file can vary its encoding, using UTF-8 or BOM, and this can also generate discrepancies in the content.
- To continue, investigate more ...