Does this security configuration allow both Babel and Sass?

Hello,
I came across a website Hugo asset pipeline security.exec.allow error | NotesToSelf.Dev that says I should add allow = ['^go$', '^npx$', '^postcss$', '^babel$'] rule to allow babel. I’m using Babel. I was wondering if that rule allows Sass as well. Any idea?

You can transpile Sass to CSS using either LibSass or Dart Sass.

LibSass

LibSass is the default transpiler, included with the extended version of Hugo. This is not an external executable—it does not require an entry in security.exec.allow.

Your template code will look something like this:

{{ with resources.Get "main.scss" | toCSS }}
  <link rel="stylesheet" href="{{ .RelPermalink }}">
{{ end }}

Dart Sass

You can use the Dart Sass transpiler with either the extended or non-extended version of Hugo. This is an external executable—it requires an entry in security.exec.allow. Please note that the default security configuration already includes an entry:

[security.exec]
  allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']

To install the Dart Sass transpiler on Linux:

base=https://github.com && temp=dart-sass-embedded.tar.gz
path=$(curl -sL https://github.com/sass/dart-sass-embedded/releases/latest | grep "href.*linux-x64.tar.gz" | awk -F'"' '{print $2}')
wget -qO $temp $base$path
tar -xvzf $temp
sudo mv sass_embedded/dart-sass-embedded /usr/local/bin/
sudo chmod 755 /usr/local/bin/dart-sass-embedded
rm $temp
rm -r sass_embedded/

Your template code will look something like this:

{{ with resources.Get "main.scss" | toCSS (dict "transpiler" "dartsass") }}
  <link rel="stylesheet" href="{{ .RelPermalink }}">
{{ end }}

See https://gohugo.io/hugo-pipes/scss-sass/#options

1 Like

Thank you. I’m using the LibSass. However, for Babel, I get an error message when launching the server. It is because of the security configuration.

I don’t understand. Is Hugo throwing an error despite a security entry for Babel, or have you resolved the problem?

1 Like

I don’t have any entry for Babel. Should I add ^babel$ to the allow list?

Yes. The error message describes what you need to do:

Error: Error building site: BABEL: failed to transform “main.js” (application/javascript): access denied: “babel” is not whitelisted in policy “security.exec.allow”;

Example:

[security.exec]
allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$', '^babel$']
1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.