Autoreload
Deploying to mainnet with AZLE_AUTORELOAD=true will expose your canister to arbitrary untrusted JavaScript code execution
You can turn on automatic reloading of your canister's final compiled JavaScript by using the AZLE_AUTORELOAD
environment variable during deploy:
AZLE_AUTORELOAD=true dfx deploy
The autoreload feature watches all .ts
and .js
files recursively in the directory with your dfx.json
file (the root directory of your project), excluding files found in .azle
, .dfx
, and node_modules
.
Autoreload only works properly if you do not change the methods of your canister. HTTP-based canisters will generally work well with autoreload as the query and update methods http_request
and http_request_update
will not need to change often. Candid-based canisters with explicit query
and update
methods may require manual deploys more often.
Autoreload will not reload assets uploaded through the assets
property of your dfx.json
.
It is extremely important to keep in mind that setting AZLE_AUTORELOAD=true
will create an update method in your canister called reload_js
that has no authorization built into it. If you deploy this to mainnet, anyone will be able to call this method and change the JavaScript of your canister.