feat: second-cut of using unenv to create a hybrid node.js compatibility setting (via inject) #5878
Conversation
🦋 Changeset detectedLatest commit: 8639e8b The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 9963966 | Triggered | PostgreSQL Credentials | 61cbf9d | fixtures/nodejs-hybrid-app/wrangler.toml | View secret |
| 9963966 | Triggered | PostgreSQL Credentials | 61cbf9d | fixtures/nodejs-hybrid-app/worker-configuration.d.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
|
@petebacondarwin I rebased your PR but didn't want to force-push, so I'm creating a new PR. Let's chat tomorrow to discuss how we want to handle these PRs. |
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
|
A wrangler prerelease is available for testing. You can install this latest build in your project with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-wrangler-5878You can reference the automatically updated head of this PR with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/5878/npm-package-wrangler-5878Or you can use npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-wrangler-5878 dev path/to/script.jsAdditional artifacts:npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-create-cloudflare-5878 --no-auto-updatenpm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-cloudflare-kv-asset-handler-5878npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-miniflare-5878npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-cloudflare-pages-shared-5878npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/9403675692/npm-package-cloudflare-vitest-pool-workers-5878Note that these links will no longer work once the GitHub Actions artifact expires.
Please ensure constraints are pinned, and |
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
Build #9169531905 from cloudflare/workers-sdk#5878
IgorMinar
force-pushed
the
unenv-wrangler-inject
branch
from
069d84a to
ec101f3
Compare
IgorMinar
force-pushed
the
unenv-wrangler-inject
branch
from
df3a491 to
3347c14
Compare
| @@ -78,7 +78,8 @@ | |||
| "ink@3.2.0": "patches/ink@3.2.0.patch", | |||
| "toucan-js@3.2.2": "patches/toucan-js@3.2.2.patch", | |||
| "@cloudflare/component-listbox@1.10.6": "patches/@cloudflare__component-listbox@1.10.6.patch", | |||
| "capnp-ts@0.7.0": "patches/capnp-ts@0.7.0.patch" | |||
| "capnp-ts@0.7.0": "patches/capnp-ts@0.7.0.patch", | |||
| "pg@8.11.3": "patches/pg@8.11.3.patch" | |||
There was a problem hiding this comment.
TODO: remove this once it is fixed upstream
packages/wrangler/package.json
Outdated
| @@ -82,6 +82,7 @@ | |||
| "resolve.exports": "^2.0.2", | |||
| "selfsigned": "^2.0.1", | |||
| "source-map": "0.6.1", | |||
| "unenv": "npm:unenv-nightly@1.10.0-1717522572.87b9352", | |||
There was a problem hiding this comment.
TODO: update when this is released
There was a problem hiding this comment.
yeah. but this won't happen until shortly before we drop the experimental: prefix.
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Last small thing:
- a changeset (with a minor bump) - or are we claiming that since this is internal/experimental it should not appear in the changelog? I don't feel we should try to hide it by doing that: users can see the code being added so it is not a secret, and also no changeset means that the package will not be published.
There was a problem hiding this comment.
LGTM except for one regression that was introduced during the refactor. I didn't have enough time to debug it, but I discovered it in the matrix app and moved a reduction into the fixture as 0c2fc6d
somehow don't tell esbuild that node:assert is a built-in, so it freaks out when it's not resolved to an absolute path. did we somehow forget to configure externals?
… - use unenv instead
…pat_v2' accompanied by 'experimental'
…ng in the hybrid plugin
The previous test would pass/fail depending upon which timezone you are in when you run it.
currently this fails with: nodejs-hybrid-app:build: ✘ [ERROR] Plugin "unenv-cloudflare" returned a non-absolute path: node:assert (set a namespace if this is not a file path) nodejs-hybrid-app:build: nodejs-hybrid-app:build: src/index.ts:2:19: nodejs-hybrid-app:build: 2 │ import assert from "node:assert/strict"; nodejs-hybrid-app:build: ╵ ~~~~~~~~~~~~~~~~~~~~ nodejs-hybrid-app:build:
This was problematic because if you import from `node:assert/strict` there is no entry in the `external` map for that path, instead you need to map it to its alias first (e.g. `node:assert`).
petebacondarwin
force-pushed
the
unenv-wrangler-inject
branch
from
03fdb3a to
12b2b8e
Compare
… since it mutates compat flags
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Show resolved
Hide resolved
packages/wrangler/src/deployment-bundle/esbuild-plugins/hybrid-nodejs-compat.ts
Show resolved
Hide resolved
|
I'm going to override the GitGuardian check failure because it is picking up a DB secret that is actually a publicly accessible DB - so a false positive. |
| compatibilityFlags.includes("nodejs_compat_v2"); | ||
|
|
||
| if (nodejsCompatV2) { | ||
| // strip the "experimental:" prefix because workerd doesn't understand it yet. |
There was a problem hiding this comment.
Given the flag is no longer experimental in workerd, do we want to keep this prefix stripping?
There was a problem hiding this comment.
No we still want to require users of Wrangler to add this - it was orthogonal to workerd's experimental constraints - and is left here to avoid people trying to use this for production while we stabilize it.
rebased version of https://github.com/cloudflare/workers-sdk/pull/5220/files which uses unenv's
injectto introduce globalsAuthor has addressed the following