@harperfast/harper 5.0.0-beta.7 → 5.0.0-beta.8

package/security/jsLoader.ts

@@ -56,6 +56,9 @@ export async function scopedImport(filePath: string | URL, scope?: ApplicationSc
 			}
 			overridableProperty(Promise.prototype, 'then');
 			overridableProperty(Date, 'now');
+			for (let name of ['get', 'set', 'has', 'delete', 'clear', 'forEach', 'entries', 'keys', 'values']) {
+				overridableProperty(Map.prototype, name);
+			}
 			for (let Intrinsic of [
 				Object,
 				Array,
@@ -121,12 +124,13 @@ export async function scopedImport(filePath: string | URL, scope?: ApplicationSc
 
 let amaro: typeof import('amaro') | undefined;
 /**
- * Strip TypeScript types using the amaro library (what Node.js uses internally)
- * Falls back to regex-based stripping if amaro is not available
+ * Strip TypeScript types synchronously using the amaro library (what Node.js uses internally)
  */
-async function stripTypeScriptTypes(source: string): Promise<string> {
+function stripTypeScriptTypes(source: string): string {
 	// Use amaro - the library that Node.js uses internally for type stripping
-	amaro = await import('amaro');
+	if (!amaro) {
+		amaro = require('amaro');
+	}
 	return amaro.transformSync(source, { mode: 'strip-only' }).code;
 }
 
@@ -146,13 +150,27 @@ function parseJsonModule(source: string, url: string): any {
  * Load a module using Node's vm.Module API with (not really secure) sandboxing
  */
 async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
-	const moduleCache = new Map<string, Promise<SourceTextModule | SyntheticModule>>();
-	const linkingPromises = new Map<string, Promise<void>>();
-	const cjsCache = new Map<string, { exports: any }>();
-
-	// Create a secure context with limited globals
-	const contextObject = getGlobalObject(scope);
-	const context = createContext(contextObject);
+	// we want to retain the same module caches across any loading with the application scope
+	let moduleCaches = scope.moduleCache as {
+		moduleCache: Map<string, SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule>>;
+		linkingPromises: Map<string, Promise<void>>;
+		cjsCache: Map<string, { exports: any }>;
+		contextObject: any;
+		context: any;
+	};
+	if (!moduleCaches) {
+		// if they haven't been initialized, do so now
+		const contextObject = getGlobalObject(scope, true);
+		moduleCaches = scope.moduleCache = {
+			moduleCache: new Map(),
+			linkingPromises: new Map(),
+			cjsCache: new Map(),
+			// Create a secure context with limited globals
+			contextObject,
+			context: createContext(contextObject),
+		};
+	}
+	const { moduleCache, linkingPromises, cjsCache, contextObject, context } = moduleCaches;
 
 	/**
 	 * Resolve module specifier to absolute URL
@@ -298,9 +316,11 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 	}
 
 	/**
-	 * Linker function for module resolution during instantiation
+	 * Linker function for module resolution during instantiation.
+	 * This is synchronous because Node's module.link() requires the linker
+	 * to return modules synchronously.
 	 */
-	async function linker(specifier: string, referencingModule: SourceTextModule | SyntheticModule) {
+	function linker(specifier: string, referencingModule: SourceTextModule | SyntheticModule) {
 		const resolvedUrl = resolveModule(specifier, referencingModule.identifier);
 
 		// Determine if we should use VM containment for this module
@@ -316,15 +336,15 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 			}
 		}
 
-		// Return the module immediately (even if not yet linked) to support circular dependencies
-		return await getOrCreateModule(resolvedUrl, useContainment);
+		// Return the module
+		return getOrCreateModule(resolvedUrl, useContainment);
 	}
 
-	async function getOrCreateModule(
+	function getOrCreateModule(
 		url: string,
 		usePrivateGlobal: boolean
-	): Promise<SourceTextModule | SyntheticModule> {
-		// Check cache first - return cached module immediately (even if not linked yet)
+	): SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule> {
+		// Check if module is already created
 		if (moduleCache.has(url)) {
 			return moduleCache.get(url)!;
 		}
@@ -345,8 +365,15 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 		// Only link/evaluate once per module
 		if (!linkingPromises.has(url)) {
 			const linkingPromise = (async () => {
-				await module.link(linker);
-				await module.evaluate();
+				// Check module status - only link if it's 'unlinked'
+				// Status can be: 'unlinked', 'linking', 'linked', 'evaluating', 'evaluated'
+				if (module.status === 'unlinked') {
+					await module.link(linker);
+				}
+				// Only evaluate if not already evaluated
+				if (module.status === 'linked') {
+					await module.evaluate();
+				}
 			})();
 			linkingPromises.set(url, linkingPromise);
 		}
@@ -357,94 +384,107 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 		return module;
 	}
 	/**
-	 * Create a module from URL without linking or evaluating
+	 * Create a SyntheticModule from exported object
 	 */
-	async function createModule(url: string, usePrivateGlobal: boolean): Promise<SourceTextModule | SyntheticModule> {
-		let module: SourceTextModule | SyntheticModule;
-
-		// Handle special built-in modules
-		if (url === 'harper') {
-			let harperExports = getHarperExports(scope);
-			module = new SyntheticModule(
-				Object.keys(harperExports),
-				function () {
-					for (let key in harperExports) {
-						this.setExport(key, harperExports[key]);
-					}
-				},
-				{ identifier: url, context }
-			);
-		} else if (url.startsWith('file://') && usePrivateGlobal) {
-			checkAllowedModulePath(url, scope.verifyPath);
-			let source = await readFile(new URL(url), { encoding: 'utf-8' });
-
-			// Handle JSON modules as a SyntheticModule with a default export.
-			// JSON imports only support default exports per the ESM spec.
-			if (url.endsWith('.json')) {
-				const jsonData = parseJsonModule(source, url);
-				module = new SyntheticModule(
-					['default'],
-					function () {
-						this.setExport('default', jsonData);
-					},
-					{ identifier: url, context }
-				);
-			} else {
-				// Strip TypeScript types if this is a .ts file
-				if (url.endsWith('.ts') || url.endsWith('.tsx')) {
-					source = await stripTypeScriptTypes(source);
+	function createSyntheticModule(url: string, exportedObject: any): SyntheticModule {
+		const exportNames = Object.keys(exportedObject);
+		return new SyntheticModule(
+			exportNames,
+			function () {
+				for (const key of exportNames) {
+					this.setExport(key, exportedObject[key]);
 				}
+			},
+			{ identifier: url, context }
+		);
+	}
 
-				// Try CJS first since it will fail fast with clear syntax errors on ESM syntax
-				try {
-					module = loadCJSModule(url, source, usePrivateGlobal);
-				} catch {
-					// If CJS loading fails (likely due to ESM syntax like import/export), try ESM
-					try {
-						module = new SourceTextModule(source, {
-							identifier: url,
-							context,
-							initializeImportMeta(meta) {
-								meta.url = url;
-							},
-							async importModuleDynamically(specifier: string) {
-								const resolvedUrl = resolveModule(specifier, url);
-								const dynamicModule = await loadModuleWithCache(resolvedUrl, true);
-								return dynamicModule;
-							},
-						});
-					} catch (esmErr) {
-						// Both failed - throw the ESM error as it's likely more relevant
-						throw esmErr;
-					}
-				}
-			}
-		} else {
-			const replacedModule = checkAllowedModulePath(url, scope.verifyPath);
-			// For Node.js built-in modules (node:) and npm packages without dependency containment
-			// Always try require first to properly handle CJS modules with named exports
-			// Fall back to dynamic import for ESM packages
-			let importedModule = replacedModule ?? (await import(url));
-			const cjsModule = importedModule['module.exports'];
-			if (cjsModule) {
-				// back-compat import
-				importedModule = importedModule.default ? { default: importedModule.default, ...cjsModule } : cjsModule;
-			}
-			const exportNames = Object.keys(importedModule);
-			module = new SyntheticModule(
-				exportNames,
+	/**
+	 * Normalize imported module to ensure it has proper exports including default
+	 */
+	function normalizeImportedModule(importedModule: any): any {
+		const cjsModule = importedModule['module.exports'];
+		if (cjsModule) {
+			// back-compat import
+			importedModule = importedModule.default ? { default: importedModule.default, ...cjsModule } : cjsModule;
+		}
+		// Ensure there's a default export for ESM imports that expect it
+		if (!importedModule.default) {
+			importedModule = { default: importedModule, ...importedModule };
+		}
+		return importedModule;
+	}
+
+	/**
+	 * Create a SourceTextModule or SyntheticModule from source code
+	 */
+	function createModuleFromSource(
+		url: string,
+		source: string,
+		usePrivateGlobal: boolean
+	): SourceTextModule | SyntheticModule {
+		// Handle JSON modules
+		if (url.endsWith('.json')) {
+			const jsonData = parseJsonModule(source, url);
+			return new SyntheticModule(
+				['default'],
 				function () {
-					for (const key of exportNames) {
-						this.setExport(key, importedModule[key]);
-					}
+					this.setExport('default', jsonData);
 				},
 				{ identifier: url, context }
 			);
 		}
 
-		return module;
+		// Strip TypeScript types if this is a .ts file
+		if (url.endsWith('.ts') || url.endsWith('.tsx')) {
+			source = stripTypeScriptTypes(source);
+		}
+
+		// Try CJS first since it will fail fast with clear syntax errors on ESM syntax
+		try {
+			return loadCJSModule(url, source, usePrivateGlobal);
+		} catch {
+			// If CJS loading fails (likely due to ESM syntax like import/export), try ESM
+			return new SourceTextModule(source, {
+				identifier: url,
+				context,
+				initializeImportMeta(meta) {
+					meta.url = url;
+				},
+				importModuleDynamically(specifier: string) {
+					const resolvedUrl = resolveModule(specifier, url);
+					const useContainment = specifier.startsWith('.') || scope.dependencyContainment !== false;
+					return loadModuleWithCache(resolvedUrl, useContainment);
+				},
+			});
+		}
 	}
 
+	/**
+	 * Create a module from URL without linking or evaluating (async version for initial load)
+	 */
+	function createModule(
+		url: string,
+		usePrivateGlobal: boolean
+	): SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule> {
+		// Handle special built-in modules
+		if (url === 'harper') {
+			return createSyntheticModule(url, getHarperExports(scope));
+		}
+
+		if (url.startsWith('file://') && usePrivateGlobal) {
+			checkAllowedModulePath(url, scope.verifyPath);
+			const source = readFileSync(new URL(url), { encoding: 'utf-8' });
+			return createModuleFromSource(url, source, usePrivateGlobal);
+		}
+
+		// For Node.js built-in modules (node:) and npm packages without dependency containment
+		const replacedModule = checkAllowedModulePath(url, scope.verifyPath);
+		if (replacedModule) {
+			return createSyntheticModule(url, normalizeImportedModule(replacedModule));
+		}
+		return import(url).then((importedModule) => createSyntheticModule(url, normalizeImportedModule(importedModule)));
+	}
 	// Load the entry module
 	const entryModule = await loadModuleWithCache(moduleUrl, true);
 
@@ -490,8 +530,8 @@ async function getCompartment(scope: ApplicationScope, globals) {
 						},
 					};
 				} else if (moduleSpecifier.startsWith('file:') && !moduleSpecifier.includes('node_modules')) {
-					const moduleText = await readFile(new URL(moduleSpecifier), { encoding: 'utf-8' });
-					// Handle JSON files in comparttment mode the same way as in VM mode
+					let moduleText = await readFile(new URL(moduleSpecifier), { encoding: 'utf-8' });
+					// Handle JSON files in compartment mode the same way as in VM mode
 					if (moduleSpecifier.endsWith('.json')) {
 						const jsonData = parseJsonModule(moduleText, moduleSpecifier);
 						return {
@@ -502,6 +542,10 @@ async function getCompartment(scope: ApplicationScope, globals) {
 							},
 						};
 					}
+					// Strip TypeScript types if this is a .ts file
+					if (moduleSpecifier.endsWith('.ts') || moduleSpecifier.endsWith('.tsx')) {
+						moduleText = stripTypeScriptTypes(moduleText);
+					}
 					return new StaticModuleRecord(moduleText, moduleSpecifier);
 				} else {
 					checkAllowedModulePath(moduleSpecifier, scope.verifyPath);
@@ -536,6 +580,9 @@ function secureOnlyFetch(resource, options) {
 	return fetch(resource, options);
 }
 
+// These globals need to match the literals produced in the VM context
+const contextualizedJSGlobals = ['Object', 'Array', 'Function', 'globalThis'];
+
 let defaultJSGlobalNames: string[];
 // get the global variable names that are intrinsically present in a VM context (so we don't override them)
 function getDefaultJSGlobalNames() {
@@ -551,12 +598,13 @@ function getDefaultJSGlobalNames() {
 /**
  * Get the set of global variables that should be available to modules that run in scoped compartments/contexts.
  */
-function getGlobalObject(scope: ApplicationScope) {
+function getGlobalObject(scope: ApplicationScope, copyIntrinsics = false) {
 	const appGlobal = {};
 	// create the new global object, assigning all the global variables from this global
 	// except those that will be natural intrinsics of the new VM
+	const globalsToExclude = copyIntrinsics ? contextualizedJSGlobals : getDefaultJSGlobalNames();
 	for (let name of Object.getOwnPropertyNames(global)) {
-		if (getDefaultJSGlobalNames().includes(name)) continue;
+		if (globalsToExclude.includes(name)) continue;
 		appGlobal[name] = global[name];
 	}
 	// now assign Harper scope-specific variables

package/server/REST.ts

@@ -173,8 +173,18 @@ async function http(request: Context & Request, nextHandler) {
 				responseData.headers = responseHeaders;
 			// if no body, look for provided data to serialize
 			if (!responseData.body) {
-				if ('data' in responseData) responseData.body = serialize(responseData.data, request, responseData);
-				else responseData.body = serialize(responseData, request, responseData);
+				let body: any;
+				if ('data' in responseData) {
+					// a standard Response object does not have a setter for body, so we force it
+					body = serialize(responseData.data, request, responseData);
+				} else if (responseData.body === undefined) {
+					// if there is really no body, serialize this object into the body. Note that `new Response()` creates a response
+					// with a null body, and will not fall into this branch
+					body = serialize(responseData, request, responseData);
+				}
+				if (body) {
+					responseData = { status: responseData.status, headers: responseData.headers, body };
+				}
 			}
 			responseData.status ??= status ?? 200;
 			return responseData;

package/server/http.ts

@@ -35,6 +35,7 @@ const httpServers = {},
 	httpChain = {},
 	httpResponders = [];
 let httpOptions: HttpOptions = {};
+export const universalHeaders: [string, string][] = [];
 
 export function handleApplication(scope: Scope) {
 	httpOptions = scope.options.getAll() as HttpOptions;
@@ -269,7 +270,9 @@ function getHTTPServer(port: number, secure: boolean, options: ServerOptions) {
 				if (!response.headers?.set) {
 					response.headers = new Headers(response.headers);
 				}
-
+				for (let [key, value] of universalHeaders) {
+					response.headers.set(key, value);
+				}
 				if (response.status === -1) {
 					// This means the HDB stack didn't handle the request, and we can then cascade the request
 					// to the server-level handler, forming the bridge to the slower legacy fastify framework that expects