@jsenv/core 41.2.7 → 41.2.8

package/dist/build/build.js

@@ -6411,7 +6411,30 @@ const jsenvPluginDirectoryListing = ({
       const { request, requestedUrl, mainFilePath, rootDirectoryUrl } =
         reference.ownerUrlInfo.context;
       if (!fsStat) {
-        if (!request || request.headers["sec-fetch-dest"] !== "document") {
+        if (!request) {
+          // no request we should not serve directoy listing
+          return null;
+        }
+        const secFetchDest = request.headers["sec-fetch-dest"];
+        if (secFetchDest && secFetchDest !== "document") {
+          // we have sec fetch dest and it's not document so it's not a navigation request, we should not serve directory listing
+          return null;
+        }
+        if (!secFetchDest) {
+          // beware we might end up here when nav context is not trusted (http, ip url etc)
+          // in that case we fallback to detecting if the request explicitly accepts html.
+          // browsers navigating to a page send "text/html,..." explicitly; programmatic
+          // fetch clients like Node.js send "*/*" which should NOT trigger directory listing.
+          // We must NOT use pickContentType here because it matches "text/html" via the
+          // "*/*" wildcard, causing programmatic fetches to receive the directory listing
+          // HTML page (status 200) instead of a 404.
+          const acceptHeader = request.headers.accept || "";
+          if (!acceptHeader.includes("text/html")) {
+            return null;
+          }
+        }
+        // requestedUrl must be a proper file:// URL (no encoded slashes)
+        if (requestedUrl.includes("%2F") || requestedUrl.includes("%2f")) {
           return null;
         }
         if (url !== requestedUrl) {

package/dist/build/jsenv_core_packages.js

@@ -5742,13 +5742,11 @@ const applyPackageResolve = (packageSpecifier, resolutionContext) => {
   if (packageSpecifier === "") {
     throw new Error("invalid module specifier");
   }
-  if (
-    conditions.includes("node") &&
-    isSpecifierForNodeBuiltin(packageSpecifier)
-  ) {
+  // "node:" prefixed specifiers always resolve to node builtins
+  if (packageSpecifier.startsWith("node:")) {
     return createResolutionResult({
       type: "node_builtin_specifier",
-      url: `node:${packageSpecifier}`,
+      url: packageSpecifier,
     });
   }
   let { packageName, packageSubpath } = parsePackageSpecifier(packageSpecifier);
@@ -5808,6 +5806,17 @@ const applyPackageResolve = (packageSpecifier, resolutionContext) => {
       packageJson,
     });
   }
+  // Bare builtin names (without "node:" prefix) are valid only if no local package found
+  // Local packages always take priority over builtins with the same name
+  if (
+    conditions.includes("node") &&
+    isSpecifierForNodeBuiltin(packageSpecifier)
+  ) {
+    return createResolutionResult({
+      type: "node_builtin_specifier",
+      url: `node:${packageSpecifier}`,
+    });
+  }
   throw createModuleNotFoundError(packageName, resolutionContext);
 };
 

package/dist/client/directory_listing/directory_listing.html

@@ -5,6 +5,7 @@
     <meta charset="utf-8">
     <link rel="icon" href="data:,">
     <link rel="stylesheet" href="./css/directory_listing.css">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
   </head>
 
   <body data-theme="dark">

package/dist/start_dev_server/jsenv_core_packages.js

@@ -5208,13 +5208,11 @@ const applyPackageResolve = (packageSpecifier, resolutionContext) => {
   if (packageSpecifier === "") {
     throw new Error("invalid module specifier");
   }
-  if (
-    conditions.includes("node") &&
-    isSpecifierForNodeBuiltin(packageSpecifier)
-  ) {
+  // "node:" prefixed specifiers always resolve to node builtins
+  if (packageSpecifier.startsWith("node:")) {
     return createResolutionResult({
       type: "node_builtin_specifier",
-      url: `node:${packageSpecifier}`,
+      url: packageSpecifier,
     });
   }
   let { packageName, packageSubpath } = parsePackageSpecifier(packageSpecifier);
@@ -5274,6 +5272,17 @@ const applyPackageResolve = (packageSpecifier, resolutionContext) => {
       packageJson,
     });
   }
+  // Bare builtin names (without "node:" prefix) are valid only if no local package found
+  // Local packages always take priority over builtins with the same name
+  if (
+    conditions.includes("node") &&
+    isSpecifierForNodeBuiltin(packageSpecifier)
+  ) {
+    return createResolutionResult({
+      type: "node_builtin_specifier",
+      url: `node:${packageSpecifier}`,
+    });
+  }
   throw createModuleNotFoundError(packageName, resolutionContext);
 };
 

package/dist/start_dev_server/start_dev_server.js

@@ -2471,7 +2471,30 @@ const jsenvPluginDirectoryListing = ({
       const { request, requestedUrl, mainFilePath, rootDirectoryUrl } =
         reference.ownerUrlInfo.context;
       if (!fsStat) {
-        if (!request || request.headers["sec-fetch-dest"] !== "document") {
+        if (!request) {
+          // no request we should not serve directoy listing
+          return null;
+        }
+        const secFetchDest = request.headers["sec-fetch-dest"];
+        if (secFetchDest && secFetchDest !== "document") {
+          // we have sec fetch dest and it's not document so it's not a navigation request, we should not serve directory listing
+          return null;
+        }
+        if (!secFetchDest) {
+          // beware we might end up here when nav context is not trusted (http, ip url etc)
+          // in that case we fallback to detecting if the request explicitly accepts html.
+          // browsers navigating to a page send "text/html,..." explicitly; programmatic
+          // fetch clients like Node.js send "*/*" which should NOT trigger directory listing.
+          // We must NOT use pickContentType here because it matches "text/html" via the
+          // "*/*" wildcard, causing programmatic fetches to receive the directory listing
+          // HTML page (status 200) instead of a 404.
+          const acceptHeader = request.headers.accept || "";
+          if (!acceptHeader.includes("text/html")) {
+            return null;
+          }
+        }
+        // requestedUrl must be a proper file:// URL (no encoded slashes)
+        if (requestedUrl.includes("%2F") || requestedUrl.includes("%2f")) {
           return null;
         }
         if (url !== requestedUrl) {
@@ -10148,7 +10171,7 @@ const startDevServer = async ({
   ignore,
   port = 3456,
   hostname,
-  acceptAnyIp,
+  acceptAnyIp = true,
   https,
   // it's better to use http1 by default because it allows to get statusText in devtools
   // which gives valuable information when there is errors

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsenv/core",
-  "version": "41.2.7",
+  "version": "41.2.8",
   "type": "module",
   "description": "Tool to develop, test and build js projects",
   "repository": {
@@ -72,14 +72,14 @@
     "test:snapshot_clear": "npx @jsenv/filesystem clear **/tests/**/side_effects/"
   },
   "dependencies": {
-    "@jsenv/ast": "6.8.1",
-    "@jsenv/js-module-fallback": "1.4.31",
-    "@jsenv/plugin-bundling": "2.10.11",
+    "@jsenv/ast": "6.8.2",
+    "@jsenv/js-module-fallback": "1.4.32",
+    "@jsenv/plugin-bundling": "2.10.12",
     "@jsenv/plugin-minification": "1.7.3",
-    "@jsenv/plugin-supervisor": "1.8.2",
-    "@jsenv/plugin-transpilation": "1.5.73",
+    "@jsenv/plugin-supervisor": "1.8.3",
+    "@jsenv/plugin-transpilation": "1.5.74",
     "@jsenv/server": "17.3.0",
-    "@jsenv/sourcemap": "1.3.17",
+    "@jsenv/sourcemap": "1.3.18",
     "react-table": "7.8.0"
   },
   "devDependencies": {

package/src/dev/start_dev_server.js

@@ -53,7 +53,7 @@ export const startDevServer = async ({
   ignore,
   port = 3456,
   hostname,
-  acceptAnyIp,
+  acceptAnyIp = true,
   https,
   // it's better to use http1 by default because it allows to get statusText in devtools
   // which gives valuable information when there is errors

package/src/plugins/protocol_file/client/directory_listing.html

@@ -5,6 +5,7 @@
     <meta charset="utf-8" />
     <link rel="icon" href="data:," />
     <link rel="stylesheet" href="./directory_listing.css" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
   </head>
 
   <body data-theme="dark">

package/src/plugins/protocol_file/jsenv_plugin_directory_listing.js

@@ -71,7 +71,30 @@ export const jsenvPluginDirectoryListing = ({
       const { request, requestedUrl, mainFilePath, rootDirectoryUrl } =
         reference.ownerUrlInfo.context;
       if (!fsStat) {
-        if (!request || request.headers["sec-fetch-dest"] !== "document") {
+        if (!request) {
+          // no request we should not serve directoy listing
+          return null;
+        }
+        const secFetchDest = request.headers["sec-fetch-dest"];
+        if (secFetchDest && secFetchDest !== "document") {
+          // we have sec fetch dest and it's not document so it's not a navigation request, we should not serve directory listing
+          return null;
+        }
+        if (!secFetchDest) {
+          // beware we might end up here when nav context is not trusted (http, ip url etc)
+          // in that case we fallback to detecting if the request explicitly accepts html.
+          // browsers navigating to a page send "text/html,..." explicitly; programmatic
+          // fetch clients like Node.js send "*/*" which should NOT trigger directory listing.
+          // We must NOT use pickContentType here because it matches "text/html" via the
+          // "*/*" wildcard, causing programmatic fetches to receive the directory listing
+          // HTML page (status 200) instead of a 404.
+          const acceptHeader = request.headers.accept || "";
+          if (!acceptHeader.includes("text/html")) {
+            return null;
+          }
+        }
+        // requestedUrl must be a proper file:// URL (no encoded slashes)
+        if (requestedUrl.includes("%2F") || requestedUrl.includes("%2f")) {
           return null;
         }
         if (url !== requestedUrl) {