@lwrjs/loader 0.22.10 → 0.22.11

package/build/modules/lwr/loaderLegacy/utils/validation.js

@@ -0,0 +1,114 @@
+/**
+ * Validation logic for LWR.importMap() API
+ *
+ * This module provides validation functions to ensure that import map updates:
+ * 1. Do not remap protected system modules (lwc, lwr/*, etc.)
+ * 2. Do not use dangerous URL schemes (blob:, data:)
+ * 3. Have well-formed specifiers and URIs
+ */
+import { hasConsole } from '../utils/dom.js';
+/**
+ * List of protected module patterns that cannot be remapped.
+ * Uses case-insensitive matching to prevent bypass attempts (e.g., HF-1027).
+ */
+const PROTECTED_PATTERNS = [
+    /^lwc$/i,
+    /^lwc\/v\//i,
+    /^@lwc\//i,
+    /^lightningmobileruntime\//i, // Lightning mobile runtime
+];
+/**
+ * Checks if a specifier matches any protected module pattern.
+ *
+ * @param specifier - The module specifier to check
+ * @returns true if the specifier is protected, false otherwise
+ */
+export function isProtectedSpecifier(specifier) {
+    return PROTECTED_PATTERNS.some((pattern) => pattern.test(specifier));
+}
+/**
+ * Validates that a URI does not use dangerous URL schemes.
+ *
+ * Blocks:
+ * - blob: URLs (HF-1027 bypass prevention) - case-insensitive
+ * - data: URLs (inline code injection) - case-insensitive
+ *
+ * @param uri - The URI to validate
+ * @param specifier - The specifier being mapped (for error messages)
+ * @throws Error if the URI uses a dangerous scheme
+ */
+export function validateMappingUri(uri, specifier) {
+    const lowerUri = uri.toLowerCase();
+    if (lowerUri.startsWith('blob:')) {
+        throw new Error(`Cannot map ${specifier} to blob: URL`);
+    }
+    if (lowerUri.startsWith('data:')) {
+        throw new Error(`Cannot map ${specifier} to data: URL`);
+    }
+}
+/**
+ * Validates that a specifier is well-formed and not protected.
+ *
+ * @param specifier - The module specifier to validate
+ * @throws Error if the specifier is invalid or protected
+ */
+export function validateSpecifier(specifier) {
+    if (typeof specifier !== 'string' || specifier.length === 0) {
+        throw new Error('Specifier must be a non-empty string');
+    }
+    if (isProtectedSpecifier(specifier)) {
+        throw new Error(`Cannot remap protected module: ${specifier}`);
+    }
+}
+/**
+ * Validates and converts an ImportMapUpdate to ImportMap format.
+ *
+ * Performs validation checks and then converts from:
+ *   { moduleScriptURL: [moduleName1, moduleName2] }
+ * To:
+ *   { imports: { moduleName1: moduleScriptURL, moduleName2: moduleScriptURL } }
+ *
+ * @param update - The ImportMapUpdate object to validate and convert
+ * @returns The converted ImportMap, or null if the update is empty
+ * @throws Error if any validation fails
+ */
+export function validateAndConvertImportMapUpdate(update) {
+    if (!update || typeof update !== 'object') {
+        throw new Error('LWR.importMap() requires an object argument');
+    }
+    // Check if update is empty
+    const entries = Object.entries(update);
+    if (entries.length === 0) {
+        if (hasConsole) {
+            // eslint-disable-next-line lwr/no-unguarded-apis
+            console.warn('LWR.importMap() called with empty update object');
+        }
+        return null;
+    }
+    const convertedImports = {};
+    for (const [moduleScriptURL, moduleNames] of entries) {
+        if (!Array.isArray(moduleNames)) {
+            throw new Error('moduleNames must be an array');
+        }
+        if (!moduleScriptURL || typeof moduleScriptURL !== 'string') {
+            throw new Error('moduleScriptURL must be a string');
+        }
+        validateMappingUri(moduleScriptURL, moduleScriptURL);
+        for (const moduleName of moduleNames) {
+            validateSpecifier(moduleName);
+            if (moduleName in convertedImports) {
+                if (hasConsole) {
+                    // eslint-disable-next-line lwr/no-unguarded-apis
+                    console.warn(`LWR.importMap(): duplicate module "${moduleName}" — already mapped to "${convertedImports[moduleName]}", ignoring mapping to "${moduleScriptURL}"`);
+                }
+            }
+            else {
+                convertedImports[moduleName] = moduleScriptURL;
+            }
+        }
+    }
+    return {
+        imports: convertedImports,
+    };
+}
+//# sourceMappingURL=validation.js.map

package/build/shim-legacy/shimLegacy.d.ts

@@ -6,6 +6,7 @@ export default class LoaderShim {
     private loaderModule;
     private defineCache;
     private orderedDefs;
+    private importMapUpdatesCache;
     private errorHandler?;
     private watchdogTimerId?;
     constructor(global: GlobalThis);
@@ -20,6 +21,19 @@ export default class LoaderShim {
      *          the order in which the modules were defined
      */
     private tempDefine;
+    /**
+     * Create a temporary LWR.importMap() function which captures all
+     * import map updates that occur BEFORE the full loader module is available
+     *
+     * Each import map update is validated, converted to moduleName -> URL mapping,
+     * and merged into the importMapUpdatesCache with write-once protection
+     */
+    private tempImportMap;
+    /**
+     * Apply all cached import map updates and merge with bootstrap import map
+     * Returns merged import map
+     */
+    private getImportMappingsWithUpdates;
     private postCustomInit;
     private initApp;
     private waitForBody;

package/build/shim-legacy/shimLegacy.js

@@ -4,6 +4,8 @@ import { logOperationStart, logOperationEnd } from 'lwr/profiler';
 import { createLoader } from './loaderLegacy.js';
 import { REQUIRED_MODULES_TIMEOUT } from '../shim/constants.js';
 import { customInit } from '../shim/customInit.js';
+import { validateAndConvertImportMapUpdate } from '../modules/lwr/loaderLegacy/utils/validation.js';
+import { mergeImportMapEntry } from '../modules/lwr/loaderLegacy/importMap/utils.js';
 /* eslint-disable lwr/no-unguarded-apis */
 const hasSetTimeout = typeof setTimeout === 'function';
 const hasConsole = typeof console !== 'undefined';
@@ -13,6 +15,7 @@ export default class LoaderShim {
     constructor(global) {
         this.defineCache = {};
         this.orderedDefs = [];
+        this.importMapUpdatesCache = {};
         // Start watchdog timer
         if (hasSetTimeout) {
             this.watchdogTimerId = this.startWatchdogTimer();
@@ -23,9 +26,11 @@ export default class LoaderShim {
         this.loaderModule = 'lwr/loaderLegacy/v/__VERSION__';
         // Set up error handler
         this.errorHandler = this.config.onError;
-        // Set up the temporary LWR.define function and customInit hook
+        // Set up the temporary LWR.define and LWR.importMap functions
         const tempDefine = this.tempDefine.bind(this);
         global.LWR.define = tempDefine;
+        const tempImportMapMethod = this.tempImportMap.bind(this);
+        global.LWR.importMap = tempImportMapMethod;
         this.bootReady = this.config.autoBoot;
         try {
             this.createProfilerModule(global.LWR.define);
@@ -73,6 +78,48 @@ export default class LoaderShim {
             this.initApp();
         }
     }
+    /**
+     * Create a temporary LWR.importMap() function which captures all
+     * import map updates that occur BEFORE the full loader module is available
+     *
+     * Each import map update is validated, converted to moduleName -> URL mapping,
+     * and merged into the importMapUpdatesCache with write-once protection
+     */
+    tempImportMap(importMapUpdate) {
+        try {
+            // Validate and convert the import map update to { imports: { moduleName: moduleScriptURL } }
+            const importMap = validateAndConvertImportMapUpdate(importMapUpdate);
+            // Early return if update was empty
+            if (!importMap) {
+                return;
+            }
+            // Merge into cache with write-once protection
+            for (const [moduleName, moduleScriptURL] of Object.entries(importMap.imports)) {
+                mergeImportMapEntry(moduleName, moduleScriptURL, this.importMapUpdatesCache);
+            }
+        }
+        catch (e) {
+            this.enterErrorState(e);
+        }
+    }
+    /**
+     * Apply all cached import map updates and merge with bootstrap import map
+     * Returns merged import map
+     */
+    getImportMappingsWithUpdates() {
+        // Start with bootstrap import map
+        // Cast importMappings from object to ImportMap to access properties
+        const bootstrapMappings = this.config.importMappings;
+        // Merge with write-once protection: bootstrap mappings take precedence
+        const mergedImports = { ...(bootstrapMappings?.imports || {}) };
+        for (const [specifier, uri] of Object.entries(this.importMapUpdatesCache)) {
+            mergeImportMapEntry(specifier, uri, mergedImports);
+        }
+        return {
+            ...(bootstrapMappings || {}),
+            imports: mergedImports,
+        };
+    }
     // Called by the customInit hook via lwr.initializeApp()
     postCustomInit() {
         this.bootReady = true;
@@ -155,10 +202,12 @@ export default class LoaderShim {
     }
     // Set up the application globals, import map, root custom element...
     mountApp(loader) {
-        const { bootstrapModule, rootComponent, importMappings, rootComponents, serverData, endpoints } = this.config;
+        const { bootstrapModule, rootComponent, rootComponents, serverData, endpoints } = this.config;
+        const importMappings = this.getImportMappingsWithUpdates();
         // Set global LWR.define to loader.define
         this.global.LWR = Object.freeze({
             define: loader.define.bind(loader),
+            importMap: loader.importMap.bind(loader),
             rootComponent,
             rootComponents,
             serverData: serverData || {},

package/build/types.d.ts

@@ -4,6 +4,7 @@ import type { ProfilerAPI, LogDispatcher } from 'lwr/profiler';
 export type GlobalThis = {
     LWR: Partial<ClientBootstrapConfig> & {
         define: LoaderDefine;
+        importMap?: LwrImportMapUpdateMethod;
     };
     [key: string]: unknown;
 };
@@ -30,6 +31,8 @@ export interface ResolvedLoader {
 export type LoaderClass = {
     new (config?: LoaderConfig): LoaderAPI;
 };
+export type ImportMapUpdate = Record<string, string[]>;
+export type LwrImportMapUpdateMethod = (update: ImportMapUpdate) => void;
 export interface BaseLoaderAPI {
     define: LoaderDefine;
     load(id: string): Promise<unknown>;
@@ -40,6 +43,7 @@ export interface BaseLoaderAPI {
 }
 export interface LoaderAPI extends BaseLoaderAPI {
     registerImportMappings(mappings?: ImportMap): Promise<void>;
+    importMap: LwrImportMapUpdateMethod;
 }
 export type LoaderConfig = {
     baseUrl?: string;

package/package.json

@@ -5,7 +5,7 @@
     "publishConfig": {
         "access": "public"
     },
-    "version": "0.22.10",
+    "version": "0.22.11",
     "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
     "repository": {
         "type": "git",
@@ -61,16 +61,16 @@
     },
     "devDependencies": {
         "@locker/trusted-types": "0.26.4",
-        "@lwrjs/diagnostics": "0.22.10",
-        "@lwrjs/types": "0.22.10",
+        "@lwrjs/diagnostics": "0.22.11",
+        "@lwrjs/types": "0.22.11",
         "@rollup/plugin-node-resolve": "^15.2.3",
         "@rollup/plugin-sucrase": "^5.0.2",
         "@rollup/plugin-terser": "^0.4.4",
         "rollup": "^2.80.0"
     },
     "dependencies": {
-        "@lwrjs/client-modules": "0.22.10",
-        "@lwrjs/shared-utils": "0.22.10"
+        "@lwrjs/client-modules": "0.22.11",
+        "@lwrjs/shared-utils": "0.22.11"
     },
     "lwc": {
         "modules": [
@@ -90,5 +90,5 @@
     "volta": {
         "extends": "../../../package.json"
     },
-    "gitHead": "52b77087a10567ad62b48bde04607c627580105d"
+    "gitHead": "85710371aa359747e08a064d4b4a2b3dfed1d30a"
 }