@netlify/build 35.0.7 → 35.1.0

package/lib/plugins_core/edge_functions/index.js

@@ -4,7 +4,7 @@ import { bundle, find } from '@netlify/edge-bundler';
 import { pathExists } from 'path-exists';
 import { log, reduceLogLines } from '../../log/logger.js';
 import { logFunctionsToBundle } from '../../log/messages/core_steps.js';
-import { FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT, FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP, } from '../../utils/frameworks_api.js';
+import { FRAMEWORKS_API_EDGE_FUNCTIONS_PATH, FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP, } from '../../utils/frameworks_api.js';
 import { tagBundlingError } from './lib/error.js';
 import { validateEdgeFunctionsManifest } from './validate_manifest/validate_edge_functions_manifest.js';
 // TODO: Replace this with a custom cache directory.
@@ -18,12 +18,12 @@ const coreStep = async function ({ buildDir, packagePath, constants: { EDGE_FUNC
     const internalSrcPath = resolve(buildDir, internalSrcDirectory);
     const distImportMapPath = join(dirname(internalSrcPath), IMPORT_MAP_FILENAME);
     const srcPath = srcDirectory ? resolve(buildDir, srcDirectory) : undefined;
-    const frameworksAPISrcPath = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT);
+    const frameworksAPISrcPath = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_PATH);
     const generatedFunctionPaths = [internalSrcPath];
     if (await pathExists(frameworksAPISrcPath)) {
         generatedFunctionPaths.push(frameworksAPISrcPath);
     }
-    const frameworkImportMap = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT, FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP);
+    const frameworkImportMap = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_PATH, FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP);
     if (await pathExists(frameworkImportMap)) {
         importMapPaths.push(frameworkImportMap);
     }
@@ -104,7 +104,7 @@ const hasEdgeFunctionsDirectories = async function ({ buildDir, constants: { INT
     if (await pathExists(internalFunctionsSrc)) {
         return true;
     }
-    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT);
+    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_PATH);
     return await pathExists(frameworkFunctionsSrc);
 };
 const logFunctions = async ({ frameworksAPISrcPath, internalSrcDirectory, internalSrcPath, logs, srcDirectory: userFunctionsSrc, srcPath, }) => {

package/lib/plugins_core/frameworks_api/index.js

@@ -1,5 +1,9 @@
+import { promises as fs } from 'node:fs';
+import { dirname, resolve } from 'node:path';
 import { mergeConfigs } from '@netlify/config';
 import { getConfigMutations } from '../../plugins/child/diff.js';
+import { DEPLOY_CONFIG_DIST_PATH, FRAMEWORKS_API_SKEW_PROTECTION_PATH } from '../../utils/frameworks_api.js';
+import { loadSkewProtectionConfig } from './skew_protection.js';
 import { filterConfig, loadConfigFile } from './util.js';
 // The properties that can be set using this API. Each element represents a
 // path using dot-notation — e.g. `["build", "functions"]` represents the
@@ -19,9 +23,31 @@ const ALLOWED_PROPERTIES = [
 // values that should be evaluated before any user-defined values. They use
 // a special notation where `redirects!` represents "forced redirects", etc.
 const OVERRIDE_PROPERTIES = new Set(['redirects!']);
+// Looks for a skew protection configuration file. If found, the file is loaded
+// and validated against the schema, throwing a build error if validation
+// fails. If valid, the contents are written to the deploy config file.
+const handleSkewProtection = async (buildDir, packagePath) => {
+    const inputPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_SKEW_PROTECTION_PATH);
+    const outputPath = resolve(buildDir, packagePath ?? '', DEPLOY_CONFIG_DIST_PATH);
+    const skewProtectionConfig = await loadSkewProtectionConfig(inputPath);
+    if (!skewProtectionConfig) {
+        return;
+    }
+    const deployConfig = {
+        skew_protection: skewProtectionConfig,
+    };
+    try {
+        await fs.mkdir(dirname(outputPath), { recursive: true });
+        await fs.writeFile(outputPath, JSON.stringify(deployConfig));
+    }
+    catch (error) {
+        throw new Error('Failed to process skew protection configuration', { cause: error });
+    }
+};
 const coreStep = async function ({ buildDir, netlifyConfig, packagePath, systemLog = () => {
     // no-op
 }, }) {
+    await handleSkewProtection(buildDir, packagePath);
     let config;
     try {
         config = await loadConfigFile(buildDir, packagePath);

package/lib/plugins_core/frameworks_api/skew_protection.d.ts

@@ -0,0 +1,48 @@
+import { z } from 'zod';
+declare const deployIDSourceTypeSchema: z.ZodEnum<["cookie", "header", "query"]>;
+declare const deployIDSourceSchema: z.ZodObject<{
+    type: z.ZodEnum<["cookie", "header", "query"]>;
+    name: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    type: "cookie" | "header" | "query";
+}, {
+    name: string;
+    type: "cookie" | "header" | "query";
+}>;
+declare const skewProtectionConfigSchema: z.ZodObject<{
+    patterns: z.ZodArray<z.ZodString, "many">;
+    sources: z.ZodArray<z.ZodObject<{
+        type: z.ZodEnum<["cookie", "header", "query"]>;
+        name: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        type: "cookie" | "header" | "query";
+    }, {
+        name: string;
+        type: "cookie" | "header" | "query";
+    }>, "many">;
+}, "strip", z.ZodTypeAny, {
+    patterns: string[];
+    sources: {
+        name: string;
+        type: "cookie" | "header" | "query";
+    }[];
+}, {
+    patterns: string[];
+    sources: {
+        name: string;
+        type: "cookie" | "header" | "query";
+    }[];
+}>;
+export type SkewProtectionConfig = z.infer<typeof skewProtectionConfigSchema>;
+export type DeployIDSource = z.infer<typeof deployIDSourceSchema>;
+export type DeployIDSourceType = z.infer<typeof deployIDSourceTypeSchema>;
+export declare const loadSkewProtectionConfig: (configPath: string) => Promise<{
+    patterns: string[];
+    sources: {
+        name: string;
+        type: "cookie" | "header" | "query";
+    }[];
+} | undefined>;
+export {};

package/lib/plugins_core/frameworks_api/skew_protection.js

@@ -0,0 +1,37 @@
+import { promises as fs } from 'node:fs';
+import { z } from 'zod';
+const deployIDSourceTypeSchema = z.enum(['cookie', 'header', 'query']);
+const deployIDSourceSchema = z.object({
+    type: deployIDSourceTypeSchema,
+    name: z.string(),
+});
+const skewProtectionConfigSchema = z.object({
+    patterns: z.array(z.string()),
+    sources: z.array(deployIDSourceSchema),
+});
+const validateSkewProtectionConfig = (input) => {
+    const { data, error, success } = skewProtectionConfigSchema.safeParse(input);
+    if (success) {
+        return data;
+    }
+    throw new Error(`Invalid skew protection configuration:\n\n${formatSchemaError(error)}`);
+};
+export const loadSkewProtectionConfig = async (configPath) => {
+    let parsedData;
+    try {
+        const data = await fs.readFile(configPath, 'utf8');
+        parsedData = JSON.parse(data);
+    }
+    catch (error) {
+        // If the file doesn't exist, this is a non-error.
+        if (error.code === 'ENOENT') {
+            return;
+        }
+        throw new Error('Invalid skew protection configuration', { cause: error });
+    }
+    return validateSkewProtectionConfig(parsedData);
+};
+const formatSchemaError = (error) => {
+    const lines = error.issues.map((issue) => `- ${issue.path.join('.')}: ${issue.message}`);
+    return lines.join('\n');
+};

package/lib/plugins_core/frameworks_api/util.js

@@ -1,9 +1,9 @@
 import { promises as fs } from 'fs';
 import { resolve } from 'path';
 import isPlainObject from 'is-plain-obj';
-import { FRAMEWORKS_API_CONFIG_ENDPOINT } from '../../utils/frameworks_api.js';
+import { FRAMEWORKS_API_CONFIG_PATH } from '../../utils/frameworks_api.js';
 export const loadConfigFile = async (buildDir, packagePath) => {
-    const configPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_CONFIG_ENDPOINT);
+    const configPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_CONFIG_PATH);
     try {
         const data = await fs.readFile(configPath, 'utf8');
         return JSON.parse(data);

package/lib/plugins_core/functions/index.js

@@ -5,7 +5,7 @@ import { addErrorInfo } from '../../error/info.js';
 import { log } from '../../log/logger.js';
 import { getGeneratedFunctions } from '../../steps/return_values.js';
 import { logBundleResults, logFunctionsNonExistingDir, logFunctionsToBundle } from '../../log/messages/core_steps.js';
-import { FRAMEWORKS_API_FUNCTIONS_ENDPOINT } from '../../utils/frameworks_api.js';
+import { FRAMEWORKS_API_FUNCTIONS_PATH } from '../../utils/frameworks_api.js';
 import { getZipError } from './error.js';
 import { getUserAndInternalFunctions, validateFunctionsSrc } from './utils.js';
 import { getZisiParameters } from './zisi.js';
@@ -88,7 +88,7 @@ const coreStep = async function ({ childEnv, constants: { INTERNAL_FUNCTIONS_SRC
     const functionsDist = resolve(buildDir, relativeFunctionsDist);
     const internalFunctionsSrc = resolve(buildDir, relativeInternalFunctionsSrc);
     const internalFunctionsSrcExists = await pathExists(internalFunctionsSrc);
-    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_ENDPOINT);
+    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_PATH);
     const frameworkFunctionsSrcExists = await pathExists(frameworkFunctionsSrc);
     const functionsSrcExists = await validateFunctionsSrc({ functionsSrc, relativeFunctionsSrc });
     const [userFunctions = [], internalFunctions = [], frameworkFunctions = []] = await getUserAndInternalFunctions({
@@ -161,7 +161,7 @@ const hasFunctionsDirectories = async function ({ buildDir, constants: { INTERNA
     if (await pathExists(internalFunctionsSrc)) {
         return true;
     }
-    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_ENDPOINT);
+    const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_PATH);
     if (await pathExists(frameworkFunctionsSrc)) {
         return true;
     }

package/lib/plugins_core/pre_cleanup/index.js

@@ -1,9 +1,9 @@
 import { rm } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import { getBlobsDirs } from '../../utils/blobs.js';
-import { FRAMEWORKS_API_ENDPOINT } from '../../utils/frameworks_api.js';
+import { FRAMEWORKS_API_PATH } from '../../utils/frameworks_api.js';
 const coreStep = async ({ buildDir, packagePath }) => {
-    const dirs = [...getBlobsDirs(buildDir, packagePath), resolve(buildDir, packagePath || '', FRAMEWORKS_API_ENDPOINT)];
+    const dirs = [...getBlobsDirs(buildDir, packagePath), resolve(buildDir, packagePath || '', FRAMEWORKS_API_PATH)];
     try {
         await Promise.all(dirs.map((dir) => rm(dir, { recursive: true, force: true })));
     }

package/lib/utils/blobs.js

@@ -2,7 +2,7 @@ import { readFile } from 'node:fs/promises';
 import path from 'node:path';
 import { fdir } from 'fdir';
 import { DEFAULT_API_HOST } from '../core/normalize_flags.js';
-import { FRAMEWORKS_API_BLOBS_ENDPOINT } from './frameworks_api.js';
+import { FRAMEWORKS_API_BLOBS_PATH } from './frameworks_api.js';
 const LEGACY_BLOBS_PATH = '.netlify/blobs/deploy';
 const DEPLOY_CONFIG_BLOBS_PATH = '.netlify/deploy/v1/blobs/deploy';
 /** Retrieve the absolute path of the deploy scoped internal blob directories */
@@ -36,7 +36,7 @@ export const getBlobsEnvironmentContext = ({ api = { host: DEFAULT_API_HOST, sch
  */
 export const scanForBlobs = async function (buildDir, packagePath) {
     // We start by looking for files using the Frameworks API.
-    const frameworkBlobsDir = path.resolve(buildDir, packagePath || '', FRAMEWORKS_API_BLOBS_ENDPOINT, 'deploy');
+    const frameworkBlobsDir = path.resolve(buildDir, packagePath || '', FRAMEWORKS_API_BLOBS_PATH, 'deploy');
     const frameworkBlobsDirScan = await new fdir().onlyCounts().crawl(frameworkBlobsDir).withPromise();
     if (frameworkBlobsDirScan.files > 0) {
         return {

package/lib/utils/frameworks_api.d.ts

@@ -1,9 +1,11 @@
-export declare const FRAMEWORKS_API_ENDPOINT = ".netlify/v1";
-export declare const FRAMEWORKS_API_BLOBS_ENDPOINT = ".netlify/v1/blobs";
-export declare const FRAMEWORKS_API_CONFIG_ENDPOINT = ".netlify/v1/config.json";
-export declare const FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT = ".netlify/v1/edge-functions";
+export declare const FRAMEWORKS_API_PATH = ".netlify/v1";
+export declare const FRAMEWORKS_API_BLOBS_PATH = ".netlify/v1/blobs";
+export declare const FRAMEWORKS_API_CONFIG_PATH = ".netlify/v1/config.json";
+export declare const FRAMEWORKS_API_EDGE_FUNCTIONS_PATH = ".netlify/v1/edge-functions";
 export declare const FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP = "import_map.json";
-export declare const FRAMEWORKS_API_FUNCTIONS_ENDPOINT = ".netlify/v1/functions";
+export declare const FRAMEWORKS_API_FUNCTIONS_PATH = ".netlify/v1/functions";
+export declare const FRAMEWORKS_API_SKEW_PROTECTION_PATH = ".netlify/v1/skew-protection.json";
+export declare const DEPLOY_CONFIG_DIST_PATH = ".netlify/deploy-config/deploy-config.json";
 type DirectoryTreeFiles = Map<string, string[]>;
 /**
  * Traverses a directory tree in search of leaf files. The key of each leaf

package/lib/utils/frameworks_api.js

@@ -1,11 +1,13 @@
 import { basename, dirname, resolve, sep } from 'node:path';
 import { fdir } from 'fdir';
-export const FRAMEWORKS_API_ENDPOINT = '.netlify/v1';
-export const FRAMEWORKS_API_BLOBS_ENDPOINT = `${FRAMEWORKS_API_ENDPOINT}/blobs`;
-export const FRAMEWORKS_API_CONFIG_ENDPOINT = `${FRAMEWORKS_API_ENDPOINT}/config.json`;
-export const FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT = `${FRAMEWORKS_API_ENDPOINT}/edge-functions`;
+export const FRAMEWORKS_API_PATH = '.netlify/v1';
+export const FRAMEWORKS_API_BLOBS_PATH = `${FRAMEWORKS_API_PATH}/blobs`;
+export const FRAMEWORKS_API_CONFIG_PATH = `${FRAMEWORKS_API_PATH}/config.json`;
+export const FRAMEWORKS_API_EDGE_FUNCTIONS_PATH = `${FRAMEWORKS_API_PATH}/edge-functions`;
 export const FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP = 'import_map.json';
-export const FRAMEWORKS_API_FUNCTIONS_ENDPOINT = `${FRAMEWORKS_API_ENDPOINT}/functions`;
+export const FRAMEWORKS_API_FUNCTIONS_PATH = `${FRAMEWORKS_API_PATH}/functions`;
+export const FRAMEWORKS_API_SKEW_PROTECTION_PATH = `${FRAMEWORKS_API_PATH}/skew-protection.json`;
+export const DEPLOY_CONFIG_DIST_PATH = '.netlify/deploy-config/deploy-config.json';
 /**
  * Traverses a directory tree in search of leaf files. The key of each leaf
  * file is determined by its path relative to the base directory.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "35.0.7",
+  "version": "35.1.0",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -69,7 +69,7 @@
     "@bugsnag/js": "^8.0.0",
     "@netlify/blobs": "^10.0.8",
     "@netlify/cache-utils": "^6.0.4",
-    "@netlify/config": "^24.0.2",
+    "@netlify/config": "^24.0.3",
     "@netlify/edge-bundler": "14.5.2",
     "@netlify/functions-utils": "^6.2.2",
     "@netlify/git-utils": "^6.0.2",
@@ -115,7 +115,8 @@
     "typescript": "^5.0.0",
     "uuid": "^11.0.0",
     "yaml": "^2.8.0",
-    "yargs": "^17.6.0"
+    "yargs": "^17.6.0",
+    "zod": "^3.25.76"
   },
   "devDependencies": {
     "@netlify/nock-udp": "^5.0.1",
@@ -151,5 +152,5 @@
   "engines": {
     "node": ">=18.14.0"
   },
-  "gitHead": "e1251f7e7c36b6de4cf0d88777b9f362817520f3"
+  "gitHead": "27ed650158778bb4c3fd917f505b1676551013c8"
 }