npm - @nuxt/scripts - Versions diffs - 1.0.0-beta.3 → 1.0.0-beta.30 - Mend

@nuxt/scripts 1.0.0-beta.3 → 1.0.0-beta.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/dist/shared/scripts.ViOoYQXH.mjs ADDED Viewed

@@ -0,0 +1,381 @@
+const GA_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.google-analytics\.com\/g\/collect"/g;
+const GA_ANALYTICS_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.analytics\.google\.com\/g\/collect"/g;
+const FATHOM_SELF_HOSTED_RE = /\.src\.indexOf\("cdn\.usefathom\.com"\)\s*<\s*0/;
+const RYBBIT_HOST_SPLIT_RE = /\w+\.split\(["']\/script\.js["']\)\[0\]/g;
+const PRIVACY_NONE = { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+const PRIVACY_FULL = { ip: true, userAgent: true, language: true, screen: true, timezone: true, hardware: true };
+const PRIVACY_HEATMAP = { ip: true, userAgent: false, language: true, screen: false, timezone: false, hardware: true };
+const PRIVACY_IP_ONLY = { ip: true, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+function deriveRewrites(domains, proxyPrefix) {
+  return domains.map(([domain, alias]) => ({
+    from: domain,
+    to: `${proxyPrefix}/${alias}`
+  }));
+}
+function deriveRoutes(domains, proxyPrefix) {
+  const routes = {};
+  const seen = /* @__PURE__ */ new Set();
+  for (const [domain, alias] of domains) {
+    if (seen.has(alias))
+      continue;
+    seen.add(alias);
+    routes[`${proxyPrefix}/${alias}/**`] = { proxy: `https://${domain}/**` };
+  }
+  return routes;
+}
+function fromDomains(domains, proxyPrefix, opts) {
+  const { extraRewrites, ...rest } = opts;
+  const rewrites = deriveRewrites(domains, proxyPrefix);
+  if (extraRewrites) {
+    for (const r of extraRewrites)
+      rewrites.push({ from: r.from, to: `${proxyPrefix}/${r.to}` });
+  }
+  return { rewrite: rewrites, routes: deriveRoutes(domains, proxyPrefix), ...rest };
+}
+function buildProxyConfig(proxyPrefix) {
+  return {
+    googleAnalytics: fromDomains(
+      [
+        ["www.google-analytics.com", "ga"],
+        ["analytics.google.com", "ga"],
+        ["stats.g.doubleclick.net", "ga-dc"],
+        ["pagead2.googlesyndication.com", "ga-syn"],
+        ["www.googleadservices.com", "ga-ads"],
+        ["googleads.g.doubleclick.net", "ga-gads"]
+      ],
+      proxyPrefix,
+      {
+        // GA4: screen/timezone/UA needed for device, time, and OS reports; rest anonymized safely
+        privacy: PRIVACY_HEATMAP,
+        extraRewrites: [
+          // Modern gtag.js uses www.google.com/g/collect
+          { from: "www.google.com/g/collect", to: "ga/g/collect" },
+          // Suffix patterns for dynamically constructed URLs
+          { from: ".google-analytics.com/g/collect", to: "ga/g/collect" },
+          { from: ".analytics.google.com/g/collect", to: "ga/g/collect" },
+          // Full domain + path patterns
+          { from: "www.google-analytics.com/g/collect", to: "ga/g/collect" },
+          { from: "analytics.google.com/g/collect", to: "ga/g/collect" },
+          // DoubleClick collect endpoint
+          { from: "stats.g.doubleclick.net/g/collect", to: "ga/g/collect" }
+        ],
+        // GA4 dynamically constructs collect URLs via string concatenation that can't be
+        // caught by AST rewriting. These regex patches handle the remaining patterns.
+        postProcess(output, rewrites) {
+          const gaRewrite = rewrites.find((r) => r.from.includes("google-analytics.com/g/collect"));
+          if (gaRewrite) {
+            output = output.replace(
+              GA_COLLECT_RE,
+              (_, prevChar) => `${prevChar ? `${prevChar} ` : ""}self.location.origin+"${gaRewrite.to}"`
+            );
+            output = output.replace(
+              GA_ANALYTICS_COLLECT_RE,
+              (_, prevChar) => `${prevChar ? `${prevChar} ` : ""}self.location.origin+"${gaRewrite.to}"`
+            );
+          }
+          return output;
+        }
+      }
+    ),
+    googleTagManager: fromDomains(
+      [["www.googletagmanager.com", "gtm"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    metaPixel: fromDomains(
+      [
+        ["connect.facebook.net", "meta"],
+        ["www.facebook.com/tr", "meta-tr"],
+        ["facebook.com/tr", "meta-tr"],
+        ["pixel.facebook.com", "meta-px"],
+        ["www.facebook.com/plugins", "meta-plugins"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    tiktokPixel: fromDomains(
+      [["analytics.tiktok.com", "tiktok"]],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    segment: fromDomains(
+      [
+        ["api.segment.io", "segment"],
+        ["cdn.segment.com", "segment-cdn"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    xPixel: fromDomains(
+      [
+        ["analytics.twitter.com", "x"],
+        ["static.ads-twitter.com", "x-ads"],
+        ["t.co", "x-t"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    snapchatPixel: fromDomains(
+      [
+        ["sc-static.net", "snap-cdn"],
+        ["tr.snapchat.com", "snap"],
+        ["pixel.tapad.com", "snap-tapad"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    redditPixel: fromDomains(
+      [
+        ["www.redditstatic.com", "reddit-cdn"],
+        ["alb.reddit.com", "reddit"],
+        ["pixel-config.reddit.com", "reddit-cfg"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    clarity: fromDomains(
+      [
+        ["www.clarity.ms", "clarity"],
+        ["scripts.clarity.ms", "clarity-scripts"],
+        ["d.clarity.ms", "clarity-data"],
+        ["e.clarity.ms", "clarity-events"],
+        ["k.clarity.ms", "clarity-collect"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_HEATMAP }
+    ),
+    posthog: {
+      // No rewrites needed - PostHog uses NPM mode, SDK URLs are set via api_host config
+      privacy: PRIVACY_NONE,
+      routes: {
+        // US region
+        [`${proxyPrefix}/ph/static/**`]: { proxy: "https://us-assets.i.posthog.com/static/**" },
+        [`${proxyPrefix}/ph/**`]: { proxy: "https://us.i.posthog.com/**" },
+        // EU region
+        [`${proxyPrefix}/ph-eu/static/**`]: { proxy: "https://eu-assets.i.posthog.com/static/**" },
+        [`${proxyPrefix}/ph-eu/**`]: { proxy: "https://eu.i.posthog.com/**" }
+      },
+      autoInject: {
+        configField: "apiHost",
+        computeValue: (proxyPrefix2, config) => {
+          const region = config.region || "us";
+          return region === "eu" ? `${proxyPrefix2}/ph-eu` : `${proxyPrefix2}/ph`;
+        }
+      }
+    },
+    hotjar: fromDomains(
+      [
+        ["static.hotjar.com", "hotjar"],
+        ["script.hotjar.com", "hotjar-script"],
+        ["vars.hotjar.com", "hotjar-vars"],
+        ["in.hotjar.com", "hotjar-in"],
+        ["vc.hotjar.com", "hotjar-vc"],
+        ["vc.hotjar.io", "hotjar-vc"],
+        ["metrics.hotjar.io", "hotjar-metrics"],
+        ["insights.hotjar.com", "hotjar-insights"],
+        ["ask.hotjar.io", "hotjar-ask"],
+        ["events.hotjar.io", "hotjar-events"],
+        ["identify.hotjar.com", "hotjar-identify"],
+        ["surveystats.hotjar.io", "hotjar-surveys"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_HEATMAP }
+    ),
+    plausibleAnalytics: fromDomains(
+      [["plausible.io", "plausible"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "endpoint",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/plausible/api/event`
+        }
+      }
+    ),
+    cloudflareWebAnalytics: fromDomains(
+      [
+        ["static.cloudflareinsights.com", "cfwa"],
+        ["cloudflareinsights.com", "cfwa-beacon"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    rybbitAnalytics: fromDomains(
+      [["app.rybbit.io", "rybbit"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "analyticsHost",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/rybbit/api`
+        },
+        // Rybbit SDK derives API host via `e.split("/script.js")[0]` from the script tag's
+        // src attribute. When bundled, src becomes /_scripts/assets/<hash>.js so the split fails.
+        postProcess(output, rewrites) {
+          const rybbitRewrite = rewrites.find((r) => r.from === "app.rybbit.io");
+          if (rybbitRewrite) {
+            output = output.replace(
+              RYBBIT_HOST_SPLIT_RE,
+              `self.location.origin+"${rybbitRewrite.to}/api"`
+            );
+          }
+          return output;
+        }
+      }
+    ),
+    umamiAnalytics: fromDomains(
+      [["cloud.umami.is", "umami"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        extraRewrites: [
+          { from: "api-gateway.umami.dev", to: "umami" }
+        ],
+        autoInject: {
+          configField: "hostUrl",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/umami`
+        }
+      }
+    ),
+    databuddyAnalytics: fromDomains(
+      [
+        ["cdn.databuddy.cc", "databuddy"],
+        ["basket.databuddy.cc", "databuddy-api"]
+      ],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "apiUrl",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/databuddy-api`
+        }
+      }
+    ),
+    fathomAnalytics: fromDomains(
+      [["cdn.usefathom.com", "fathom"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        // Fathom SDK checks if script src contains "cdn.usefathom.com" to detect self-hosted
+        // mode, then overrides trackerUrl with the script host's root. After AST rewrite already
+        // set trackerUrl to the proxy URL, neutralize this check so it doesn't override it.
+        postProcess(output) {
+          return output.replace(
+            FATHOM_SELF_HOSTED_RE,
+            '.src.indexOf("cdn.usefathom.com")<-1'
+          );
+        }
+      }
+    ),
+    intercom: fromDomains(
+      [
+        ["widget.intercom.io", "intercom"],
+        ["api-iam.intercom.io", "intercom-api"],
+        ["api-iam.eu.intercom.io", "intercom-api-eu"],
+        ["api-iam.au.intercom.io", "intercom-api-au"],
+        ["js.intercomcdn.com", "intercom-cdn"],
+        ["downloads.intercomcdn.com", "intercom-downloads"],
+        ["video-messages.intercomcdn.com", "intercom-video"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    crisp: fromDomains(
+      [
+        ["client.crisp.chat", "crisp"],
+        ["client.relay.crisp.chat", "crisp-relay"],
+        ["assets.crisp.chat", "crisp-assets"],
+        ["go.crisp.chat", "crisp-go"],
+        ["image.crisp.chat", "crisp-image"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    vercelAnalytics: fromDomains(
+      [["va.vercel-scripts.com", "vercel"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    gravatar: fromDomains(
+      [
+        ["secure.gravatar.com", "gravatar"],
+        ["gravatar.com/avatar", "gravatar-avatar"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    carbonAds: fromDomains(
+      [["cdn.carbonads.com", "carbon"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    lemonSqueezy: fromDomains(
+      [["assets.lemonsqueezy.com", "lemonsqueezy"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    matomoAnalytics: fromDomains(
+      [["cdn.matomo.cloud", "matomo"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    stripe: fromDomains(
+      [["js.stripe.com", "stripe"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    paypal: fromDomains(
+      [["www.paypal.com", "paypal"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    youtubePlayer: fromDomains(
+      [["www.youtube.com", "youtube"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    vimeoPlayer: fromDomains(
+      [["player.vimeo.com", "vimeo"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    googleRecaptcha: {
+      privacy: PRIVACY_IP_ONLY,
+      rewrite: [
+        { from: "www.gstatic.com", to: `${proxyPrefix}/gstatic` },
+        // www.google.com is shared with GA — only rewrite /recaptcha paths
+        { from: "www.google.com/recaptcha", to: `${proxyPrefix}/grecaptcha` },
+        { from: "www.recaptcha.net/recaptcha", to: `${proxyPrefix}/grecaptcha` }
+      ],
+      routes: {
+        [`${proxyPrefix}/gstatic/**`]: { proxy: "https://www.gstatic.com/**" },
+        [`${proxyPrefix}/grecaptcha/**`]: { proxy: "https://www.google.com/recaptcha/**" }
+      }
+    },
+    googleSignIn: fromDomains(
+      [["accounts.google.com", "gsignin"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    )
+  };
+}
+function getAllProxyConfigs(proxyPrefix) {
+  return buildProxyConfig(proxyPrefix);
+}
+const PROXY_URL_RE = /^https?:\/\/([^/]+)(\/.*)?\/\*\*$/;
+const ROUTE_WILDCARD_RE = /\/\*\*$/;
+function routesToInterceptRules(routes) {
+  const rules = [];
+  for (const [localPath, { proxy }] of Object.entries(routes)) {
+    const match = proxy.match(PROXY_URL_RE);
+    if (match?.[1]) {
+      const domain = match[1];
+      const pathPrefix = match[2] || "";
+      const target = localPath.replace(ROUTE_WILDCARD_RE, "");
+      rules.push({ pattern: domain, pathPrefix, target });
+    }
+  }
+  return rules;
+}
+export { getAllProxyConfigs as g, routesToInterceptRules as r };

package/dist/stats.d.mts ADDED Viewed

@@ -0,0 +1,202 @@
+type TrackedDataType = 'page-views' | 'events' | 'conversions' | 'user-identity' | 'session-replay' | 'heatmaps' | 'clicks' | 'scrolls' | 'retargeting' | 'audiences' | 'form-submissions' | 'video-engagement' | 'transactions' | 'errors' | 'tag-injection' | 'ab-testing';
+interface ScriptPrivacy {
+    ip: boolean;
+    userAgent: boolean;
+    language: boolean;
+    screen: boolean;
+    timezone: boolean;
+    hardware: boolean;
+}
+interface ScriptSizeDetail {
+    url: string;
+    transferKb: number;
+    decodedKb: number;
+    encoding: string;
+    durationMs: number;
+    initiatorType: string;
+    protocol: string;
+}
+interface ScriptApis {
+    cookies: boolean;
+    localStorage: boolean;
+    sessionStorage: boolean;
+    indexedDB: boolean;
+    canvas: boolean;
+    webgl: boolean;
+    audioContext: boolean;
+    userAgent: boolean;
+    doNotTrack: boolean;
+    hardwareConcurrency: boolean;
+    deviceMemory: boolean;
+    plugins: boolean;
+    languages: boolean;
+    screen: boolean;
+    timezone: boolean;
+    platform: boolean;
+    vendor: boolean;
+    connection: boolean;
+    maxTouchPoints: boolean;
+    devicePixelRatio: boolean;
+    mediaDevices: boolean;
+    getBattery: boolean;
+    referrer: boolean;
+    windowName: boolean;
+    rtcPeerConnection: boolean;
+    geolocation: boolean;
+    serviceWorker: boolean;
+    cacheApi: boolean;
+    sendBeacon: boolean;
+    fetch: boolean;
+    xhr: boolean;
+    websocket: boolean;
+    mutationObserver: boolean;
+    performanceObserver: boolean;
+    intersectionObserver: boolean;
+}
+type PrivacyGrade = 'A+' | 'A' | 'B' | 'C' | 'D' | 'F';
+interface PrivacyRating {
+    /** Overall letter grade */
+    grade: PrivacyGrade;
+    /** 0–100, higher = more invasive */
+    score: number;
+    /** Breakdown by privacy concern category */
+    breakdown: {
+        /** Browser fingerprinting APIs — entropy-weighted per AmIUnique/Panopticlick research (0–30) */
+        fingerprinting: {
+            score: number;
+            apis: string[];
+        };
+        /** Persistent storage + cookie tracking (0–25) */
+        persistence: {
+            score: number;
+            thirdPartyCookies: number;
+            longLivedCookies: number;
+            storageApis: string[];
+        };
+        /** Cross-domain data exfiltration & tracking network (0–25) */
+        network: {
+            score: number;
+            domains: number;
+            outboundBytes: number;
+            trackingPixels: number;
+        };
+        /** Behavioral observation APIs (0–10) */
+        monitoring: {
+            score: number;
+            apis: string[];
+        };
+        /** Data collection scope — what types of data are tracked (0–10) */
+        dataScope: {
+            score: number;
+            types: string[];
+        };
+        /** Fingerprint exfiltration — heavy FP APIs combined with outbound channels (0–25) */
+        fpExfiltration: {
+            score: number;
+            heavyApis: string[];
+        };
+    };
+}
+interface ScriptCookie {
+    name: string;
+    domain: string;
+    path: string;
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: string;
+    session: boolean;
+    lifetimeDays: number;
+    firstParty: boolean;
+}
+interface NetworkSummary {
+    requestCount: number;
+    domains: string[];
+    outboundBytes: number;
+    inboundBytes: number;
+    injectedElements: {
+        tag: string;
+        src: string;
+    }[];
+}
+interface CwvEstimate {
+    /** Estimated LCP delay: scriptDurationMs blocks rendering during page load */
+    lcpImpactMs: number;
+    /** CLS risk: true if script injects visible DOM elements (iframes, images) without reserved space */
+    clsRisk: boolean;
+    /** Number of visible elements injected that could cause layout shifts */
+    clsElements: number;
+    /** INP risk level based on script weight + DOM observation */
+    inpRiskLevel: 'low' | 'medium' | 'high';
+}
+interface PerformanceSummary {
+    taskDurationMs: number;
+    scriptDurationMs: number;
+    heapDeltaKb: number;
+}
+type PerformanceGrade = 'A+' | 'A' | 'B' | 'C' | 'D' | 'F';
+interface PerformanceRating {
+    /** Overall letter grade */
+    grade: PerformanceGrade;
+    /** 0–100, higher = worse performance impact */
+    score: number;
+    /** Breakdown by impact area */
+    breakdown: {
+        /** Network cost — transfer size relative to performance budgets (0–30) */
+        networkCost: {
+            score: number;
+            transferKb: number;
+        };
+        /** Main thread blocking — task duration that delays interactivity (0–30) */
+        mainThread: {
+            score: number;
+            taskDurationMs: number;
+            scriptDurationMs: number;
+        };
+        /** Memory pressure — heap allocation impact (0–20) */
+        memory: {
+            score: number;
+            heapDeltaKb: number;
+        };
+        /** Connection overhead — additional HTTP requests (0–10) */
+        connections: {
+            score: number;
+            requestCount: number;
+        };
+        /** CWV risk — estimated Core Web Vitals impact (0–10) */
+        cwvRisk: {
+            score: number;
+            lcpImpactMs: number;
+            clsRisk: boolean;
+            inpRiskLevel: string;
+        };
+    };
+}
+interface ScriptStats {
+    id: string;
+    label: string;
+    category: string;
+    scripts: ScriptSizeDetail[];
+    totalTransferKb: number;
+    totalDecodedKb: number;
+    trackedData: TrackedDataType[];
+    collectsWebVitals: boolean;
+    apis: ScriptApis;
+    privacyRating: PrivacyRating;
+    cookies: ScriptCookie[];
+    network: NetworkSummary;
+    performance: PerformanceSummary;
+    performanceRating: PerformanceRating;
+    cwvEstimate: CwvEstimate;
+    hasBundling: boolean;
+    hasProxy: boolean;
+    proxyDomains: string[];
+    proxyEndpoints: number;
+    privacy: ScriptPrivacy | null;
+    privacyLevel: 'full' | 'partial' | 'none' | 'unknown';
+    loadingMethod: 'cdn' | 'npm' | 'dynamic';
+}
+declare function getScriptStats(): Promise<ScriptStats[]>;
+export { getScriptStats };
+export type { CwvEstimate, NetworkSummary, PerformanceGrade, PerformanceRating, PerformanceSummary, PrivacyGrade, PrivacyRating, ScriptApis, ScriptCookie, ScriptPrivacy, ScriptSizeDetail, ScriptStats, TrackedDataType };