@secure-exec/core 0.1.0-rc.1 → 0.1.0-rc.3

package/dist/bridge/active-handles.d.ts

@@ -1,5 +1,6 @@
 /**
  * Register an active handle that keeps the sandbox alive.
+ * Throws if the handle cap (_maxHandles) would be exceeded.
  * @param id Unique identifier for the handle
  * @param description Human-readable description for debugging
  */

package/dist/bridge/active-handles.js

@@ -1,24 +1,19 @@
 import { exposeCustomGlobal } from "../shared/global-exposure.js";
-/**
- * Active Handles: Mechanism to keep the sandbox alive for async operations.
- *
- * isolated-vm doesn't have an event loop, so async callbacks (like child process
- * events) would never fire because the sandbox exits immediately after synchronous
- * code finishes. This module tracks active handles and provides a promise that
- * resolves when all handles complete.
- *
- * See: docs-internal/node/ACTIVE_HANDLES.md
- */
 // Map of active handles: id -> description (for debugging)
 const _activeHandles = new Map();
 // Resolvers waiting for all handles to complete
 let _waitResolvers = [];
 /**
  * Register an active handle that keeps the sandbox alive.
+ * Throws if the handle cap (_maxHandles) would be exceeded.
  * @param id Unique identifier for the handle
  * @param description Human-readable description for debugging
  */
 export function _registerHandle(id, description) {
+    // Enforce handle cap (skip check for re-registration of existing handle)
+    if (typeof _maxHandles !== "undefined" && !_activeHandles.has(id) && _activeHandles.size >= _maxHandles) {
+        throw new Error("ERR_RESOURCE_BUDGET_EXCEEDED: maximum active handles exceeded");
+    }
     _activeHandles.set(id, description);
 }
 /**

package/dist/bridge/child-process.d.ts

@@ -12,11 +12,15 @@ interface OutputStreamStub {
     readable: boolean;
     _listeners: Record<string, EventListener[]>;
     _onceListeners: Record<string, EventListener[]>;
+    _maxListeners: number;
+    _maxListenersWarned: Set<string>;
     on(event: string, listener: EventListener): OutputStreamStub;
     once(event: string, listener: EventListener): OutputStreamStub;
     emit(event: string, ...args: unknown[]): boolean;
     read(): null;
     setEncoding(): OutputStreamStub;
+    setMaxListeners(n: number): OutputStreamStub;
+    getMaxListeners(): number;
     pipe<T extends NodeJS.WritableStream>(dest: T): T;
 }
 /**
@@ -27,6 +31,8 @@ interface OutputStreamStub {
 declare class ChildProcess {
     private _listeners;
     private _onceListeners;
+    private _maxListeners;
+    private _maxListenersWarned;
     pid: number;
     killed: boolean;
     exitCode: number | null;
@@ -43,6 +49,9 @@ declare class ChildProcess {
     once(event: string, listener: EventListener): this;
     off(event: string, listener: EventListener): this;
     removeListener(event: string, listener: EventListener): this;
+    setMaxListeners(n: number): this;
+    getMaxListeners(): number;
+    private _checkMaxListeners;
     emit(event: string, ...args: unknown[]): boolean;
     kill(_signal?: NodeJS.Signals | number): boolean;
     ref(): this;

package/dist/bridge/child-process.js

@@ -38,6 +38,21 @@ const childProcessDispatch = (sessionId, type, data) => {
     }
 };
 exposeCustomGlobal("_childProcessDispatch", childProcessDispatch);
+/** Warn when listener count exceeds max (Node.js: warn, don't crash) */
+function checkStreamMaxListeners(stream, event) {
+    if (stream._maxListeners > 0 && !stream._maxListenersWarned.has(event)) {
+        const total = (stream._listeners[event]?.length ?? 0) + (stream._onceListeners[event]?.length ?? 0);
+        if (total > stream._maxListeners) {
+            stream._maxListenersWarned.add(event);
+            const warning = `MaxListenersExceededWarning: Possible EventEmitter memory leak detected. ${total} ${event} listeners added. MaxListeners is ${stream._maxListeners}. Use emitter.setMaxListeners() to increase limit`;
+            if (typeof console !== "undefined" && console.error) {
+                console.error(warning);
+            }
+        }
+    }
+}
+// Monotonic counter for unique ChildProcess PIDs
+let _nextChildPid = 1000;
 /**
  * Polyfill of Node.js `ChildProcess`. Provides event-emitting stdin/stdout/stderr
  * streams. In streaming mode, data arrives via the `_childProcessDispatch` global
@@ -46,7 +61,9 @@ exposeCustomGlobal("_childProcessDispatch", childProcessDispatch);
 class ChildProcess {
     _listeners = {};
     _onceListeners = {};
-    pid = Math.floor(Math.random() * 10000) + 1000;
+    _maxListeners = 10;
+    _maxListenersWarned = new Set();
+    pid = _nextChildPid++;
     killed = false;
     exitCode = null;
     signalCode = null;
@@ -82,16 +99,20 @@ class ChildProcess {
             readable: true,
             _listeners: {},
             _onceListeners: {},
+            _maxListeners: 10,
+            _maxListenersWarned: new Set(),
             on(event, listener) {
                 if (!this._listeners[event])
                     this._listeners[event] = [];
                 this._listeners[event].push(listener);
+                checkStreamMaxListeners(this, event);
                 return this;
             },
             once(event, listener) {
                 if (!this._onceListeners[event])
                     this._onceListeners[event] = [];
                 this._onceListeners[event].push(listener);
+                checkStreamMaxListeners(this, event);
                 return this;
             },
             emit(event, ...args) {
@@ -110,6 +131,13 @@ class ChildProcess {
             setEncoding() {
                 return this;
             },
+            setMaxListeners(n) {
+                this._maxListeners = n;
+                return this;
+            },
+            getMaxListeners() {
+                return this._maxListeners;
+            },
             pipe(dest) {
                 return dest;
             },
@@ -119,16 +147,20 @@ class ChildProcess {
             readable: true,
             _listeners: {},
             _onceListeners: {},
+            _maxListeners: 10,
+            _maxListenersWarned: new Set(),
             on(event, listener) {
                 if (!this._listeners[event])
                     this._listeners[event] = [];
                 this._listeners[event].push(listener);
+                checkStreamMaxListeners(this, event);
                 return this;
             },
             once(event, listener) {
                 if (!this._onceListeners[event])
                     this._onceListeners[event] = [];
                 this._onceListeners[event].push(listener);
+                checkStreamMaxListeners(this, event);
                 return this;
             },
             emit(event, ...args) {
@@ -147,6 +179,13 @@ class ChildProcess {
             setEncoding() {
                 return this;
             },
+            setMaxListeners(n) {
+                this._maxListeners = n;
+                return this;
+            },
+            getMaxListeners() {
+                return this._maxListeners;
+            },
             pipe(dest) {
                 return dest;
             },
@@ -157,12 +196,14 @@ class ChildProcess {
         if (!this._listeners[event])
             this._listeners[event] = [];
         this._listeners[event].push(listener);
+        this._checkMaxListeners(event);
         return this;
     }
     once(event, listener) {
         if (!this._onceListeners[event])
             this._onceListeners[event] = [];
         this._onceListeners[event].push(listener);
+        this._checkMaxListeners(event);
         return this;
     }
     off(event, listener) {
@@ -176,6 +217,25 @@ class ChildProcess {
     removeListener(event, listener) {
         return this.off(event, listener);
     }
+    setMaxListeners(n) {
+        this._maxListeners = n;
+        return this;
+    }
+    getMaxListeners() {
+        return this._maxListeners;
+    }
+    _checkMaxListeners(event) {
+        if (this._maxListeners > 0 && !this._maxListenersWarned.has(event)) {
+            const total = (this._listeners[event]?.length ?? 0) + (this._onceListeners[event]?.length ?? 0);
+            if (total > this._maxListeners) {
+                this._maxListenersWarned.add(event);
+                const warning = `MaxListenersExceededWarning: Possible EventEmitter memory leak detected. ${total} ${event} listeners added to [ChildProcess]. MaxListeners is ${this._maxListeners}. Use emitter.setMaxListeners() to increase limit`;
+                if (typeof console !== "undefined" && console.error) {
+                    console.error(warning);
+                }
+            }
+        }
+    }
     emit(event, ...args) {
         let handled = false;
         if (this._listeners[event]) {
@@ -248,19 +308,23 @@ function exec(command, options, callback) {
     let stderrBytes = 0;
     let maxBufferExceeded = false;
     child.stdout.on("data", (data) => {
+        if (maxBufferExceeded)
+            return;
         const chunk = String(data);
         stdout += chunk;
         stdoutBytes += chunk.length;
-        if (stdoutBytes > maxBuffer && !maxBufferExceeded) {
+        if (stdoutBytes > maxBuffer) {
             maxBufferExceeded = true;
             child.kill("SIGTERM");
         }
     });
     child.stderr.on("data", (data) => {
+        if (maxBufferExceeded)
+            return;
         const chunk = String(data);
         stderr += chunk;
         stderrBytes += chunk.length;
-        if (stderrBytes > maxBuffer && !maxBufferExceeded) {
+        if (stderrBytes > maxBuffer) {
             maxBufferExceeded = true;
             child.kill("SIGTERM");
         }
@@ -422,7 +486,7 @@ function spawnSync(command, args, options) {
     }
     if (typeof _childProcessSpawnSync === "undefined") {
         return {
-            pid: 0,
+            pid: _nextChildPid++,
             output: [null, "", "child_process.spawnSync requires CommandExecutor to be configured"],
             stdout: "",
             stderr: "child_process.spawnSync requires CommandExecutor to be configured",
@@ -450,7 +514,7 @@ function spawnSync(command, args, options) {
             const err = new Error("stdout maxBuffer length exceeded");
             err.code = "ERR_CHILD_PROCESS_STDIO_MAXBUFFER";
             return {
-                pid: Math.floor(Math.random() * 10000) + 1000,
+                pid: _nextChildPid++,
                 output: [null, stdoutBuf, stderrBuf],
                 stdout: stdoutBuf,
                 stderr: stderrBuf,
@@ -460,7 +524,7 @@ function spawnSync(command, args, options) {
             };
         }
         return {
-            pid: Math.floor(Math.random() * 10000) + 1000,
+            pid: _nextChildPid++,
             output: [null, stdoutBuf, stderrBuf],
             stdout: stdoutBuf,
             stderr: stderrBuf,
@@ -473,7 +537,7 @@ function spawnSync(command, args, options) {
         const errMsg = err instanceof Error ? err.message : String(err);
         const stderrBuf = typeof Buffer !== "undefined" ? Buffer.from(errMsg) : errMsg;
         return {
-            pid: 0,
+            pid: _nextChildPid++,
             output: [null, "", stderrBuf],
             stdout: typeof Buffer !== "undefined" ? Buffer.from("") : "",
             stderr: stderrBuf,

package/dist/bridge/fs.js

@@ -2,7 +2,8 @@
 // This module runs inside the isolate and provides Node.js fs API compatibility
 // It communicates with the host via the _fs Reference object
 import { Buffer } from "buffer";
-// File descriptor table
+// File descriptor table — capped to prevent resource exhaustion
+const MAX_BRIDGE_FDS = 1024;
 const fdTable = new Map();
 let nextFd = 3;
 const O_RDONLY = 0;
@@ -387,6 +388,7 @@ class ReadStream {
 }
 // WriteStream class for createWriteStream
 // This provides a type-safe implementation that satisfies nodeFs.WriteStream
+const MAX_WRITE_STREAM_BYTES = 16 * 1024 * 1024; // 16MB cap to prevent memory exhaustion
 // We use 'as' assertion at the return site since the full interface is complex
 class WriteStream {
     // WriteStream-specific properties
@@ -452,6 +454,18 @@ class WriteStream {
         else {
             data = Buffer.from(String(chunk));
         }
+        // Cap buffered data to prevent memory exhaustion
+        if (this.writableLength + data.length > MAX_WRITE_STREAM_BYTES) {
+            const err = new Error(`WriteStream buffer exceeded ${MAX_WRITE_STREAM_BYTES} bytes`);
+            this.errored = err;
+            this.destroyed = true;
+            this.writable = false;
+            const cb = typeof encodingOrCallback === "function" ? encodingOrCallback : callback;
+            if (cb)
+                Promise.resolve().then(() => cb(err));
+            Promise.resolve().then(() => this.emit("error", err));
+            return false;
+        }
         this._chunks.push(data);
         this.bytesWritten += data.length;
         this.writableLength += data.length;
@@ -674,7 +688,7 @@ function canWrite(flags) {
 function createFsError(code, message, syscall, path) {
     const err = new Error(message);
     err.code = code;
-    err.errno = code === "ENOENT" ? -2 : code === "EACCES" ? -13 : code === "EBADF" ? -9 : -1;
+    err.errno = code === "ENOENT" ? -2 : code === "EACCES" ? -13 : code === "EBADF" ? -9 : code === "EMFILE" ? -24 : -1;
     err.syscall = syscall;
     if (path)
         err.path = path;
@@ -775,10 +789,13 @@ function _globGetBase(pattern) {
 }
 // Recursively walk VFS directory and collect matching paths
 // We use a reference to `fs` via late-binding in the fs object method
+const MAX_GLOB_DEPTH = 100; // Prevent stack overflow on deeply nested trees
 function _globCollect(pattern, results) {
     const regex = _globToRegex(pattern);
     const base = _globGetBase(pattern);
-    const walk = (dir) => {
+    const walk = (dir, depth) => {
+        if (depth > MAX_GLOB_DEPTH)
+            return;
         let entries;
         try {
             entries = _globReadDir(dir);
@@ -796,7 +813,7 @@ function _globCollect(pattern, results) {
             try {
                 const stat = _globStat(fullPath);
                 if (stat.isDirectory()) {
-                    walk(fullPath);
+                    walk(fullPath, depth + 1);
                 }
             }
             catch {
@@ -814,7 +831,7 @@ function _globCollect(pattern, results) {
                 return;
             }
         }
-        walk(base);
+        walk(base, 0);
     }
     catch {
         // Base doesn't exist — no matches
@@ -1123,6 +1140,10 @@ const fs = {
     },
     // File descriptor methods
     openSync(path, flags, _mode) {
+        // Enforce bridge-side FD limit
+        if (fdTable.size >= MAX_BRIDGE_FDS) {
+            throw createFsError("EMFILE", "EMFILE: too many open files, open '" + toPathString(path) + "'", "open", toPathString(path));
+        }
         const rawPath = toPathString(path);
         const pathStr = rawPath;
         const numFlags = parseFlags(flags);
@@ -1984,15 +2005,78 @@ const fs = {
         }
     },
     realpathSync: Object.assign(function realpathSync(path) {
-        // In our virtual fs, just normalize the path (keep /data prefix for consistency)
-        return toPathString(path)
-            .replace(/\/\/+/g, "/")
-            .replace(/\/$/, "") || "/";
+        // Resolve symlinks by walking each path component via lstat + readlink
+        const MAX_SYMLINK_DEPTH = 40;
+        let symlinksFollowed = 0;
+        const raw = toPathString(path);
+        // Build initial queue: normalize . and .. segments
+        const pending = [];
+        for (const seg of raw.split("/")) {
+            if (!seg || seg === ".")
+                continue;
+            if (seg === "..") {
+                if (pending.length > 0)
+                    pending.pop();
+            }
+            else
+                pending.push(seg);
+        }
+        // Walk each component, resolving symlinks via a queue
+        const resolved = [];
+        while (pending.length > 0) {
+            const seg = pending.shift();
+            if (seg === ".")
+                continue;
+            if (seg === "..") {
+                if (resolved.length > 0)
+                    resolved.pop();
+                continue;
+            }
+            resolved.push(seg);
+            const currentPath = "/" + resolved.join("/");
+            try {
+                const stat = fs.lstatSync(currentPath);
+                if (stat.isSymbolicLink()) {
+                    if (++symlinksFollowed > MAX_SYMLINK_DEPTH) {
+                        const err = new Error(`ELOOP: too many levels of symbolic links, realpath '${raw}'`);
+                        err.code = "ELOOP";
+                        err.syscall = "realpath";
+                        err.path = raw;
+                        throw err;
+                    }
+                    const target = fs.readlinkSync(currentPath);
+                    // Prepend target segments to pending for re-resolution
+                    const targetSegs = target.split("/").filter(Boolean);
+                    if (target.startsWith("/")) {
+                        // Absolute symlink — restart from root
+                        resolved.length = 0;
+                    }
+                    else {
+                        // Relative symlink — drop current component
+                        resolved.pop();
+                    }
+                    // Prepend target segments so they're processed next
+                    pending.unshift(...targetSegs);
+                }
+            }
+            catch (e) {
+                const err = e;
+                if (err.code === "ELOOP")
+                    throw e;
+                if (err.code === "ENOENT" || err.code === "ENOTDIR") {
+                    const enoent = new Error(`ENOENT: no such file or directory, realpath '${raw}'`);
+                    enoent.code = "ENOENT";
+                    enoent.syscall = "realpath";
+                    enoent.path = raw;
+                    throw enoent;
+                }
+                break;
+            }
+        }
+        return "/" + resolved.join("/") || "/";
     }, {
         native(path) {
-            return toPathString(path)
-                .replace(/\/\/+/g, "/")
-                .replace(/\/$/, "") || "/";
+            return fs.realpathSync(path);
         }
     }),
     realpath: Object.assign(function realpath(path, callback) {

package/dist/bridge/network.js

@@ -1392,15 +1392,15 @@ exposeCustomGlobal("_httpsModule", https);
 exposeCustomGlobal("_http2Module", http2);
 exposeCustomGlobal("_dnsModule", dns);
 exposeCustomGlobal("_httpServerDispatch", dispatchServerRequest);
-// Make fetch API available globally
-globalThis.fetch = fetch;
-globalThis.Headers = Headers;
-globalThis.Request = Request;
-globalThis.Response = Response;
+// Harden fetch API globals (non-writable, non-configurable)
+exposeCustomGlobal("fetch", fetch);
+exposeCustomGlobal("Headers", Headers);
+exposeCustomGlobal("Request", Request);
+exposeCustomGlobal("Response", Response);
 if (typeof globalThis.Blob === "undefined") {
     // Minimal Blob stub used by server frameworks for instanceof checks.
-    globalThis.Blob = class BlobStub {
-    };
+    exposeCustomGlobal("Blob", class BlobStub {
+    });
 }
 export default {
     fetch,

package/dist/bridge/process.js

@@ -85,14 +85,47 @@ export class ProcessExitError extends Error {
 }
 // Make available globally
 exposeCustomGlobal("ProcessExitError", ProcessExitError);
+// Signal name → number mapping (POSIX standard)
+const _signalNumbers = {
+    SIGHUP: 1, SIGINT: 2, SIGQUIT: 3, SIGILL: 4, SIGTRAP: 5, SIGABRT: 6,
+    SIGBUS: 7, SIGFPE: 8, SIGKILL: 9, SIGUSR1: 10, SIGSEGV: 11, SIGUSR2: 12,
+    SIGPIPE: 13, SIGALRM: 14, SIGTERM: 15, SIGCHLD: 17, SIGCONT: 18,
+    SIGSTOP: 19, SIGTSTP: 20, SIGTTIN: 21, SIGTTOU: 22, SIGURG: 23,
+    SIGXCPU: 24, SIGXFSZ: 25, SIGVTALRM: 26, SIGPROF: 27, SIGWINCH: 28,
+    SIGIO: 29, SIGPWR: 30, SIGSYS: 31,
+};
+function _resolveSignal(signal) {
+    if (signal === undefined || signal === null)
+        return 15; // default SIGTERM
+    if (typeof signal === "number")
+        return signal;
+    const num = _signalNumbers[signal];
+    if (num !== undefined)
+        return num;
+    throw new Error("Unknown signal: " + signal);
+}
 const _processListeners = {};
 const _processOnceListeners = {};
+let _processMaxListeners = 10;
+const _processMaxListenersWarned = new Set();
 function _addListener(event, listener, once = false) {
     const target = once ? _processOnceListeners : _processListeners;
     if (!target[event]) {
         target[event] = [];
     }
     target[event].push(listener);
+    // Warn when exceeding maxListeners (Node.js behavior: warn, don't crash)
+    if (_processMaxListeners > 0 && !_processMaxListenersWarned.has(event)) {
+        const total = (_processListeners[event]?.length ?? 0) + (_processOnceListeners[event]?.length ?? 0);
+        if (total > _processMaxListeners) {
+            _processMaxListenersWarned.add(event);
+            const warning = `MaxListenersExceededWarning: Possible EventEmitter memory leak detected. ${total} ${event} listeners added to [process]. MaxListeners is ${_processMaxListeners}. Use emitter.setMaxListeners() to increase limit`;
+            // Use console.error to emit warning without recursion risk
+            if (typeof _error !== "undefined") {
+                _error.applySync(undefined, [warning]);
+            }
+        }
+    }
     return process;
 }
 function _removeListener(event, listener) {
@@ -385,6 +418,28 @@ const process = {
         return _cwd;
     },
     chdir(dir) {
+        // Validate directory exists in VFS before setting cwd
+        let statJson;
+        try {
+            statJson = _fs.stat.applySyncPromise(undefined, [dir]);
+        }
+        catch {
+            const err = new Error(`ENOENT: no such file or directory, chdir '${dir}'`);
+            err.code = "ENOENT";
+            err.errno = -2;
+            err.syscall = "chdir";
+            err.path = dir;
+            throw err;
+        }
+        const parsed = JSON.parse(statJson);
+        if (!parsed.isDirectory) {
+            const err = new Error(`ENOTDIR: not a directory, chdir '${dir}'`);
+            err.code = "ENOTDIR";
+            err.errno = -20;
+            err.syscall = "chdir";
+            err.path = dir;
+            throw err;
+        }
         _cwd = dir;
     },
     get exitCode() {
@@ -499,11 +554,10 @@ const process = {
             err.syscall = "kill";
             throw err;
         }
-        // Self-kill - treat as exit
-        if (!signal || signal === "SIGTERM" || signal === 15) {
-            process.exit(143);
-        }
-        return true;
+        // Resolve signal name to number (default SIGTERM)
+        const sigNum = _resolveSignal(signal);
+        // Self-kill - exit with 128 + signal number (POSIX convention)
+        return process.exit(128 + sigNum);
     },
     // EventEmitter methods
     on(event, listener) {
@@ -566,11 +620,12 @@ const process = {
             ]),
         ];
     },
-    setMaxListeners() {
+    setMaxListeners(n) {
+        _processMaxListeners = n;
         return process;
     },
     getMaxListeners() {
-        return 10;
+        return _processMaxListeners;
     },
     rawListeners(event) {
         return process.listeners(event);
@@ -588,33 +643,11 @@ const process = {
         const msg = typeof warning === "string" ? warning : warning.message;
         _emit("warning", { message: msg, name: "Warning" });
     },
-    binding(name) {
-        // Return stub implementations for common bindings
-        const stubs = {
-            fs: {},
-            buffer: {
-                Buffer: globalThis.Buffer,
-                constants: BUFFER_CONSTANTS,
-                kMaxLength: BUFFER_MAX_LENGTH,
-                kStringMaxLength: BUFFER_MAX_STRING_LENGTH,
-            },
-            process_wrap: {},
-            natives: {},
-            config: {},
-            uv: { UV_UDP_REUSEADDR: 4 },
-            constants: {
-                MAX_LENGTH: BUFFER_MAX_LENGTH,
-                MAX_STRING_LENGTH: BUFFER_MAX_STRING_LENGTH,
-                buffer: BUFFER_CONSTANTS,
-            },
-            crypto: {},
-            string_decoder: {},
-            os: {},
-        };
-        return stubs[name] || {};
+    binding(_name) {
+        throw new Error("process.binding is not supported in sandbox");
     },
-    _linkedBinding(name) {
-        return process.binding(name);
+    _linkedBinding(_name) {
+        throw new Error("process._linkedBinding is not supported in sandbox");
     },
     dlopen() {
         throw new Error("process.dlopen is not supported");
@@ -757,7 +790,8 @@ export function setInterval(callback, delay, ...args) {
     const id = ++_timerId;
     const handle = new TimerHandle(id);
     _intervals.set(id, handle);
-    const actualDelay = delay ?? 0;
+    // Enforce minimum 1ms delay to prevent microtask CPU spin
+    const actualDelay = Math.max(1, delay ?? 0);
     // Schedule interval execution
     const scheduleNext = () => {
         if (!_intervals.has(id))
@@ -831,6 +865,10 @@ export const cryptoPolyfill = {
         if (typeof _cryptoRandomFill === "undefined") {
             throwUnsupportedCryptoApi("getRandomValues");
         }
+        // Web Crypto API spec caps getRandomValues at 65536 bytes.
+        if (array.byteLength > 65536) {
+            throw new RangeError(`The ArrayBufferView's byte length (${array.byteLength}) exceeds the number of bytes of entropy available via this API (65536)`);
+        }
         const bytes = new Uint8Array(array.buffer, array.byteOffset, array.byteLength);
         try {
             const base64 = _cryptoRandomFill.applySync(undefined, [bytes.byteLength]);