@webjsdev/server 0.8.2 → 0.8.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/check.js +12 -0
- package/src/module-graph.js +26 -0
package/package.json
CHANGED
package/src/check.js
CHANGED
|
@@ -957,6 +957,17 @@ export async function checkConventions(appDir, opts) {
|
|
|
957
957
|
const hasGitignore = await pathExists(join(appDir, '.gitignore'));
|
|
958
958
|
if (hasGit && hasGitignore) {
|
|
959
959
|
const { spawnSync } = await import('node:child_process');
|
|
960
|
+
// Strip inherited git env vars so `cwd` is the sole authority on
|
|
961
|
+
// which repo `git check-ignore` consults. Git exports GIT_DIR /
|
|
962
|
+
// GIT_WORK_TREE / GIT_INDEX_FILE / GIT_PREFIX into hook processes
|
|
963
|
+
// (notably a pre-commit hook run from a linked worktree exports
|
|
964
|
+
// GIT_WORK_TREE), and those OVERRIDE cwd-based discovery, so
|
|
965
|
+
// without this the probe would consult the outer repo instead of
|
|
966
|
+
// `appDir`. See the gitignore-vendor-not-ignored regression test.
|
|
967
|
+
const {
|
|
968
|
+
GIT_DIR: _gd, GIT_WORK_TREE: _gwt, GIT_INDEX_FILE: _gif, GIT_PREFIX: _gp,
|
|
969
|
+
...gitEnv
|
|
970
|
+
} = process.env;
|
|
960
971
|
// Check two representative paths: the pin manifest AND a sample
|
|
961
972
|
// downloaded bundle. A `.gitignore` that allows the manifest
|
|
962
973
|
// but blocks bundles (e.g. `*.js` higher up) would still break
|
|
@@ -970,6 +981,7 @@ export async function checkConventions(appDir, opts) {
|
|
|
970
981
|
const result = spawnSync('git', ['check-ignore', '-q', probe], {
|
|
971
982
|
cwd: appDir,
|
|
972
983
|
stdio: 'pipe',
|
|
984
|
+
env: gitEnv,
|
|
973
985
|
});
|
|
974
986
|
if (result.status === 0) {
|
|
975
987
|
violations.push({
|
package/src/module-graph.js
CHANGED
|
@@ -14,6 +14,7 @@
|
|
|
14
14
|
import { readFile, readdir, stat } from 'node:fs/promises';
|
|
15
15
|
import { existsSync } from 'node:fs';
|
|
16
16
|
import { join, resolve, dirname, extname, sep } from 'node:path';
|
|
17
|
+
import { redactStringsAndTemplates } from './js-scan.js';
|
|
17
18
|
|
|
18
19
|
/** @type {RegExp} match static `import … from '…'` and `import '…'` */
|
|
19
20
|
const IMPORT_RE = /\bimport\s+(?:(?:[\w*{}\s,]+)\s+from\s+)?['"]([^'"]+)['"]/g;
|
|
@@ -104,6 +105,17 @@ export function transitiveDeps(graph, entryFiles, appDir, skip) {
|
|
|
104
105
|
if (dep.startsWith(appDir)) {
|
|
105
106
|
result.push(dep);
|
|
106
107
|
}
|
|
108
|
+
// Stop at server-file boundaries, exactly like reachableFromEntries
|
|
109
|
+
// (the authorization gate). The browser fetches a `.server.*` URL as
|
|
110
|
+
// an RPC or throw-at-load stub, never its source, so the server
|
|
111
|
+
// file's own imports are never fetched. Following them would emit
|
|
112
|
+
// modulepreload hints for server-only modules that the gate then
|
|
113
|
+
// 404s (a preload set wider than the servable set). The `.server.*`
|
|
114
|
+
// file itself stays in the result; the preload emitter filters it via
|
|
115
|
+
// the server-file index. A file imported through BOTH a server file
|
|
116
|
+
// and a real client path is still reached via the client path, so it
|
|
117
|
+
// is not wrongly dropped.
|
|
118
|
+
if (SERVER_FILE_RE.test(dep)) continue;
|
|
107
119
|
queue.push(dep);
|
|
108
120
|
}
|
|
109
121
|
}
|
|
@@ -247,9 +259,23 @@ async function parseFile(file, appDir, graph, seen) {
|
|
|
247
259
|
try { src = await readFile(file, 'utf8'); }
|
|
248
260
|
catch { return; }
|
|
249
261
|
|
|
262
|
+
// Mask of `src` with all string / template-literal / comment / regex
|
|
263
|
+
// CONTENT blanked to spaces (positions preserved). Used to reject an
|
|
264
|
+
// `import '…'` / `export … from '…'` that appears as TEXT inside a
|
|
265
|
+
// template literal (e.g. example code shown in a `<pre>` inside an
|
|
266
|
+
// `html\`\`` template, as the docs site does) rather than as a real
|
|
267
|
+
// statement. We still read the specifier from the RAW `src` (the
|
|
268
|
+
// specifier is itself a string, blanked in the mask), and only consult
|
|
269
|
+
// the mask to confirm the `import` / `export` KEYWORD survived
|
|
270
|
+
// redaction, i.e. sits in code position and not inside a literal.
|
|
271
|
+
const masked = redactStringsAndTemplates(src);
|
|
250
272
|
const deps = new Set();
|
|
251
273
|
for (const re of [IMPORT_RE, EXPORT_FROM_RE]) {
|
|
252
274
|
for (const m of src.matchAll(re)) {
|
|
275
|
+
// m.index is the keyword start (`\bimport` / `\bexport`). If that
|
|
276
|
+
// position is blanked in the mask, the match lives inside a literal
|
|
277
|
+
// and is not a real import edge.
|
|
278
|
+
if (masked[m.index] === ' ') continue;
|
|
253
279
|
const spec = m[1];
|
|
254
280
|
// Only resolve relative imports within the project.
|
|
255
281
|
if (!spec.startsWith('.') && !spec.startsWith('/')) continue;
|