@webjsdev/server 0.8.4 → 0.8.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webjsdev/server",
-  "version": "0.8.4",
+  "version": "0.8.6",
   "type": "module",
   "description": "webjs dev/prod server: SSR, router, API, server actions, live reload",
   "main": "index.js",

package/src/dev.js

@@ -58,7 +58,7 @@ import {
 import { defaultLogger } from './logger.js';
 import { withRequest } from './context.js';
 import { attachWebSocket } from './websocket.js';
-import { scanBareImports, resolveVendorImports, serveDownloadedBundle, clearVendorCache, hasVendorPin, readPinFile } from './vendor.js';
+import { scanBareImports, resolveVendorImports, serveDownloadedBundle, clearVendorCache, hasVendorPin, readPinFile, prunePinToReachable } from './vendor.js';
 import { buildModuleGraph, transitiveDeps, reachableFromEntries, resolveImport } from './module-graph.js';
 import { primeComponentRegistry, findOrphanComponents, scanComponents } from './component-scanner.js';
 import { analyzeElision, elideImportsFromSource } from './component-elision.js';
@@ -282,11 +282,14 @@ export async function createRequestHandler(opts) {
   // platform's traffic and probes are the retry loop. `readyError` holds a
   // propagating analysis failure so /__webjs/ready can report it.
   let analysisDone = false;        // deterministic analysis complete (readiness gate)
-  // A pinned app already resolved + published its vendor map at boot (above), so
-  // the deferred vendor stage is a no-op from the start; an unpinned app starts
-  // false and resolves on the first request.
-  let vendorResolved = bootVendorPinned;      // vendor map fully resolved (or permanently tolerated)
-  let vendorAttemptedOnce = bootVendorPinned; // the first (blocking) vendor attempt has run
+  // A pinned app applied its FULL vendor map and published the build id at boot
+  // (above). The deferred vendor stage still runs once (and after every rebuild)
+  // to PRUNE that map to the elision-reachable specifiers, so a pinned app serves
+  // the same map an unpinned one does (#197); it does not re-publish the build id
+  // (the boot hash stays the deploy fingerprint). An unpinned app starts false and
+  // resolves live on the first request.
+  let vendorResolved = false;      // vendor map fully resolved/pruned (or permanently tolerated)
+  let vendorAttemptedOnce = false; // the first (blocking) vendor attempt has run
   let vendorGen = 0;               // bumped on rebuild; a stale resolve cannot flip vendorResolved
   let readyDone = false;           // mirrors analysisDone; the /__webjs/ready gate
   /** @type {unknown} */
@@ -314,7 +317,7 @@ export async function createRequestHandler(opts) {
     // served build id stays empty (reload-safe), so no navigation hard-reloads.
     if (analysisDone && vendorAttemptedOnce) {
       const gen = vendorGen;
-      resolveAndApplyVendor().then((ok) => { if (ok && gen === vendorGen) { vendorResolved = true; publishBuildId(); } }).catch(() => {});
+      resolveAndApplyVendor().then((ok) => { if (ok && gen === vendorGen) { vendorResolved = true; if (!bootVendorPinned) publishBuildId(); } }).catch(() => {});
       return;
     }
     // Otherwise run the (single-flighted) full warm: the analysis, then the
@@ -372,7 +375,11 @@ export async function createRequestHandler(opts) {
             // the importmap is now authoritatively final, so publish the build
             // id: from here every response advertises the same stable value and
             // the client router's deploy detection works without warmup drift.
-            if (ok && gen === vendorGen) { vendorResolved = true; publishBuildId(); }
+            // A pinned app published the build id at boot (hash of the committed
+            // pin) and the prune only shrinks the served map, so do NOT re-publish
+            // (that would drift the id mid-process). An unpinned app publishes its
+            // now-final live map here.
+            if (ok && gen === vendorGen) { vendorResolved = true; if (!bootVendorPinned) publishBuildId(); }
           }
           // Readiness reflects a FULLY warm instance: the deterministic analysis
           // AND the first vendor attempt have both completed (note: completed,
@@ -423,9 +430,20 @@ export async function createRequestHandler(opts) {
     if (vendorResolveInFlight) return vendorResolveInFlight;
     vendorResolveInFlight = (async () => {
       try {
-        const v = await resolveVendorImports(appDir,
-          () => scanBareImports(appDir, new Set([...state.elidableComponents, ...state.inertRouteModules])));
-        await setVendorEntries(v.imports, v.integrity);
+        const scan = () => scanBareImports(appDir, new Set([...state.elidableComponents, ...state.inertRouteModules]));
+        const v = await resolveVendorImports(appDir, scan);
+        let { imports, integrity } = v;
+        if (bootVendorPinned) {
+          // resolveVendorImports returns a committed pin VERBATIM (it never runs
+          // the scan for a pinned app). Prune it to the elision-reachable
+          // specifiers so a pinned app serves the same map an unpinned one does
+          // (#197): an elided-only dep like dayjs is dropped. One scan; the pin
+          // path skipped it. This runs on the first warm AND after every rebuild,
+          // so the pruned map is the single source of truth.
+          const reachable = await scan();
+          ({ imports, integrity } = prunePinToReachable(imports, integrity, reachable));
+        }
+        await setVendorEntries(imports, integrity);
         return v.ok;
       } catch (e) {
         logger.error?.(`[webjs] vendor resolve failed (will retry on the next request):`, e);
@@ -549,6 +567,16 @@ export async function createRequestHandler(opts) {
         }
         return Response.json({ status: 'ok' }, { headers: noStore });
       }
+      // Framework-internal static assets (the @webjsdev/core runtime, the dev
+      // reload client, downloaded vendor bundles) depend on neither the analysis
+      // nor the vendor importmap, so serve them BEFORE ensureReady(). Otherwise a
+      // cold instance blocks them behind the first vendor resolve (issue #190),
+      // and the core bundle is on every page's boot path, so that stalled first
+      // interactivity site-wide. Matched on the decoded path, like handleCore.
+      let assetPath = probePath;
+      try { assetPath = decodeURIComponent(probePath); } catch { /* keep raw on malformed escape */ }
+      const staticResp = await tryServeFrameworkStatic(assetPath, req.method.toUpperCase(), { coreDir, appDir, dev });
+      if (staticResp) return staticResp;
       // Build all whole-app analysis on the first request (memoized), before
       // any SSR, module serve, gate check, action dispatch, or middleware runs.
       await ensureReady();
@@ -775,23 +803,29 @@ export async function startServer(opts) {
  * @param {Request} req
  * @param {{state: any, appDir: string, coreDir: string, dev: boolean}} ctx
  */
-async function handleCore(req, ctx) {
-  const { state, appDir, coreDir, dev } = ctx;
-  const url = new URL(req.url);
-  // Decode percent-encoded characters so filesystem lookups match real
-  // filenames. Dynamic route segments like `[slug]` and route groups like
-  // `(marketing)` contain chars that browsers percent-encode in URLs
-  // (`%5B`, `%5D`, `%28`, `%29`). Without decoding, the server joins the
-  // encoded path with the app directory → file not found → 404 → no JS
-  // loads → no interactivity.
-  let path;
-  try { path = decodeURIComponent(url.pathname); } catch { path = url.pathname; }
-  const method = req.method.toUpperCase();
-
-  // Health / readiness probes (`/__webjs/health`, `/__webjs/ready`) are handled
-  // in `handle()` BEFORE ensureReady, so they are not repeated here.
+/**
+ * Serve framework-internal static assets that depend on NEITHER the whole-app
+ * analysis NOR the vendor importmap: the `@webjsdev/core` runtime files, the
+ * dev reload client, and (in `--download` pin mode) the committed vendor
+ * bundles. `handle()` calls this BEFORE `ensureReady()`, so a cold instance
+ * returns them immediately instead of blocking on the first vendor resolve
+ * (issue #190). The core bundle is on every page's boot path, so coupling it
+ * to the jspm resolve stalled first interactivity site-wide on a cold instance.
+ *
+ * Like the health / readiness probes (also answered pre-`ensureReady`), these
+ * bypass app middleware. That is correct: they are framework infrastructure the
+ * app needs to function, not app routes, and `state.middleware` is not even
+ * loaded until `ensureReady()` completes.
+ *
+ * @param {string} path decoded pathname
+ * @param {string} method upper-cased HTTP method
+ * @param {{ coreDir: string, appDir: string, dev: boolean }} ctx
+ * @returns {Promise<Response|null>} a Response, or null when path is not one of these assets
+ */
+async function tryServeFrameworkStatic(path, method, ctx) {
+  const { coreDir, appDir, dev } = ctx;
 
-  // Dev live-reload client
+  // Dev live-reload client.
   if (path === '/__webjs/reload.js') {
     if (!dev) return new Response('Not found', { status: 404 });
     return new Response(RELOAD_CLIENT_JS, {
@@ -802,35 +836,38 @@ async function handleCore(req, ctx) {
   // Core module: /__webjs/core/*
   //
   // ETag + ~1h max-age, NOT immutable. The URL path is un-versioned
-  // (`/__webjs/core/src/render-client.js` etc.), so bumping
-  // `@webjsdev/core` ships different bytes at the same URL. An
-  // `immutable` cache-control directive at an edge CDN (Cloudflare,
-  // Vercel, Fly) keeps the prior bytes pinned for up to a year, which
-  // silently bricks the next deploy: browsers load the old client
-  // renderer against a server emitting the new SSR shape, and any
-  // exports added in the bump (e.g., the slot.js entry points landed
+  // (`/__webjs/core/src/render-client.js` etc.), so bumping `@webjsdev/core`
+  // ships different bytes at the same URL. An `immutable` cache-control
+  // directive at an edge CDN (Cloudflare, Vercel, Fly) keeps the prior bytes
+  // pinned for up to a year, which silently bricks the next deploy: browsers
+  // load the old client renderer against a server emitting the new SSR shape,
+  // and any exports added in the bump (e.g., the slot.js entry points landed
   // for 0.6.0) resolve to undefined in the cached file.
   // Regression: 2026-05-20, ui.webjs.dev tier-2 components after
   // @webjsdev/core 0.5.0 -> 0.6.0 republish.
   if (path.startsWith('/__webjs/core/')) {
     const rel = path.slice('/__webjs/core/'.length);
     const abs = resolve(coreDir, rel);
-    if (!abs.startsWith(coreDir)) return new Response('forbidden', { status: 403 });
+    // Trailing-separator boundary check, not a raw string prefix: a raw
+    // `startsWith(coreDir)` would admit a sibling like `@webjsdev/core-evil`,
+    // reachable via an encoded slash (`..%2f`, which survives URL normalization
+    // and then decodes to `../`). Match the public-root branch's guard.
+    if (abs !== coreDir && !abs.startsWith(coreDir + sep)) {
+      return new Response('forbidden', { status: 403 });
+    }
     return fileResponse(abs, { dev, immutable: false });
   }
 
-  // Vendor URL handler for `webjs vendor pin --download` mode only.
-  // In default pin mode (or no-pin mode) the importmap routes bare
-  // imports straight to ga.jspm.io URLs and the browser bypasses this
-  // server entirely. When the user ran `webjs vendor pin --download`,
-  // the importmap has local `/__webjs/vendor/<file>.js` URLs and this
-  // handler serves the committed bundle files from `.webjs/vendor/`.
+  // Vendor URL handler for `webjs vendor pin --download` mode only. In default
+  // pin mode (or no-pin mode) the importmap routes bare imports straight to
+  // ga.jspm.io URLs and the browser bypasses this server entirely. When the
+  // user ran `webjs vendor pin --download`, the importmap has local
+  // `/__webjs/vendor/<file>.js` URLs and this serves the committed bundle files
+  // from `.webjs/vendor/`. These are read-only static content: allow GET/HEAD
+  // for the normal fetch, OPTIONS for any cross-origin preflight (204 with the
+  // same Allow header rather than 405, which some intermediaries treat as a
+  // hard failure even for a CORS probe), and 405 everything else.
   if (path.startsWith('/__webjs/vendor/') && path.endsWith('.js')) {
-    // Vendor bundles are read-only static content. Allow GET/HEAD for
-    // the normal fetch, OPTIONS for any cross-origin preflight (we
-    // return 204 with the same Allow header rather than 405, which
-    // some intermediaries treat as a hard failure even for a CORS
-    // probe), and 405 everything else.
     if (method === 'OPTIONS') {
       return new Response(null, { status: 204, headers: { allow: 'GET, HEAD, OPTIONS' } });
     }
@@ -846,6 +883,31 @@ async function handleCore(req, ctx) {
     return resp;
   }
 
+  return null;
+}
+
+async function handleCore(req, ctx) {
+  const { state, appDir, coreDir, dev } = ctx;
+  const url = new URL(req.url);
+  // Decode percent-encoded characters so filesystem lookups match real
+  // filenames. Dynamic route segments like `[slug]` and route groups like
+  // `(marketing)` contain chars that browsers percent-encode in URLs
+  // (`%5B`, `%5D`, `%28`, `%29`). Without decoding, the server joins the
+  // encoded path with the app directory → file not found → 404 → no JS
+  // loads → no interactivity.
+  let path;
+  try { path = decodeURIComponent(url.pathname); } catch { path = url.pathname; }
+  const method = req.method.toUpperCase();
+
+  // Health / readiness probes (`/__webjs/health`, `/__webjs/ready`) and the
+  // framework-internal static assets (`/__webjs/core/*`, `/__webjs/reload.js`,
+  // downloaded `/__webjs/vendor/*`) are served in `handle()` BEFORE ensureReady,
+  // so they are not repeated here. This fallback covers the (currently
+  // unreachable) case of handleCore being entered for one of those assets, so
+  // the routing stays correct if a future caller bypasses the early path.
+  const frameworkStatic = await tryServeFrameworkStatic(path, method, { coreDir, appDir, dev });
+  if (frameworkStatic) return frameworkStatic;
+
   // Internal server-action RPC endpoint
   const actMatch = /^\/__webjs\/action\/([a-f0-9]+)\/([A-Za-z0-9_$]+)$/.exec(path);
   if (actMatch) {

package/src/vendor.js

@@ -1308,6 +1308,55 @@ function maxSemverVersion(versions) {
  *   on the unpinned path (so a pinned app never pays the whole-app walk).
  * @returns {Promise<{ imports: Record<string, string>, integrity: Record<string, string> }>}
  */
+/**
+ * Base package of a bare specifier: `dayjs` -> `dayjs`,
+ * `dayjs/plugin/utc` -> `dayjs`, `@scope/pkg/sub` -> `@scope/pkg`.
+ *
+ * @param {string} spec
+ * @returns {string}
+ */
+function basePackage(spec) {
+  const parts = spec.split('/');
+  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
+}
+
+/**
+ * Prune a pinned import map to the vendor specifiers still reachable from
+ * NON-elided modules. A committed pin is the whole map, but elision can make
+ * a pinned package unreachable (its only importer is a display-only component
+ * that ships no JS, e.g. dayjs via the blog's vendor-badge). The live-resolve
+ * path prunes such a package by excluding elided components from the bare-
+ * import scan; this brings the pinned path to the same result, so a pinned app
+ * and an unpinned app serve the same import map (issue #197).
+ *
+ * Keeps an entry when its specifier is reachable, OR when its base package is
+ * the base of any reachable specifier (so a pinned base entry `dayjs` survives
+ * when code imports `dayjs/plugin/utc`, and vice versa). Integrity hashes for
+ * dropped URLs are pruned too.
+ *
+ * @param {Record<string, string>} imports  pin entries (specifier -> URL)
+ * @param {Record<string, string>} integrity  SRI hashes keyed by URL
+ * @param {Set<string>} reachable  bare specifiers used by non-elided modules
+ * @returns {{ imports: Record<string, string>, integrity: Record<string, string> }}
+ */
+export function prunePinToReachable(imports, integrity, reachable) {
+  const reachableBases = new Set([...reachable].map(basePackage));
+  /** @type {Record<string, string>} */
+  const keptImports = {};
+  for (const [spec, url] of Object.entries(imports || {})) {
+    if (reachable.has(spec) || reachableBases.has(basePackage(spec))) {
+      keptImports[spec] = url;
+    }
+  }
+  const keptUrls = new Set(Object.values(keptImports));
+  /** @type {Record<string, string>} */
+  const keptIntegrity = {};
+  for (const [url, hash] of Object.entries(integrity || {})) {
+    if (keptUrls.has(url)) keptIntegrity[url] = hash;
+  }
+  return { imports: keptImports, integrity: keptIntegrity };
+}
+
 export async function resolveVendorImports(appDir, getBareImports) {
   const file = await readPinFile(appDir);
   // A committed pin file IS the import map. The whole-app bare-import scan is