veryfront 0.1.1009 → 0.1.1010

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/esm/deno.js CHANGED
@@ -1,6 +1,6 @@
1
1
  export default {
2
2
  "name": "veryfront",
3
- "version": "0.1.1009",
3
+ "version": "0.1.1010",
4
4
  "license": "Apache-2.0",
5
5
  "nodeModulesDir": "auto",
6
6
  "minimumDependencyAge": {
@@ -1 +1 @@
1
- {"version":3,"file":"esbuild-plugin.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/esbuild-plugin.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,sCAAsC,CAAC;AAO5E,UAAU,iBAAiB;IACzB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA8GD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,MAAM,EAAE,GAAG,MAAM,CA6Q9E"}
1
+ {"version":3,"file":"esbuild-plugin.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/esbuild-plugin.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,sCAAsC,CAAC;AAQ5E,UAAU,iBAAiB;IACzB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA8GD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,MAAM,EAAE,GAAG,MAAM,CAsR9E"}
@@ -2,6 +2,7 @@ import * as dntShim from "../../../../_dnt.shims.js";
2
2
  import { computeHash, computeIntegrity, createLockfileManager, HTTP_MODULE_FETCH_TIMEOUT_MS, HTTP_NETWORK_CONNECT_TIMEOUT, serverLogger, } from "../../../utils/index.js";
3
3
  import { createFileSystem } from "../../../platform/compat/fs.js";
4
4
  import * as pathHelper from "../../../platform/compat/path/index.js";
5
+ import { isAllowedRemoteHost } from "./http-validator.js";
5
6
  const logger = serverLogger.component("api");
6
7
  const HTTP_MODULE_CACHE_DIR = ".veryfront/cache/api-http-imports";
7
8
  const HTTP_MODULE_FETCH_MAX_ATTEMPTS = 3;
@@ -111,15 +112,25 @@ export function createHTTPPlugin(options) {
111
112
  const name = error.name || "Error";
112
113
  return typeof code === "string" && code ? `${name}(${code})` : name;
113
114
  }
115
+ function isReadOnlyFileSystemError(error) {
116
+ if (error == null)
117
+ return false;
118
+ const message = error instanceof Error ? error.message : String(error);
119
+ if (/read-only file ?system|os error 30|erofs/i.test(message))
120
+ return true;
121
+ return error instanceof Error && isReadOnlyFileSystemError(error.cause);
122
+ }
114
123
  async function persistLockfileEntry(url, entry) {
115
124
  if (!lockfile)
116
125
  return;
126
+ await lockfile.set(url, entry);
117
127
  try {
118
- await lockfile.set(url, entry);
119
128
  await lockfile.flush();
120
129
  logger.debug(`[http] lockfile updated: ${url} -> ${entry.resolved}`);
121
130
  }
122
131
  catch (error) {
132
+ if (!isReadOnlyFileSystemError(error))
133
+ throw error;
123
134
  logger.warn(`[http] could not persist lockfile entry for ${url}: ${describePersistenceError(error)}`);
124
135
  }
125
136
  }
@@ -177,14 +188,12 @@ export function createHTTPPlugin(options) {
177
188
  try {
178
189
  const u = new URL(args.path);
179
190
  if (allowedHosts?.length) {
180
- const hostUrl = `${u.protocol}//${u.host}`;
181
- const isAllowed = allowedHosts.some((h) => hostUrl.startsWith(h));
182
- if (!isAllowed) {
183
- const remediation = `Add "${hostUrl}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
191
+ if (!isAllowedRemoteHost(u, allowedHosts)) {
192
+ const remediation = `Add "${u.origin}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
184
193
  return {
185
194
  errors: [
186
195
  {
187
- text: `Remote import blocked by allow-list: ${hostUrl}. ${remediation}`,
196
+ text: `Remote import blocked by allow-list: ${u.origin}. ${remediation}`,
188
197
  },
189
198
  ],
190
199
  };
@@ -1,2 +1,3 @@
1
+ export declare function isAllowedRemoteHost(url: URL, allowedHosts: string[]): boolean;
1
2
  export declare function validateHTTPImports(source: string, allowedHosts: string[]): void;
2
3
  //# sourceMappingURL=http-validator.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"http-validator.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/http-validator.ts"],"names":[],"mappings":"AAEA,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,CAmChF"}
1
+ {"version":3,"file":"http-validator.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/http-validator.ts"],"names":[],"mappings":"AAEA,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,OAAO,CAQ7E;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,CAiChF"}
@@ -1,4 +1,14 @@
1
1
  import { createError, toError } from "../../../errors/veryfront-error.js";
2
+ export function isAllowedRemoteHost(url, allowedHosts) {
3
+ return allowedHosts.some((host) => {
4
+ try {
5
+ return new URL(host).origin === url.origin;
6
+ }
7
+ catch (_) {
8
+ return false;
9
+ }
10
+ });
11
+ }
2
12
  export function validateHTTPImports(source, allowedHosts) {
3
13
  if (!allowedHosts?.length)
4
14
  return;
@@ -9,22 +19,20 @@ export function validateHTTPImports(source, allowedHosts) {
9
19
  const url = match[0].match(/https?:\/\/[^'"]+/)?.[0];
10
20
  if (!url)
11
21
  continue;
12
- let hostUrl;
22
+ let u;
13
23
  try {
14
- const u = new URL(url);
15
- hostUrl = `${u.protocol}//${u.host}`;
24
+ u = new URL(url);
16
25
  }
17
26
  catch (_) {
18
27
  /* expected: URL may be malformed */
19
28
  continue;
20
29
  }
21
- const isAllowed = allowedHosts.some((h) => hostUrl.startsWith(h));
22
- if (isAllowed)
30
+ if (isAllowedRemoteHost(u, allowedHosts))
23
31
  continue;
24
- const remediation = `Add "${hostUrl}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
32
+ const remediation = `Add "${u.origin}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
25
33
  throw toError(createError({
26
34
  type: "api",
27
- message: `[API] handler build failed: Remote import blocked by allow-list: ${hostUrl}. ${remediation}`,
35
+ message: `[API] handler build failed: Remote import blocked by allow-list: ${u.origin}. ${remediation}`,
28
36
  }));
29
37
  }
30
38
  }
@@ -1,3 +1,3 @@
1
1
  /** Shared version value. */
2
- export declare const VERSION = "0.1.1009";
2
+ export declare const VERSION = "0.1.1010";
3
3
  //# sourceMappingURL=version-constant.d.ts.map
@@ -1,4 +1,4 @@
1
1
  // Keep in sync with deno.json version.
2
2
  // scripts/release.ts updates this constant during releases.
3
3
  /** Shared version value. */
4
- export const VERSION = "0.1.1009";
4
+ export const VERSION = "0.1.1010";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "veryfront",
3
- "version": "0.1.1009",
3
+ "version": "0.1.1010",
4
4
  "description": "The simplest way to build AI-powered apps",
5
5
  "keywords": [
6
6
  "react",