Skip to content

Overhaul CloudFlare worker Node implementation#90

Merged
philpennock merged 4 commits into
mainfrom
pdp/overhaul-node-nightlies
Jul 2, 2026
Merged

Overhaul CloudFlare worker Node implementation#90
philpennock merged 4 commits into
mainfrom
pdp/overhaul-node-nightlies

Conversation

@philpennock

Copy link
Copy Markdown
Contributor

This consists of three commits which should be kept distinct, not squashed:

  • nightlies-serving: replace TS/webpack build with dependency-free worker
  • nightlies-serving: clear dev-dep audit advisories via vitest 4 upgrade
  • docs: show how to test the real KV store

The core routing logic is unchanged, but the implementation is overhauled entirely. It's now pure JS, with no runtime dependencies, so any supply chain issues will affect local dev but will not affect production deploys, ever. The local dev dependency set is significantly reduced too.

This is smaller, lighter, and less exposed to supply chain forced bumps.

Along the way, we updated things such as Wrangler versions and so forth, and overhauled the docs, so that we will hopefully be good for another few years without needing to focus on this again.

Phil's AI Bot Account and others added 3 commits July 1, 2026 16:08
The worker is ~40 lines of edge code, but carried a full node/webpack/
TypeScript/itty-router/jest/eslint toolchain inherited from the
worker-typescript-template. That toolchain shipped nothing to the edge yet
was a perpetual source of npm audit churn, and finally hit irreconcilable
upstream version conflicts (jest 30 vs ts-jest 27 among them). None of it
earned its keep.

Rather than keep patching the build, remove it. Go-compiled-to-WASM was
considered and rejected: Workers have no native Go runtime, so it needs a
third-party bridge (syumai/workers) plus TinyGo and a build step -- a heavier
toolchain, not a lighter one. Plain JavaScript with no build step is the
smaller, simpler target.

Worker:
  - Rewrite src/handler.ts + index.ts as a single dependency-free ES module,
    src/worker.js (export default { fetch }). ASSETS moves from a service-worker
    global to the env binding. Behaviour is preserved: GET|HEAD /current-nightly,
    GET /nightly/:id with an extension-derived Content-Type, 404 otherwise.
  - Routing is now two pathname checks; itty-router is dropped.
  - No bundler: wrangler uploads the one file directly (dry-run: 2.10 KiB).
  - Type safety retained via // @ts-check + JSDoc, checked by `tsc --noEmit`
    (checkJs), so there is still no build artifact.

Config / tests:
  - wrangler.toml modernised for wrangler 4: `main`, per-route `zone_id`,
    dropped the top-level `zone_id`, `[build]`, and service-worker upload format.
  - Replace the jest + service-worker-mock suite (whose one test was dead: it
    asserted a response the handler never produced) with a vitest smoke suite
    that runs against the real workerd runtime via
    @cloudflare/vitest-pool-workers, seeding an in-memory KV per test.
  - Delete webpack.config.js, jestconfig.json, .prettierrc, .cargo-ok, and the
    old src/*.ts. tsconfig.json becomes typecheck-only.

The result has zero runtime dependencies; the remaining npm packages (wrangler,
vitest) are dev-only and never reach the edge. `npm test` passes 5/5 in workerd
and `tsc` is clean.

Docs:
  - Top-level README: deploy via `npm install` / `npm run deploy`, not
    `cargo install wrangler` / `wrangler publish`; the open "switch to a WASM
    language?" question is resolved inline.
  - CLOUDFLARE.md: describe the current single-file worker instead of the old
    handler.ts/webpack setup, and rewrite the credentials guidance to bias
    toward a scoped token in CLOUDFLARE_API_TOKEN sourced from a secrets
    manager, over long-lived credentials left on disk by `wrangler login`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
`npm audit` reported 6 advisories (5 high), all confined to dev/test
tooling — esbuild, undici, ws — pulled in transitively. None ship in the
deployed worker (src/worker.js is dependency-free) and the esbuild
advisory is a Windows-only dev-server issue, so production exposure was
nil; this is hygiene, not an incident.

`npm audit fix` couldn't act on them: every vulnerable copy came from
@cloudflare/vitest-pool-workers pinning an older nested wrangler +
miniflare, and the fix (0.17.0) sits outside the declared `^0.12.0`
range, so the non-forced fixer just re-printed the report. The top-level
wrangler was already clean.

Bumping vitest-pool-workers to ^0.17.0 pulls clean esbuild 0.28.1 /
miniflare 4.20260630.0 (undici 7.28.0, ws 8.21.0) / wrangler 4.106.0,
but 0.17 peers on vitest 4, forcing a coupled major with two breaking
API changes:

- vitest.config.js: the `/config` subpath and defineWorkersConfig are
  gone; migrate to cloudflareTest() as a plugin over defineConfig, per
  the shipped vitest-v3-to-v4 codemod.
- tsconfig.json: the `cloudflare:test` ambient types moved to the
  /types export; add it to the types array.
- test/env.d.ts: `env` is now typed as Cloudflare.Env rather than
  ProvidedEnv; retarget the ASSETS binding augmentation accordingly.

audit clean (0 vulnerabilities), tsc --noEmit clean, 5/5 tests pass on
Node 24.9.0 / npm 11.6.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors the nightlies-serving Cloudflare Worker to a dependency-free, single-file ES module (no TS/webpack/router at runtime), modernizes the local tooling around Wrangler v4 + Vitest pool-workers, and updates documentation for deployment and real-KV testing.

Changes:

  • Replace the previous TypeScript + webpack + itty-router worker with a single src/worker.js ES module uploaded directly by Wrangler.
  • Swap Jest/service-worker-mock tests for Vitest running against the real workerd runtime via @cloudflare/vitest-pool-workers, plus TS checking of JSDoc-typed JS.
  • Update docs and Wrangler configuration to align with the new deploy/test workflow and token-based auth guidance.

Reviewed changes

Copilot reviewed 16 out of 20 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
README.md Updates top-level Cloudflare Workers deployment instructions and rationale for the new implementation.
CLOUDFLARE.md Expands guidance around Wrangler auth (tokens vs persisted login) and documents the worker/toolchain overhaul.
nightlies-serving/wrangler.toml Switches to main = src/worker.js, updates compatibility date, and uses per-route zone_id format for Wrangler v4.
nightlies-serving/package.json Removes build/bundle/runtime deps; adds Wrangler/Vitest tooling and typecheck/dev scripts; sets ESM module type.
nightlies-serving/tsconfig.json Moves to JS+JSDoc typechecking (allowJs/checkJs/noEmit) and adds Vitest pool-workers types.
nightlies-serving/vitest.config.js Adds Vitest configuration to run the worker under workerd with an in-memory KV namespace.
nightlies-serving/src/worker.js New dependency-free worker implementation with minimal routing and KV-backed responses.
nightlies-serving/test/worker.test.js New smoke tests using cloudflare:test + workerd runtime and seeded KV.
nightlies-serving/test/env.d.ts Adds type augmentation for Cloudflare.Env to expose ASSETS binding in tests.
nightlies-serving/README.md Replaces template README with project-specific design/dev/live-testing documentation.
nightlies-serving/.gitignore Removes dist/transpiled ignores; adds .wrangler.
nightlies-serving/webpack.config.js Deleted (no longer bundling).
nightlies-serving/src/index.ts Deleted (no longer using addEventListener/service-worker style entry).
nightlies-serving/src/handler.ts Deleted (removed itty-router/TS handler).
nightlies-serving/src/bindings.d.ts Deleted (bindings now modeled via env + test type augmentation).
nightlies-serving/test/handler.test.ts Deleted (replaced by Vitest/workerd tests).
nightlies-serving/jestconfig.json Deleted (Jest removed).
nightlies-serving/.prettierrc Deleted (formatting tooling removed from this package).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread nightlies-serving/src/worker.js
Comment thread nightlies-serving/test/worker.test.js Outdated
Comment thread README.md Outdated
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 2, 2026

Copy link
Copy Markdown

Deploying nats-tools with  Cloudflare Pages  Cloudflare Pages

Latest commit: df8da28
Status: ✅  Deploy successful!
Preview URL: https://bc7453a4.nats-tools.pages.dev
Branch Preview URL: https://pdp-overhaul-node-nightlies.nats-tools.pages.dev

View logs

@escidmore escidmore left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@philpennock philpennock added this pull request to the merge queue Jul 2, 2026
Merged via the queue into main with commit af08267 Jul 2, 2026
3 checks passed
@philpennock philpennock deleted the pdp/overhaul-node-nightlies branch July 2, 2026 18:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants