perf: use filters for plugin hooks

[pi0]

Using regex filters for plugin hooks can help to avoid unnecessary calls.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
nitro.build	Ready	Preview	Comment	Dec 1, 2025 10:43am

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Refactors several Rollup-style build plugins to use explicit filter+handler hook objects and standardizes internal virtual-module prefixes to nitro:/\0nitro:. oxc transform/renderChunk, raw asset handling, route-meta parsing, virtual prefixes, and a resolve import-prefix check were updated to the new hook pattern and naming.

Changes

Cohort / File(s)	Summary
oxc plugin (transform + renderChunk) src/build/plugins/oxc.ts	Replaces inline transform with transform: { filter, handler } (regex to match JS/TS/JSX/TSX excluding node_modules); handler delegates to existing transform with merged options and sourcemap. Removes inline filter; changes renderChunk from async to non-async while preserving minify call. Adjusts imports (type-only MinifyOptions).
raw asset plugin (prefixes & transform handler) src/build/plugins/raw.ts	Switches to plugin name "nitro:raw" and uses raw: / \0nitro:raw: prefixes. resolveId, load, and transform become filter+handler hooks; transform slices updated prefix, detects binary/text by MIME, emits JS that base64-decodes binaries and returns text modules. getHelpers returns helper code without String.raw.
route-meta plugin (filter+handler + safe regex) src/build/plugins/route-meta.ts	Replaces resolveId, load, and transform with { filter, handler } hooks using regex filters built with escapeRegExp and a PREFIX constant. Transform parses AST to extract defineRouteMeta, wrapped in try/catch with warning and fallback default export on failure.
virtual plugin (prefix update & filter simplification) src/build/plugins/virtual.ts	Changes internal prefix from \0virtual: to \0nitro:virtual: and simplifies resolveId filter from an object with id.include to a direct id RegExp while preserving matching semantics.
resolve plugin (import-prefix check update) src/build/plugins/resolve.ts	Updates import-prefix check from \0virtual:#nitro-internal-virtual to `\0nitro:virtual:`#nitro-internal-virtual in Nitro resolver condition; logic otherwise unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Pay attention to sourcemap propagation and option merging in oxc transform handler and renderChunk.
• Verify prefix slicing, helper import paths, and base64 emission in raw.ts.
• Check route-meta AST parsing error handling and correct use of escapeRegExp.
• Confirm consistent use of nitro: / \0nitro: prefixes across plugins and resolver.

Possibly related PRs

• perf: use filters for plugin hooks #3820 — Makes the same change replacing inline plugin hooks with filter+handler objects across multiple plugins; directly related.
• perf!: resolve virtual templates with single plugin #3819 — Refactors virtual/VFS handling (consolidates virtual plugins, changes VFS structure); related to prefix and virtual plugin updates.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'perf: use filters for plugin hooks' follows the conventional commits format with 'perf' type and accurately summarizes the main changes across all modified files.
Description check	✅ Passed	The description directly relates to the changeset, explaining the purpose of using regex filters for plugin hooks to avoid unnecessary calls.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf77a40 and bf7bf8e.

📒 Files selected for processing (1)

• src/build/plugins/oxc.ts (1 hunks)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

src/build/plugins/route-meta.ts (2)

13-28: ResolveId regex and PREFIX wiring look correct; adjust lint suppression for Biome if needed.

The resolveId handler correctly targets non-virtual ?meta imports and rewrites them to PREFIX + resolved.id. If Biome is part of your toolchain, the current // eslint-disable-next-line no-control-regex won’t silence lint/suspicious/noControlCharactersInRegex; consider adding a Biome-specific ignore comment above the regex while keeping the pattern as‑is.

-    resolveId: {
-      // eslint-disable-next-line no-control-regex
-      filter: { id: /^(?!\u0000)(.+)\?meta$/ },
+    resolveId: {
+      // biome-ignore lint/suspicious/noControlCharactersInRegex: allow matching non-virtual ?meta imports
+      // eslint-disable-next-line no-control-regex
+      filter: { id: /^(?!\u0000)(.+)\?meta$/ },

---

31-72: Load/transform filters are safe; consider fixing the log message typo.

The load/transform hooks correctly gate on PREFIX using escapeRegExp, so the “regex from variable” warnings are benign here given the constant, internal PREFIX. One small polish item is the warning message text.

-        } catch (error) {
-          nitro.logger.warn(
-            `[handlers-meta] Cannot extra route meta for: ${id}: ${error}`
-          );
-        }
+        } catch (error) {
+          nitro.logger.warn(
+            `[handlers-meta] Cannot extract route meta for: ${id}: ${error}`
+          );
+        }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2989d6b and 457a18b.

📒 Files selected for processing (4)

• src/build/plugins/oxc.ts (1 hunks)
• src/build/plugins/raw.ts (2 hunks)
• src/build/plugins/route-meta.ts (1 hunks)
• src/build/plugins/virtual.ts (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

src/build/plugins/oxc.ts (1)

src/types/rollup.ts (1)

• OXCOptions (20-23)

src/build/plugins/virtual.ts (1)

src/utils/regex.ts (1)

• escapeRegExp (1-3)

src/build/plugins/route-meta.ts (1)

src/utils/regex.ts (1)

• escapeRegExp (1-3)

🪛 ast-grep (0.40.0)

src/build/plugins/raw.ts

[warning] 14-14: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${HELPER_ID}$)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 14-14: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${PREFIX})
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 34-34: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${HELPER_ID}$)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 34-34: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${RESOLVED_PREFIX})
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 52-52: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${RESOLVED_PREFIX})
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

src/build/plugins/route-meta.ts

[warning] 31-31: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${escapeRegExp(PREFIX)})
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 42-42: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${escapeRegExp(PREFIX)})
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🪛 Biome (2.1.2)

src/build/plugins/route-meta.ts

[error] 15-15: Unexpected control character in a regular expression.

Control characters are unusual and potentially incorrect inputs, so they are disallowed.

(lint/suspicious/noControlCharactersInRegex)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: tests-rolldown (windows-latest)
• GitHub Check: tests-rollup (ubuntu-latest)
• GitHub Check: tests-rollup (windows-latest)

🔇 Additional comments (2)

src/build/plugins/virtual.ts (1)

4-4: PREFIX and resolveId filter are consistent and efficient.

Using a single PREFIX and precomputed id regexp over the modules keys cleanly limits resolveId to known virtual IDs, and escapeRegExp prevents any regex metacharacter issues from custom IDs. The behavior lines up with the load hook’s PREFIX usage, so no changes are needed here.

Also applies to: 31-33

src/build/plugins/raw.ts (1)

5-8: Raw plugin prefixes and filters look coherent; regex-from-variable warnings are safe here.

The new HELPER_ID/RESOLVED_PREFIX/PREFIX flow in resolveId, load, and transform cleanly isolates raw assets and the helper module, so only the relevant IDs hit these hooks. The new RegExp(\^${...}`)` usages are all built from internal constants (not user input), so the ReDoS-style “regexp-from-variable” warnings are effectively false positives in this context; no changes are strictly necessary.

Also applies to: 14-16, 34-36, 52-57, 85-96

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/nitrojs/nitro@3820

commit: cf77a40

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

src/build/plugins/oxc.ts (1)

8-10: Past review comment is outdated.

The previous review flagged that oxc() returns Promise<Plugin> and requires async handling in getRollupConfig. However, the current implementation shows oxc() is synchronous and returns Plugin directly (not a Promise). The concerns raised in the past review are not applicable to this version.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 457a18b and cf77a40.

📒 Files selected for processing (2)

• src/build/plugins/oxc.ts (1 hunks)
• src/build/plugins/resolve.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/build/plugins/oxc.ts (1)

src/types/rollup.ts (1)

• OXCOptions (20-23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: tests-rolldown (windows-latest)

🔇 Additional comments (2)

src/build/plugins/resolve.ts (1)

19-19: LGTM! Prefix update aligns with new virtual module convention.

The prefix change correctly reflects the new \0nitro:virtual: convention introduced in the virtual.ts plugin refactoring.

src/build/plugins/oxc.ts (1)

1-6: LGTM! Clean import reorganization.

The type-only import for MinifyOptions and the separated imports for transform and minify follow best practices.