fix(runtime): stub node:/bun: built-ins in dev module server (#2315) #2318
Merged
The dev module server tried to auto-install node:* and bun:* built-in modules from npm when the browser requested them via /@deps/. These are server-only modules that should never be resolved from the registry.

- Add is_runtime_builtin() check in handle_deps_request() to return empty ES module stubs for node:* and bun:* specifiers
- Short-circuit import rewriter for node:/bun: prefixes to skip unnecessary filesystem resolution

Closes #2315

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…on, tests

- Add console.warn to stub so devs know imports were stubbed (#2315)
- Switch from /* */ to // comments to prevent comment injection
- Add sanitization for specifier in JS string literal
- Add injection attack test and is_runtime_builtin unit tests
- Write review to reviews/fix-runtime-builtins/

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Apr 5, 2026
Summary

- node:* and bun:* specifiers as runtime built-ins and returns empty ES module stubs instead of attempting to auto-install them from npm
- console.warn() so developers know imports were stubbed for the browser
- // line comments and specifier sanitization

Root Cause

When @vertz/db (or any server-side package) is transitively pulled into the client bundle, its top-level import { ... } from "node:fs/promises" gets rewritten to /@deps/node:fs/promises. The module server's handle_deps_request() had no check for built-in modules, so it:

node_modules/

Changes

- native/vtz/src/server/module_server.rs: is_runtime_builtin() + runtime_builtin_stub() helpers, early return in handle_deps_request()
- native/vtz/src/compiler/import_rewriter.rs: node:/bun: in rewrite_specifier_inner()

Public API Changes
None — internal runtime behavior only.
Test plan
- test_handle_deps_request_node_builtin_returns_stub — node:fs returns 200 with stub
- test_handle_deps_request_node_builtin_subpath_returns_stub — node:fs/promises returns 200
- test_handle_deps_request_bun_builtin_returns_stub — bun:sqlite returns 200 with console.warn + export default
- test_handle_deps_request_node_crypto_returns_stub — node:crypto returns 200
- test_handle_deps_request_node_module_returns_stub — node:module returns 200
- test_handle_deps_request_regular_package_still_404 — non-builtins still 404
- test_handle_deps_request_builtin_stub_no_comment_injection — crafted node:*/alert(1)// does not execute
- test_is_runtime_builtin_positive / test_is_runtime_builtin_negative — predicate unit tests
- node:*, bun:*, subpaths, and full-code integration
- cargo test --all && cargo clippy --release -- -D warnings && cargo fmt --check

Closes #2315
🤖 Generated with Claude Code
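
The comment-injection and string-literal hardening described in this pull request, as an added example that is not code from the pull request or the project. Only the name is_runtime_builtin and the crafted specifier node:*/alert(1)// come from the page; the function bodies, the stub text, and the names stub_unsafe, stub_hardened and js_string_literal are assumptions.

```rust
// Added example; function bodies and stub text are assumptions, not the project's code.

/// Server-only specifiers that must never be fetched from the registry.
fn is_runtime_builtin(spec: &str) -> bool {
    spec.starts_with("node:") || spec.starts_with("bun:")
}

/// "Before" shape: raw specifier inside a block comment and a string literal.
/// A specifier containing `*/` or `"` ends the comment or the string early.
fn stub_unsafe(spec: &str) -> String {
    format!("/* stub for {spec} */\nconsole.warn(\"{spec} was stubbed\");\nexport default {{}};\n")
}

/// Encode `s` as a double-quoted JS string literal with no raw quote,
/// backslash, control character or JS line terminator left in it.
fn js_string_literal(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            // \n and \r are control characters; U+2028/U+2029 also end a JS line.
            c if c.is_control() || c == '\u{2028}' || c == '\u{2029}' => {
                out.push_str(&format!("\\u{:04X}", c as u32))
            }
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Hardened shape: a line comment plus the escaped literal. Because the
/// literal holds no line terminator, the stub is always exactly three lines.
fn stub_hardened(spec: &str) -> String {
    let lit = js_string_literal(spec);
    format!(
        "// runtime built-in stub for {lit}\nconsole.warn({lit} + \" is server-only and was stubbed for the browser\");\nexport default {{}};\n"
    )
}

fn main() {
    let crafted = "node:*/alert(1)//"; // specifier from the PR's injection test
    assert!(is_runtime_builtin(crafted));
    println!("{}\n{}", stub_unsafe(crafted), stub_hardened(crafted));
}
```

A line comment is only safe when the interpolated text cannot contain a line terminator, which is why the same escaped literal is used in both the comment and the console.warn call.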