Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(nitro): include nested layers in nitro transforms#35327

Merged
danielroe merged 1 commit into
mainfrom
fix/nested-layer-transform
Jun 10, 2026
Merged

fix(nitro): include nested layers in nitro transforms#35327
danielroe merged 1 commit into
mainfrom
fix/nested-layer-transform

Conversation

@danielroe

Copy link
Copy Markdown
Member

πŸ”— Linked issue

resolves #35324

πŸ“š Description

this handles nested node_modules dirs with both pnpm + npm

@github-actions github-actions Bot added 5.x πŸ› bug Something isn't working as expected labels Jun 10, 2026
@pkg-pr-new

pkg-pr-new Bot commented Jun 10, 2026

Copy link
Copy Markdown

Open in StackBlitz

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@35327

@nuxt/nitro-server

npm i https://pkg.pr.new/@nuxt/nitro-server@35327

nuxt

npm i https://pkg.pr.new/nuxt@35327

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@35327

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@35327

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@35327

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@35327

commit: eeadba8

@coderabbitai

This comment has been minimized.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

πŸ€– Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/nitro-server/src/utils.ts`:
- Around line 31-38: The generated node_modules exclusion RegExp is too
permissive because entries from excludePaths are inserted as raw suffixes (used
in NODE_MODULES_RE), allowing partial matches like "foo" to also match "foobar";
update the regex construction so each excludePaths entry is escaped and anchored
to a path segment boundary (e.g., transform each entry via escapeRE and append
(?:\/|$) or equivalent) before joining, so the returned RegExp uses
node_modules\\/(?!<anchored-alternatives>) and only exempts exact package path
prefixes.
πŸͺ„ Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
βš™οΈ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9e83896e-9cad-43b9-8350-3b507e2037f1

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between a9f522c and eeadba8.

πŸ“’ Files selected for processing (3)
  • packages/nitro-server/src/index.ts
  • packages/nitro-server/src/utils.test.ts
  • packages/nitro-server/src/utils.ts

Comment on lines +31 to +38
excludePaths.push(escapeRE(suffix))
}
NODE_MODULES_RE.lastIndex = match.index + 1
}
}
return excludePaths.length
? new RegExp(`node_modules\\/(?!${excludePaths.join('|')})`)
: /node_modules/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚑ Quick win

Regex lookahead is over-broad and lets non-layer packages bypass exclusion.

At Line 37, the alternatives are inserted as raw suffixes (for example foo), so node_modules/(?!foo) also exempts node_modules/foobar/**. This causes unrelated dependencies to be transformed as if they were layer-owned.

Suggested fix
-      if (suffix) {
-        excludePaths.push(escapeRE(suffix))
-      }
+      if (suffix) {
+        excludePaths.push(`${escapeRE(suffix)}(?:\\/|$)`)
+      }
🧰 Tools
πŸͺ› ast-grep (0.43.0)

[warning] 36-36: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(node_modules\\/(?!${excludePaths.join('|')}))
Note: [CWE-1333] Inefficient Regular Expression Complexity

(regexp-from-variable)

πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/nitro-server/src/utils.ts` around lines 31 - 38, The generated
node_modules exclusion RegExp is too permissive because entries from
excludePaths are inserted as raw suffixes (used in NODE_MODULES_RE), allowing
partial matches like "foo" to also match "foobar"; update the regex construction
so each excludePaths entry is escaped and anchored to a path segment boundary
(e.g., transform each entry via escapeRE and append (?:\/|$) or equivalent)
before joining, so the returned RegExp uses
node_modules\\/(?!<anchored-alternatives>) and only exempts exact package path
prefixes.

@codspeed-hq

codspeed-hq Bot commented Jun 10, 2026

Copy link
Copy Markdown

Merging this PR will improve performance by 16.68%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚑ 1 improved benchmark
βœ… 19 untouched benchmarks
⏩ 3 skipped benchmarks1

Performance Changes

Benchmark BASE HEAD Efficiency
⚑ loadNuxt in the basic test fixture 449.3 ms 385.1 ms +16.68%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.


Comparing fix/nested-layer-transform (eeadba8) with main (a9f522c)

Open in CodSpeed

Footnotes

  1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

@danielroe danielroe requested review from huang-julien and posva June 10, 2026 11:17
@danielroe danielroe enabled auto-merge June 10, 2026 11:23
name: 'nuxt',
version: nuxtPkg.version || nitroBuilder.version,
},
imports: nuxt.options.experimental.nitroAutoImports === false

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated question to this PR but why don't we use && instead of === false ? ternary ?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it feels clearer - also I try to avoid && as it can sometimes pass-through other falsy values like 0, undefined, etc.

@danielroe danielroe added this pull request to the merge queue Jun 10, 2026
Merged via the queue into main with commit 3986390 Jun 10, 2026
35 checks passed
@danielroe danielroe deleted the fix/nested-layer-transform branch June 10, 2026 12:55
@github-actions github-actions Bot mentioned this pull request Jun 10, 2026
4 tasks
@github-actions github-actions Bot mentioned this pull request Jun 24, 2026
@github-actions github-actions Bot mentioned this pull request Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

5.x πŸ› bug Something isn't working as expected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Layers nested inside another layer are excluded from Nitro's esbuild transform

2 participants