Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(kit,nuxt): protect against resolved nuxt module subpath #33767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
danielroe merged 3 commits into from
Nov 27, 2025
Merged

fix(kit,nuxt): protect against resolved nuxt module subpath #33767

danielroe merged 3 commits into from
Nov 27, 2025
+42 βˆ’31

Conversation

@danielroe
Copy link
Member

@danielroe danielroe commented Nov 26, 2025

πŸ”— Linked issue

πŸ“š Description

in cases where we have a nuxt module as a subpath (e.g. somelib/nuxt) it's nice - and intended! - to be able to specify somelib in the module array in nuxt.config.

however, this causes issues when there are imports from somelib as these are caught by nuxt's import protection rules, designed to prevent modules from being imported in the nuxt app

this refactors how we generate those rules. instead of using the string array of modules in nuxt config, we use the actually installed module entry paths, using mlly to 'lookup' the resolved path

(I'd like to investigate performance of this - it would be better if we could track which subpath is being used to avoid the second lookup.... given we already have a list we search)

@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Nov 26, 2025

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@danielroe danielroe self-assigned this Nov 26, 2025
@coderabbitai
Copy link

coderabbitai bot commented Nov 26, 2025
edited
Loading

Walkthrough

Module installation now uses mlly.lookupNodeModuleSubpath to compute per-module subpaths and may set an installed module's entryPath to "name/subpath" when available; entryPath assignment in callModule was moved to an outer mutable variable and can fall back to the raw module string. Import-protection registration was moved into the modules:done hook and now builds patterns from nuxt.options._installedModules entries that have an entryPath instead of iterating string module names. Tests updated to use the new _installedModules shape.

Possibly related PRs

  • nuxt/nuxt PR 30136 β€” Modifies packages/kit/src/module/install.ts to change module path resolution and exposes parsed/resolved module path information used for transpile/modulesDir.
  • nuxt/nuxt PR 31540 β€” Alters module installation/path resolution in packages/kit/src/module/install.ts, affecting entryPath and modulesDir handling.
  • nuxt/nuxt PR 33774 β€” Adjusts module installation metadata flow (meta.name/entryPath) and downstream usage in templates and code that rely on installed-module identity.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
βœ… Passed checks (2 passed)
Check name Status Explanation
Title check βœ… Passed The title clearly and specifically summarizes the main change: fixing import protection rules to handle resolved Nuxt module subpaths, which directly matches the changeset's core objective.
Description check βœ… Passed The description comprehensively explains the problem being solved (import protection incorrectly blocking imports from base packages when subpath modules are used) and the solution approach (using resolved entry paths instead of config strings), directly relating to all changes in the changeset.
✨ Finishing touches
  • πŸ“ Generate docstrings
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/import-protection
πŸ“œ Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between c2a20e5 and d9a981c.

πŸ“’ Files selected for processing (1)
  • packages/kit/src/module/install.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/kit/src/module/install.ts

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Nov 26, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/kit/src/module/install.ts (1)

325-332: Consider error handling for lookupNodeModuleSubpath.

The async lookupNodeModuleSubpath call could potentially fail or throw an error. Consider wrapping it in a try-catch block to handle failures gracefully, falling back to a default value.

   if (typeof modulePath === 'string') {
     const parsed = parseNodeModulePath(modulePath)
     if (parsed.name) {
-      const subpath = await lookupNodeModuleSubpath(modulePath) || '.'
-      entryPath = join(parsed.name, subpath === './' ? '.' : subpath)
+      try {
+        const subpath = await lookupNodeModuleSubpath(modulePath) || '.'
+        entryPath = join(parsed.name, subpath === './' ? '.' : subpath)
+      } catch {
+        // Fallback to package name if subpath lookup fails
+        entryPath = parsed.name
+      }
     }
πŸ“œ Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 1ec99e9 and c2a20e5.

πŸ“’ Files selected for processing (4)
  • packages/kit/src/module/install.ts (3 hunks)
  • packages/nuxt/src/core/nuxt.ts (1 hunks)
  • packages/nuxt/src/core/plugins/import-protection.ts (1 hunks)
  • packages/nuxt/test/import-protection.test.ts (2 hunks)
🧰 Additional context used
πŸ““ Path-based instructions (3)
**/*.{ts,tsx,vue}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

Follow standard TypeScript conventions and best practices

Files:

  • packages/nuxt/src/core/plugins/import-protection.ts
  • packages/kit/src/module/install.ts
  • packages/nuxt/test/import-protection.test.ts
  • packages/nuxt/src/core/nuxt.ts
**/*.{ts,tsx,js,jsx,vue}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx,js,jsx,vue}: Use clear, descriptive variable and function names
Add comments only to explain complex logic or non-obvious implementations
Keep functions focused and manageable (generally under 50 lines), and extract complex logic into separate domain-specific files
Remove code that is not used or needed
Use error handling patterns consistently

Files:

  • packages/nuxt/src/core/plugins/import-protection.ts
  • packages/kit/src/module/install.ts
  • packages/nuxt/test/import-protection.test.ts
  • packages/nuxt/src/core/nuxt.ts
**/*.{test,spec}.{ts,tsx,js}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

Write unit tests for core functionality using vitest

Files:

  • packages/nuxt/test/import-protection.test.ts
🧠 Learnings (8)
πŸ““ Common learnings 
Learnt from: GalacticHypernova
Repo: nuxt/nuxt PR: 26468
File: packages/nuxt/src/components/plugins/loader.ts:24-24
Timestamp: 2024-11-05T15:22:54.759Z
Learning: In `packages/nuxt/src/components/plugins/loader.ts`, the references to `resolve` and `distDir` are legacy code from before Nuxt used the new unplugin VFS and will be removed.

Learnt from: huang-julien
Repo: nuxt/nuxt PR: 29366
File: packages/nuxt/src/app/components/nuxt-root.vue:16-19
Timestamp: 2024-12-12T12:36:34.871Z
Learning: In `packages/nuxt/src/app/components/nuxt-root.vue`, when optimizing bundle size by conditionally importing components based on route metadata, prefer using inline conditional imports like:

```js
const IsolatedPage = route?.meta?.isolate ? defineAsyncComponent(() => import('#build/isolated-page.mjs')) : null
```

instead of wrapping the import in a computed property or importing the component unconditionally.
πŸ“š Learning: 2024-11-05T15:22:54.759Z 
Learnt from: GalacticHypernova
Repo: nuxt/nuxt PR: 26468
File: packages/nuxt/src/components/plugins/loader.ts:24-24
Timestamp: 2024-11-05T15:22:54.759Z
Learning: In `packages/nuxt/src/components/plugins/loader.ts`, the references to `resolve` and `distDir` are legacy code from before Nuxt used the new unplugin VFS and will be removed.

Applied to files:

  • packages/nuxt/src/core/plugins/import-protection.ts
  • packages/kit/src/module/install.ts
  • packages/nuxt/test/import-protection.test.ts
  • packages/nuxt/src/core/nuxt.ts
πŸ“š Learning: 2024-12-12T12:36:34.871Z 
Learnt from: huang-julien
Repo: nuxt/nuxt PR: 29366
File: packages/nuxt/src/app/components/nuxt-root.vue:16-19
Timestamp: 2024-12-12T12:36:34.871Z
Learning: In `packages/nuxt/src/app/components/nuxt-root.vue`, when optimizing bundle size by conditionally importing components based on route metadata, prefer using inline conditional imports like:

```js
const IsolatedPage = route?.meta?.isolate ? defineAsyncComponent(() => import('#build/isolated-page.mjs')) : null
```

instead of wrapping the import in a computed property or importing the component unconditionally.

Applied to files:

  • packages/nuxt/src/core/plugins/import-protection.ts
  • packages/nuxt/test/import-protection.test.ts
  • packages/nuxt/src/core/nuxt.ts
πŸ“š Learning: 2024-11-28T21:22:40.496Z 
Learnt from: GalacticHypernova
Repo: nuxt/nuxt PR: 29661
File: packages/kit/src/template.ts:227-229
Timestamp: 2024-11-28T21:22:40.496Z
Learning: In `packages/kit/src/template.ts`, when updating the `EXTENSION_RE` regular expression for TypeScript configuration, avoid using patterns like `(\.\w+)+$` as they can result in catastrophic backtracking.

Applied to files:

  • packages/nuxt/src/core/plugins/import-protection.ts
πŸ“š Learning: 2025-11-25T11:42:16.119Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.119Z
Learning: Applies to **/*.vue : Use `<script setup lang="ts">` and the composition API when creating Vue components

Applied to files:

  • packages/nuxt/test/import-protection.test.ts
πŸ“š Learning: 2025-11-25T11:42:16.119Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.119Z
Learning: Applies to **/*.{ts,tsx,vue} : Follow standard TypeScript conventions and best practices

Applied to files:

  • packages/nuxt/test/import-protection.test.ts
πŸ“š Learning: 2025-11-25T11:42:16.119Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.119Z
Learning: Applies to **/e2e/**/*.{ts,tsx,js} : Write end-to-end tests using Playwright and `nuxt/test-utils`

Applied to files:

  • packages/nuxt/test/import-protection.test.ts
πŸ“š Learning: 2025-11-25T11:42:16.119Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.119Z
Learning: Applies to **/*.{ts,tsx,js,jsx,vue} : Remove code that is not used or needed

Applied to files:

  • packages/nuxt/test/import-protection.test.ts
πŸͺ› ast-grep (0.40.0)
packages/nuxt/src/core/plugins/import-protection.ts

[warning] 34-34: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${escapeRE(mod.entryPath)}$)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: code
πŸ”‡ Additional comments (7)
packages/nuxt/src/core/nuxt.ts (1)

372-395: LGTM! Timing change aligns with new entryPath-based protection.

Moving import protection setup to the modules:done hook ensures that nuxt.options._installedModules is fully populated before protection patterns are generated. This is necessary for the new entryPath-based approach.

packages/nuxt/src/core/plugins/import-protection.ts (1)

32-39: LGTM! More precise module protection using resolved entry paths.

The refactor from string-based module patterns to entryPath-based patterns ensures that import protection rules match the actual resolved module locations. Using escapeRE to escape special regex characters prevents ReDoS vulnerabilities, making the static analysis warning a false positive.

packages/nuxt/test/import-protection.test.ts (2)

25-25: LGTM! Test validates subpath imports are not blocked.

This test case correctly verifies that importing from a module's runtime subpath (e.g., some-nuxt-module/runtime/something.vue) is not blocked when only the module's entry path (e.g., some-nuxt-module) is protected. This confirms the fix described in the PR objectives.

48-51: LGTM! Test structure updated to match new module metadata format.

The mock correctly uses _installedModules with entryPath properties, aligning with the refactored import protection logic.

packages/kit/src/module/install.ts (3)

7-7: LGTM! New import for subpath resolution.

The lookupNodeModuleSubpath utility is needed to accurately determine the actual module entry path rather than relying on the string specified in the configuration.

328-330: Note: Performance implications of module subpath lookups.

As mentioned in the PR description, the lookupNodeModuleSubpath call adds an async operation for each module installation. Consider investigating the performance impact and potentially optimising by caching results or tracking which subpath is used to avoid redundant lookups.

343-343: LGTM! Appropriate fallback for entryPath.

The fallback correctly uses moduleToInstall as the entryPath when the resolved path logic doesn't set it, which occurs when moduleToInstall is not a string or when module path parsing doesn't yield an entry path.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Nov 26, 2025
edited
Loading

Open in StackBlitz

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@33767

@nuxt/nitro-server

npm i https://pkg.pr.new/@nuxt/nitro-server@33767

nuxt

npm i https://pkg.pr.new/nuxt@33767

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@33767

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@33767

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@33767

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@33767

commit: d9a981c

@codspeed-hq
Copy link

codspeed-hq bot commented Nov 26, 2025
edited
Loading

CodSpeed Performance Report

Merging #33767 will not alter performance

Comparing fix/import-protection (d9a981c) with main (cdce631)

Summary

βœ… 10 untouched

@danielroe danielroe merged commit 81356f8 into main Nov 27, 2025
97 of 100 checks passed
@danielroe danielroe deleted the fix/import-protection branch November 27, 2025 15:53
@github-actions github-actions bot mentioned this pull request Nov 27, 2025
Merged
danielroe added a commit that referenced this pull request Dec 9, 2025
@danielroe
fix(kit,nuxt): protect against resolved nuxt module subpath (#33767)
0994403
@github-actions github-actions bot mentioned this pull request Dec 9, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Dec 13, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

@danielroe danielroe

Labels

4.x bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danielroe