build: Bundle vats with vite #763
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
grypez
force-pushed
the
grypez/bundle-with-vite
branch
3 times, most recently
from
504110d to
1a13965
Compare
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
1a13965 to
b8e02c0
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
bdc4c89 to
85c60f8
Compare
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
85c60f8 to
56f5732
Compare
| hasProperty(value, 'moduleFormat') && | ||
| value.moduleFormat === 'iife' && | ||
| hasProperty(value, 'code') && | ||
| typeof value.code === 'string'; |
There was a problem hiding this comment.
Incomplete type guard doesn't validate all VatBundle properties
Medium Severity
The isVatBundle type guard asserts that a value is a VatBundle, but only validates moduleFormat and code properties. The VatBundle type also requires exports: string[] and modules: Record<...> properties. Code that uses this type guard will believe it has a complete VatBundle after the check, but accessing .exports or .modules could return undefined if an incomplete object passed the check.
| ecmaVersion: 'latest', | ||
| sourceType: 'module', | ||
| onComment: comments, | ||
| }); |
There was a problem hiding this comment.
Wrong sourceType for parsing IIFE bundle output
Low Severity
The stripCommentsPlugin uses sourceType: 'module' to parse vite's IIFE output, but IIFE bundles are scripts, not modules. Module parsing implies strict mode, which rejects certain legacy JavaScript patterns (octal literals, with statements, etc.). If bundled dependencies contain non-strict-mode code that wasn't transpiled, parse() throws a SyntaxError, preventing comment stripping and causing the build to fail unexpectedly.
Drop support for the legacy endoZipBase64 bundle format and remove the @endo/import-bundle dependency. All vat bundles now use the vite-iife format loaded via Compartment.evaluate(). - Remove @endo/import-bundle from ocap-kernel dependencies - Simplify bundle-loader.ts to only support vite-iife format - Update VatSupervisor to use synchronous loadBundle - Update CLI tests to mock bundleVat instead of @endo/bundle-source - Update serve integration test to check vite-iife format Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Erik Marks <25517051+rekmarks@users.noreply.github.com>
Reuses the acorn parsing dependency from `@ocap/kernel-agents-repl` to authoritatively scrub comments from vat bundles. Refs #770 <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Replaces the comment scrubber with an AST-based implementation to reliably remove comments (including those containing `import(`) from bundled code. > > - Refactors `vite/strip-comments-plugin` to use Acorn (`parse` with `onComment`) and return unchanged code when no comments are found > - Adds unit tests for `strip-comments-plugin` covering single/multi-line comments, strings, regex, templates, and empty input > - Adds `acorn` dependency in `@ocap/cli` and updates `yarn.lock` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3a59ba8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
fcdd1f3 to
cc26d68
Compare
| assert: globalThis.assert, | ||
| ...endowments, | ||
| ...inescapableGlobalProperties, | ||
| }); |
There was a problem hiding this comment.
inescapableGlobalProperties treated as regular escapable globals
Medium Severity
The loadBundle function accepts an inescapableGlobalProperties parameter but treats it identically to regular endowments by spreading both into the Compartment constructor. In the original importBundle from @endo/import-bundle, inescapableGlobalProperties had special SES semantics that prevented the evaluated code from shadowing these globals. The current implementation makes them regular globals that can be shadowed by var declarations in the evaluated code. The test only verifies the properties are accessible, not that they're truly inescapable.
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
cc26d68 to
44ef8b3
Compare
status: substantiated repro: 763#discussion_r2723046643
status: substantiated repro: 763#discussion_r2718760552
status: substantiated repro: 763#discussion_r2723046645
grypez
force-pushed
the
grypez/bundle-with-vite
branch
from
44ef8b3 to
daa5828
Compare
Summary
Replace
@endo/bundle-sourcewith vite for vat bundling and remove@endo/import-bundlefor bundle loading.Changes
build()API with IIFE output formatCompartment.evaluate()instead ofimportBundle()@endo/import-bundledependency from all packages.@endo/bundle-sourcedependency from all packages except kernel-shims.Bundle Format
New bundles use
vite-iifeformat:{ "moduleFormat": "vite-iife", "code": "var __vatExports__ = ...", "exports": ["buildRootObject"], "modules": { ... } }Closes: #742
Note
Replaces Endo tooling with a Vite-based pipeline and a new runtime loader for vats.
vite-based bundler (bundleVat) producing IIFE bundles with__vatExports__; includesexport-metadataandstrip-commentsRollup pluginsbundle/watch; update README; adjust tests and fixtures to new bundle shape@endo/import-bundle; addloadBundletoevaluateIIFE bundles in a SESCompartment;VatSupervisornow fetches bundle text and loads vialoadBundleVatBundletype andisVatBundle; export fromkernel-utilsvite,rollup,acorn; update lockfileWritten by Cursor Bugbot for commit daa5828. This will update automatically on new commits. Configure here.