Skip to content

runtime hardening before release: br/zstd leak scanning, shared process.env bookkeeping, lazy-crypto fixes#864

Merged
theoephraim merged 1 commit into
mainfrom
runtime-prepublish-hardening
Jul 5, 2026
Merged

runtime hardening before release: br/zstd leak scanning, shared process.env bookkeeping, lazy-crypto fixes#864
theoephraim merged 1 commit into
mainfrom
runtime-prepublish-hardening

Conversation

@theoephraim

Copy link
Copy Markdown
Member

Follow-ups from a pre-publish review of the runtime changes in #861/#862, since those ship to all varlock users.

Changes

Leak scanner (patch-server-response.ts)

  • now decodes brotli and zstd responses (zstd where node >= 22.15), not just gzip/deflate — same accumulate/flush pattern; unsupported encodings log via debug instead of silently skipping

Shared env state (env.ts)

  • originalProcessEnv + injected-key bookkeeping moved into the shared globalThis state (#861 moved values/settings but left these module-local), so a reload flowing through a different bundled copy of varlock/env still cleans up keys removed from config
  • removed keys are also dropped from the shared values object, so ENV.REMOVED_KEY no longer serves a stale value after reload

Edge init (init-edge.ts)

  • async-decrypt promise is marked handled, so a wrong key surfaces as a clean per-request error instead of a pre-request unhandled rejection (fatal on some edge runtimes)

Engines: node floor raised to >=22.3.0process.getBuiltinModule (which the lazy node:crypto loading relies on in ESM contexts) doesn't exist before 22.3.

Tests

  • new unit coverage for the previously untested response scanner: throw mode (single/multi-chunk gzip, header-only chunk, deflate/br/zstd, unknown-encoding fail-open) and redact mode through a real HTTP server (redaction, byte-identical gzip pass-through, compressed leaks failing closed)
  • new multi-module-copy env state tests (cross-copy init/reload, removed-key cleanup, still-encrypted blob handling)
  • framework harness gains headerAssertions; the nextjs dev scenario now asserts the dev server survives a leak-killed response and that responses actually flow through the gzip scan path — verified locally against next 14/15/16 (webpack + turbopack)

Changeset texts updated accordingly (including a heads-up that apps with existing undetected leaks will start seeing those responses blocked, since most browser traffic previously bypassed the scanner).

…env bookkeeping, lazy-crypto fixes

- leak scanner now decodes brotli + zstd responses (same accumulate/flush
  pattern as gzip); unknown encodings get a debug log instead of a silent skip
- process.env injection bookkeeping moved into the shared globalThis env
  state so reloads through a different bundled module copy clean up removed
  keys; removed keys are also dropped from the shared ENV values
- init-edge marks the async-decrypt promise handled so a bad key surfaces
  per-request instead of as a pre-request unhandled rejection
- engines bumped to node >=22.3.0 (process.getBuiltinModule floor for the
  lazy node:crypto loading)
- new unit tests for patch-server-response (throw + redact modes, real http
  server pass-through) and multi-copy env state; nextjs framework dev
  scenario now asserts the server survives a killed response and that
  responses flow through the gzip scan path (new harness headerAssertions)
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

bumpy-frog

The changes in this PR will be included in the next version bump.

patch Patch releases

  • varlock 1.9.0 → 1.9.1

Bump files in this PR

Click here if you want to add another bump file to this PR


This comment is maintained by bumpy.

@pkg-pr-new

pkg-pr-new Bot commented Jul 5, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/varlock@864

commit: c8f2121

@theoephraim theoephraim merged commit aa6d178 into main Jul 5, 2026
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant