runtime hardening before release: br/zstd leak scanning, shared process.env bookkeeping, lazy-crypto fixes#864
Merged
Conversation
…env bookkeeping, lazy-crypto fixes - leak scanner now decodes brotli + zstd responses (same accumulate/flush pattern as gzip); unknown encodings get a debug log instead of a silent skip - process.env injection bookkeeping moved into the shared globalThis env state so reloads through a different bundled module copy clean up removed keys; removed keys are also dropped from the shared ENV values - init-edge marks the async-decrypt promise handled so a bad key surfaces per-request instead of as a pre-request unhandled rejection - engines bumped to node >=22.3.0 (process.getBuiltinModule floor for the lazy node:crypto loading) - new unit tests for patch-server-response (throw + redact modes, real http server pass-through) and multi-copy env state; nextjs framework dev scenario now asserts the server survives a killed response and that responses flow through the gzip scan path (new harness headerAssertions)
Contributor
|
The changes in this PR will be included in the next version bump.
|
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Follow-ups from a pre-publish review of the runtime changes in #861/#862, since those ship to all varlock users.
Changes
Leak scanner (patch-server-response.ts)
Shared env state (env.ts)
originalProcessEnv+ injected-key bookkeeping moved into the shared globalThis state (#861moved values/settings but left these module-local), so a reload flowing through a different bundled copy ofvarlock/envstill cleans up keys removed from configENV.REMOVED_KEYno longer serves a stale value after reloadEdge init (init-edge.ts)
Engines: node floor raised to
>=22.3.0—process.getBuiltinModule(which the lazynode:cryptoloading relies on in ESM contexts) doesn't exist before 22.3.Tests
headerAssertions; the nextjs dev scenario now asserts the dev server survives a leak-killed response and that responses actually flow through the gzip scan path — verified locally against next 14/15/16 (webpack + turbopack)Changeset texts updated accordingly (including a heads-up that apps with existing undetected leaks will start seeing those responses blocked, since most browser traffic previously bypassed the scanner).