related to https://github.com/sveltejs/kit/issues/13764#issuecomment-3924116918

SvelteKit stringifies environment variables during build so that it can inject static values into the build output instead of always reading the env vars dynamically. However, interprets any absolute path as an asset it should add. This causes builds on Vercel's build system to balloon in function size because it traces and bundles paths such as Node, Yarn global, etc. Often, this causes the deployment to fail because the function size exceeds the limit. This PR ensures asset paths outside the given job base are ignored to help us avoid packaging in system dependencies.

~Draft for now because I'm not confident that this fix doesn't break lots of other things~
Repository: vercel/nft. Description: Node.js dependency tracing utility Stars: 1594, Forks: 167. Primary language: JavaScript. Languages: JavaScript (89.6%), TypeScript (10.4%), CSS (0%). License: MIT. Homepage: https://npmjs.com/@vercel/nft Topics: static-analysis. Latest release: 1.3.2 (5d ago). Open PRs: 9, open issues: 40. Last activity: 5d ago. Community health: 75%. Top contributors: styfle, dependabot[bot], guybedford, ijjk, thomashohn, benmccann, jeffsee55, Timer, lucleray, onsclom and others.
## Summary

Add location tracking to the function to capture where assets, dependencies, and imports are referenced in source code. This enables downstream tools (like bundlers and transformers) to rewrite asset references while preserving source maps and code structure.

## Motivation

Currently, identifies which assets/dependencies a file uses but doesn't track where in the source code those references occur. This limits the ability to:

1. Transform asset references: Build tools that need to rewrite asset paths (e.g., Vite plugins, custom bundlers) must re-parse and duplicate nft's sophisticated detection heuristics
2. Generate accurate source maps: Without position information, transformations can't maintain proper source map mappings

## Use Case

Vite/Rolldown/Esbuild Plugin for Asset Transformation

## Proposed API

Enhanced Interface

Example Usage

## Coverage

I think that the following detection heuristics can be enhanced:

Fully Trackable (13 cases):

- ✅ , ,
- ✅ ESM / declarations
- ✅ Dynamic expressions
- ✅ function calls (readFileSync, readFile, etc.)
- ✅ functions (join, resolve)
- ✅ , references
- ✅
- ✅ Special bindings (BINDINGS, NODE_GYP_BUILD, NBIND_INIT, etc.)

Partially Trackable (3 cases):

- ⚠️ Glob patterns (, )
  - Can track the expression that triggered the glob
  - Cannot track individual files discovered from filesystem

## Open Questions

1. Opt-in flag: Should location tracking be behind a feature flag to avoid performance overhead for users who don't need it?
2. Glob patterns: How should we represent assets discovered through glob patterns? Current proposal is to track the pattern expression but not individual files.
vm2 3.10.0 has a critical sandbox escape via unsanitized Promise callbacks (CVE-2026-22709, CVSS 9.8). Bumped devDependency from → (lockfile was pinned to vulnerable 3.10.0)

Original prompt

This section details the original issue you should resolve:

Security Vulnerability in your devDependencies (vm2)

Security Vulnerability Alert for the version of vm2 found in your devDependencies: On 25 Jan 26, a GitHub project maintainer shared a critical flaw found in vm2, a popular NodeJS sandbox library. The vulnerability, tracked as CVE-2026-22709 (CVSS v3.1 score 9.8), arises from vm2's failure to properly sandbox 'Promises,' the callback sanitization component that handles asynchronous operations, and could allow an attacker to escape the sandbox and run untrusted JavaScript code. CVE-2026-22709 affects vm2 version 3.10.0, and has been fixed in versions 3.10.1, 3.10.2, and 3.10.3. Users are recommended to update to version 3.10.3, as it contains a more secure patch to avoid a potential bypass. As of 30 Jan 26, there is no evidence of active exploitation.

Please fix this. Update dependency to the latest version and make sure tests are passing.

## Comments on the Issue (you are @copilot in this section)

Fixes vercel/nft#565
I'm trying to include the command in my Docker image. I extend a Next.js standalone build by setting to the results of for the additional binaries I want to bundle. Anyway, the issue is easily reproducible by installing locally and then:

As usual, is just a symlink to , which is really just:

Seemingly, this relative path should be evaluated based on the actual file location / symlink target (). Here's the test that it would work (despite some strange warnings that I assume to be caused by some settings in the CLI):