The current Hub snapshot pipeline (packages/hub/src/snapshot-playwright.ts) uses
the esm.sh CDN for browser-side ESM resolution and hardcodes package versions for
Shoelace and media-chrome. This approach has several problems:
- Non-deterministic: CDN availability and response times vary between runs
- Version drift: Hardcoded versions may differ from local dependencies
- Not hermetic: External network calls make builds non-reproducible
- CI fragility: CDN outages cause snapshot failures
- Security: Loading arbitrary CDN content increases attack surface

Migrate to local node_modules + temporary static server:
- Resolution: Install packages via deno install/npm install to local node_modules, then serve via a temporary static HTTP server
- Lockfile hash: Record deno.lock hash and resolved package versions in snapshot metadata
- Version gate: Fail if resolved version differs from lockfile
- No CDN: Remove all esm.sh references from snapshot pipeline
- Reproducibility: Same lockfile + same source = identical snapshots

- Add version/source metadata to snapshot output
- Log esm.sh base URL and resolved versions
- No behavior change, just observability

- Start a temporary deno serve or Vite dev server for ESM resolution
- Point Playwright at local server instead of esm.sh
- Keep esm.sh as fallback with warning

- Remove esm.sh fallback entirely
- All snapshots must resolve locally
- CI enforces hermetic builds only

- Snapshots become deterministic and reproducible
- CI no longer depends on esm.sh availability
- Requires node_modules in CI (already present for Vite builds)
- Slightly more complex server setup in scan pipeline
- Better security posture (no arbitrary CDN content)
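
One way to implement the "Lockfile hash" and "Version gate" items, as an added example that is not the project's own code. It assumes the lockfile has a top-level `npm` map keyed `name@version`; the function names and the sample versions are hypothetical.

```typescript
import { createHash } from "node:crypto";

// Assumed lockfile shape: a top-level "npm" map keyed "name@version".
interface Lockfile { npm?: Record<string, unknown> }
interface SnapshotMeta { lockfileSha256: string; packages: Record<string, string> }

// Collect the versions the lockfile pins for each package name.
function lockedVersions(lock: Lockfile): Map<string, Set<string>> {
  const out = new Map<string, Set<string>>();
  for (const key of Object.keys(lock.npm ?? {})) {
    const at = key.indexOf("@", 1); // skip the leading "@" of scoped names
    if (at < 0) continue;
    const name = key.slice(0, at);
    // Assumption: a "_peer@x" suffix may follow the version; drop it.
    const version = key.slice(at + 1).split("_")[0];
    if (!out.has(name)) out.set(name, new Set());
    out.get(name)!.add(version);
  }
  return out;
}

// Version gate: throw unless every served package matches a locked version,
// then return the metadata to store alongside the snapshot.
function buildSnapshotMeta(lockText: string, resolved: Record<string, string>): SnapshotMeta {
  const locked = lockedVersions(JSON.parse(lockText) as Lockfile);
  for (const [name, version] of Object.entries(resolved)) {
    const pins = locked.get(name);
    if (!pins) throw new Error(`${name} is served but not present in the lockfile`);
    if (!pins.has(version)) {
      const want = Array.from(pins).join(", ");
      throw new Error(`${name}: resolved ${version}, lockfile pins ${want}`);
    }
  }
  return {
    lockfileSha256: createHash("sha256").update(lockText).digest("hex"),
    packages: { ...resolved },
  };
}

// Constructed sample data; the versions are placeholders, not the project's pins.
const SAMPLE_LOCK = JSON.stringify({
  npm: { "@shoelace-style/shoelace@0.0.1": {}, "media-chrome@0.0.2": {} },
});
// In the pipeline these would be read from node_modules/<name>/package.json.
const SAMPLE_RESOLVED = { "@shoelace-style/shoelace": "0.0.1", "media-chrome": "0.0.2" };
```

Hashing the raw lockfile text rather than the parsed object means any change to the file, including integrity fields, changes the recorded hash.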