fix: do not follow absolute paths outside job base (#568)

teemingc · web-flow · commit 0ce8e2c06ec8 · 2026-02-23T17:14:37.000Z
related to sveltejs/kit#13764 (comment) SvelteKit stringifies environment variables during build so that it can inject static values into the build output instead of always reading the env vars dynamically. However, `@vercel/nft` interprets any absolute path as an asset it should add. This causes builds on Vercel's build system to balloon in function size because it traces and bundles paths such as Node, Yarn global, etc. Often, this causes the deployment to fail because the function size exceeds the limit. This PR ensures asset paths outside the given job base are ignored to help us avoid packaging in system dependencies. ~Draft for now because I'm not confident that this fix doesn't break lots of other things~
diff --git a/src/analyze.ts b/src/analyze.ts
@@ -1169,9 +1169,33 @@ export default async function analyze(
       return;
     }
     if (wildcardIndex !== -1 && stats.isFile()) return;
+    // do not emit assets outside the package boundary if inside node_modules
+    if (pkgBase) {
+      const nodeModulesBase =
+        id.substring(0, id.indexOf(path.sep + 'node_modules')) +
+        path.sep +
+        'node_modules' +
+        path.sep;
+      if (!assetPath.startsWith(nodeModulesBase)) {
+        if (job.log)
+          console.log(
+            'Skipping asset emission of ' +
+              assetPath +
+              ' for ' +
+              id +
+              ' as it is outside the package base ' +
+              pkgBase,
+          );
+        return;
+      }
+    }
     if (stats.isFile()) {
+      // do not emit file assets outside job.base
+      if (job.ignoreFn(path.relative(job.base, assetPath))) return;
       assets.add(assetPath);
     } else if (stats.isDirectory()) {
+      // do not emit directory assets outside job.base
+      if (job.ignoreFn(path.relative(job.base, assetPath))) return;
       if (validWildcard(assetPath)) emitAssetDirectory(assetPath);
     }
   }
diff --git a/test/unit/pkg-dir-outside-base/.gitignore b/test/unit/pkg-dir-outside-base/.gitignore
@@ -0,0 +1 @@
+!node_modules 
diff --git a/test/unit/pkg-dir-outside-base/input.js b/test/unit/pkg-dir-outside-base/input.js
@@ -0,0 +1 @@
+require('some-pkg');
diff --git a/test/unit/pkg-dir-outside-base/node_modules/some-pkg/index.js b/test/unit/pkg-dir-outside-base/node_modules/some-pkg/index.js
diff --git a/test/unit/pkg-dir-outside-base/node_modules/some-pkg/package.json b/test/unit/pkg-dir-outside-base/node_modules/some-pkg/package.json
diff --git a/test/unit/pkg-dir-outside-base/output.js b/test/unit/pkg-dir-outside-base/output.js
@@ -0,0 +1,6 @@
+[
+  "package.json",
+  "test/unit/pkg-dir-outside-base/input.js",
+  "test/unit/pkg-dir-outside-base/node_modules/some-pkg/index.js",
+  "test/unit/pkg-dir-outside-base/node_modules/some-pkg/package.json"
+]
diff --git a/test/unit/pkg-dir-outside-base/secret-dir/secret.txt b/test/unit/pkg-dir-outside-base/secret-dir/secret.txt
@@ -0,0 +1 @@
+secret
diff --git a/test/unit/pkg-file-outside-base/.gitignore b/test/unit/pkg-file-outside-base/.gitignore
@@ -0,0 +1 @@
+!node_modules 
diff --git a/test/unit/pkg-file-outside-base/input.js b/test/unit/pkg-file-outside-base/input.js
@@ -0,0 +1 @@
+require('some-pkg');
diff --git a/test/unit/pkg-file-outside-base/node_modules/some-pkg/index.js b/test/unit/pkg-file-outside-base/node_modules/some-pkg/index.js
diff --git a/test/unit/pkg-file-outside-base/node_modules/some-pkg/package.json b/test/unit/pkg-file-outside-base/node_modules/some-pkg/package.json
diff --git a/test/unit/pkg-file-outside-base/output.js b/test/unit/pkg-file-outside-base/output.js
@@ -0,0 +1,6 @@
+[
+  "package.json",
+  "test/unit/pkg-file-outside-base/input.js",
+  "test/unit/pkg-file-outside-base/node_modules/some-pkg/index.js",
+  "test/unit/pkg-file-outside-base/node_modules/some-pkg/package.json"
+]
diff --git a/test/unit/pkg-file-outside-base/secret.txt b/test/unit/pkg-file-outside-base/secret.txt
@@ -0,0 +1 @@
+secret content
