Skip to content

fix(core): avoid string-built CJS runner wrapper#7485

Merged
chenjiahan merged 1 commit intomainfrom
chenjiahan/fix-codeql-cjs-runner
Apr 13, 2026
Merged

fix(core): avoid string-built CJS runner wrapper#7485
chenjiahan merged 1 commit intomainfrom
chenjiahan/fix-codeql-cjs-runner

Conversation

@chenjiahan
Copy link
Copy Markdown
Member

@chenjiahan chenjiahan commented Apr 13, 2026

Summary

  • replace the CJS runner wrapper string construction with vm.compileFunction when executing bundle output
  • keep the existing CommonJS module scope and dynamic import() behavior while avoiding the CodeQL js/bad-code-sanitization pattern

Related Links

Copilot AI review requested due to automatic review settings April 13, 2026 04:02
gemini-code-assist[bot]
gemini-code-assist bot reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the CommonJsRunner to use vm.compileFunction instead of manually wrapping code in a function string and executing it via vm.runInThisContext. This change simplifies the execution logic and removes the need for manual line and column offsets. A review comment highlights a potential compatibility issue, noting that vm.compileFunction with the importModuleDynamically option requires Node.js 16.12.0 or higher, which is more restrictive than the previous implementation and could cause runtime errors in older environments.

Comment thread packages/core/src/server/runner/cjs.ts
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR updates the CommonJS bundle execution path to avoid constructing a wrapper function via string concatenation, switching to vm.compileFunction to satisfy CodeQL’s js/bad-code-sanitization guidance while preserving existing module scoping and dynamic import() behavior.

Changes:

  • Replace string-built (function(...) { ... }) wrapper + vm.runInThisContext with vm.compileFunction.
  • Adjust preExecute to run on the raw bundle content (no wrapper prefix).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/core/src/server/runner/cjs.ts
@chenjiahan chenjiahan merged commit 9c479d2 into main Apr 13, 2026
10 checks passed
@chenjiahan chenjiahan deleted the chenjiahan/fix-codeql-cjs-runner branch April 13, 2026 05:38
@chenjiahan chenjiahan mentioned this pull request Apr 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

release: bug fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chenjiahan