feat: US-182 - Add bcryptjs project-matrix fixture

Author: NathanFlurry

docs/nodejs-compatibility.mdx

@@ -79,6 +79,7 @@ The [project-matrix test suite](https://github.com/rivet-dev/secure-exec/tree/ma
 | [drizzle-orm](https://npmjs.com/package/drizzle-orm) | Database | ORM schema definition, query building, ESM module graph |
 | [ws](https://npmjs.com/package/ws) | Networking | WebSocket client/server, HTTP upgrade, events |
 | [jsonwebtoken](https://npmjs.com/package/jsonwebtoken) | Crypto | JWT signing (HS256), verification, decode |
+| [bcryptjs](https://npmjs.com/package/bcryptjs) | Crypto | Pure JS password hashing and verification |
 | [zod](https://npmjs.com/package/zod) | Validation | Schema definition, parsing, safe parse, transforms |
 | [rivetkit](https://npmjs.com/package/rivetkit) | SDK | Local vendor package resolution |
 | crypto (builtin) | Crypto | `crypto.randomBytes`, `randomUUID`, `getRandomValues` |

packages/secure-exec-core/isolate-runtime/src/inject/apply-timing-mitigation-freeze.ts

@@ -9,12 +9,12 @@ const __frozenTimeMs =
 		: Date.now();
 const __frozenDateNow = () => __frozenTimeMs;
 
-// Freeze Date.now — non-configurable + non-writable prevents sandbox override
+// Freeze Date.now — getter always returns frozen fn, setter silently ignores
 try {
 	Object.defineProperty(Date, "now", {
-		value: __frozenDateNow,
+		get: () => __frozenDateNow,
+		set: () => {},
 		configurable: false,
-		writable: false,
 	});
 } catch {
 	Date.now = __frozenDateNow;
@@ -45,11 +45,11 @@ Object.defineProperty(__FrozenDate, "prototype", {
 __FrozenDate.now = __frozenDateNow;
 __FrozenDate.parse = __OrigDate.parse;
 __FrozenDate.UTC = __OrigDate.UTC;
-// Lock Date.now on the replacement constructor too
+// Lock Date.now on the replacement constructor — getter/setter silently ignores writes
 Object.defineProperty(__FrozenDate, "now", {
-	value: __frozenDateNow,
+	get: () => __frozenDateNow,
+	set: () => {},
 	configurable: false,
-	writable: false,
 });
 try {
 	Object.defineProperty(globalThis, "Date", {

packages/secure-exec-core/src/generated/isolate-runtime.ts

@@ -0,0 +1,4 @@
+{
+	"entry": "src/index.js",
+	"expectation": "pass"
+}

packages/secure-exec/tests/projects/bcryptjs-pass/fixture.json

@@ -0,0 +1,8 @@
+{
+	"name": "project-matrix-bcryptjs-pass",
+	"private": true,
+	"type": "commonjs",
+	"dependencies": {
+		"bcryptjs": "2.4.3"
+	}
+}

packages/secure-exec/tests/projects/bcryptjs-pass/package.json

@@ -0,0 +1,26 @@
+"use strict";
+
+const bcrypt = require("bcryptjs");
+
+// Hash a password with explicit salt rounds
+const password = "testPassword123";
+const salt = bcrypt.genSaltSync(4);
+const hash = bcrypt.hashSync(password, salt);
+
+// Verify correct password
+const correctMatch = bcrypt.compareSync(password, hash);
+
+// Verify wrong password
+const wrongMatch = bcrypt.compareSync("wrongPassword", hash);
+
+// Hash format validation
+const isValidHash = hash.startsWith("$2a$04$") && hash.length === 60;
+
+const result = {
+	hashLength: hash.length,
+	correctMatch,
+	wrongMatch,
+	isValidHash,
+};
+
+console.log(JSON.stringify(result));

packages/secure-exec/tests/projects/bcryptjs-pass/pnpm-lock.yaml

@@ -1183,7 +1183,9 @@ describe("NodeRuntime", () => {
 	it("Date.now cannot be overridden by sandbox code", async () => {
 		proc = createTestNodeRuntime();
 		const result = await proc.run(`
-      // Strict mode makes assignment to non-writable throw TypeError
+      const frozenBefore = Date.now();
+
+      // Assignment is silently ignored (setter is a no-op for Node.js compat)
       let assignThrew = false;
       try {
         (function() { 'use strict'; Date.now = () => 999; })();
@@ -1204,11 +1206,11 @@ describe("NodeRuntime", () => {
       module.exports = {
         assignThrew,
         defineThrew,
-        stillFrozen: Date.now() === Date.now(),
+        stillFrozen: Date.now() === frozenBefore,
       };
     `);
 		expect(result.exports).toEqual({
-			assignThrew: true,
+			assignThrew: false,
 			defineThrew: true,
 			stillFrozen: true,
 		});