fix: emit relative imports in dist (drop self-referential @/ alias) #16
Merged
assess() detection was jsdom-verified only — and jsdom has no Worker, so the DevTools debugger detector and real-engine timing/navigator behaviour were never exercised. A browser update could silently turn a detector into a false negative without CI noticing. Add an e2e/ Playwright package: a Vite-built fixture loads Shield's source and exposes assess() on window; the spec drives it via page.evaluate and asserts result shape, that the shield.automation.webdriver signal mirrors the live navigator.webdriver, that a forced extension signature composes risk -> flags -> spanAttributes end-to-end, and that a clean session stays lean. This exercises the Worker-based DevTools debugger detector jsdom cannot run. CI runs Chromium + Firefox on ubuntu and WebKit on macos-latest (Playwright WebKit throws an internal error on Linux regardless of the static server, so it is gated off Linux and verified natively on macOS — the engine where timing heuristics diverge most). 8/8 green on Chromium + Firefox locally.
dist/otel.js imported '@/core/index.js' and '@/types/index.js' — shield's internal TypeScript path alias, which tsc does not rewrite to a relative path on emit. Any consumer bundling shield without replicating the alias (Webpack/Next, Vite, …) failed with 'Module not found: Can't resolve @/core/index.js', breaking attachShieldToSpan on import. src/otel.ts was the only file using the alias; it now imports relatively, so dist/ is alias-free. Verified: clean build, no '@/' left in dist, 372 tests green. Surfaced while wiring shield into the tindalabs.dev static build.
The bug

@tindalabs/shield's published dist/otel.js imported its internal path alias:

tsc does not rewrite paths aliases (@/* → src/*) to relative paths on emit, so the alias leaked into the shipped package. Any consumer bundling shield without replicating that alias — Webpack/Next, Vite, esbuild, etc. — fails on import of attachShieldToSpan:

This breaks the OTel entry point for the common bundler case. (assess()/ContentProtector happen not to traverse otel.ts, which is why it wasn't caught earlier.)

The fix

src/otel.ts was the only file using the alias. It now imports relatively:

So dist/ is alias-free with no new build tooling.

Verification

tsc build; grep "from '@/'" dist → nothing. dist/otel.js now imports ./core/index.js.

Surfaced while wiring shield into the tindalabs.dev static build (Next/Webpack), where it was a hard build failure. CHANGELOG updated — this is a consumer-visible fix, so it warrants a 0.1.1 patch.
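The grep from the verification step, generalized as an added example (not code from this PR or from shield): a checker that reports any import specifier in emitted files that still starts with the '@/' alias, covering export-from, dynamic import() and require() as well as plain imports. The function names, the alias prefix list and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: flag TypeScript path-alias specifiers left in emitted JS.
// ALIAS_PREFIXES is an assumption; '@/' is the alias named in the PR.
const ALIAS_PREFIXES = ['@/'];

// Captures the specifier of: import/export ... from 'x', import 'x',
// import('x') and require('x'). Line-based, so a match inside a comment or
// string literal is reported too; treat a hit as "inspect this line".
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*|\bimport\s+)(['"])([^'"\n]+)\1/g;

function findAliasImports(source, prefixes = ALIAS_PREFIXES) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(SPECIFIER_RE)) {
      // '@/core' is an alias; '@scope/pkg' is a real package and must pass.
      if (prefixes.some((p) => m[2].startsWith(p))) {
        hits.push({ line: i + 1, specifier: m[2] });
      }
    }
  });
  return hits;
}

// Walk a build directory (recursive readdir needs Node 20+) and collect hits
// from emitted JS and declaration files.
async function scanDist(dir) {
  const { readdir, readFile } = await import('node:fs/promises');
  const report = [];
  for (const rel of await readdir(dir, { recursive: true })) {
    if (!/\.(?:[cm]?js|d\.[cm]?ts)$/.test(rel)) continue;
    const source = await readFile(`${dir}/${rel}`, 'utf8');
    for (const hit of findAliasImports(source)) report.push({ file: rel, ...hit });
  }
  return report;
}

// Constructed sample standing in for an emitted dist/otel.js (not the real file).
const SAMPLE_DIST_FILE = [
  "import { trace } from '@opentelemetry/api';",
  "import { assess } from '@/core/index.js';",
  "export * from '@/types/index.js';",
  "import { attach } from './core/index.js';",
].join('\n');

// Prints the two alias imports on lines 2 and 3 of the sample.
console.log(findAliasImports(SAMPLE_DIST_FILE));
```

In CI, call scanDist('dist') after the build and fail the job when it returns any entries, so a leaked alias is caught before publish rather than by a consumer's bundler.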