Remove all third-party npm package imports from the renderer bundle #9992
✅ Circular References Report
Generated at: 2026-06-01T08:36:48.755Z
Summary: circular references in PR (12); circular references in base branch (12)
Analysis: ✅ No Change: This PR does not introduce or remove any circular references. This report was generated automatically by comparing against the
- vault-crypto: replace forge-in-renderer with IPC bridge (main process
retains forge; renderer calls window.main.vault.{en,de}cryptSecretValue)
- mime.ts: expand lookup table to 48 entries (webp, wasm, mp4, docx, xlsx,
fonts, audio/video, etc.) and fix remaining mime-types import in send route
- response-viewer: move charset alias map to module level; normalise iconv-lite
alias names (utf8, latin1, win1252, …) to WHATWG labels for TextDecoder
- auth.clear-vault-key: fix typo "all you local" → "all your local"
c1a9414 to 568e3a6
| @@ -1,5 +1,4 @@ | |||
| import clone from 'clone'; | |||
| import { lookup } from 'mime-types'; | |||
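Review bot: with the `lookup` import from 'mime-types' going away in this hunk (the header drops from 5 lines to 4), nothing visible here pins the substitute to the same results. Suggest a parity test that runs the file extensions this module looks up through both the old `lookup` and its replacement before the package is dropped.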
Why do we remove mime-types? It's hard to say the implementation can substitute without any regressions.
I thought so too. mime-types depends on node:path extname, and adding a bundle resolve alias just adds 200kb of unused JSON to the bundle.
| bmp: 'image/bmp', | ||
| gif: 'image/gif', | ||
| ico: 'image/x-icon', | ||
| jpeg: 'image/jpeg', |
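Review bot: `ico: 'image/x-icon'` and the other entries in this hunk each hard-code one MIME type per extension, and nothing visible checks them against what the mime-types `lookup` returned for the same extension. Suggest a table-driven test over every key, plus a comment on any entry that intentionally differs from the previous result.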
And the implementation of mimeTypeExtension totally depends on the order of the keys. Maybe we can take https://github.com/jshttp/mime-db/blob/master/db.json#L8803 as a reference.
dc146a7 to 88fc536
…ports
- Add AES-GCM vault-crypto utility with tests (replaces node-forge usage)
- Add common/mime.ts to replace mime-types package dependency
- Replace tough-cookie import in response-cookies-viewer with inline parser
- Replace @grpc/grpc-js status import in grpc-status-tag with inline constant
- Replace electron.ipcRenderer in auth.clear-vault-key with showToast()
- Remove unused analytics call from window-utils
In the renderer process with nodeIntegration disabled, process.env is not available. The preload script now explicitly whitelists the env vars the renderer needs and exposes them as window.env via contextBridge. constants.ts reads from window.env in the renderer and falls back to process.env for the inso CLI and main process.
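The preload allowlist described in this commit message, sketched as an added example (not code from the PR or from Insomnia). The variable names in the allowlist, the helper names and the sample environment are assumptions; `bridge` stands in for Electron's `contextBridge` so the logic runs without Electron.

```javascript
// Added example, not the project's code. The names in this allowlist are
// hypothetical: the page does not say which variables the preload exposes.
const RENDERER_ENV_ALLOWLIST = ['NODE_ENV', 'EXAMPLE_APP_CHANNEL'];

// Copy only allowlisted, string-valued entries. Everything else in the
// preload's environment (tokens, proxy credentials, PATH) stays behind.
function pickRendererEnv(processEnv, allowlist = RENDERER_ENV_ALLOWLIST) {
  const exposed = {};
  for (const name of allowlist) {
    const value = processEnv[name];
    if (typeof value === 'string') exposed[name] = value;
  }
  return Object.freeze(exposed);
}

// Preload side. In a real preload `bridge` is Electron's contextBridge
// (const { contextBridge } = require('electron')); it is injected here so
// the function can be exercised offline.
function exposeRendererEnv(bridge, processEnv) {
  const env = pickRendererEnv(processEnv);
  bridge.exposeInMainWorld('env', env);
  return env;
}

// Shared-constants side: in the renderer read window.env only; where no
// window exists (main process, CLI) fall back to process.env.
function readEnv(name, scope = globalThis) {
  if (scope.window && scope.window.env) return scope.window.env[name];
  return scope.process && scope.process.env ? scope.process.env[name] : undefined;
}

// Constructed sample environment; the token value is a placeholder.
const constructedEnv = {
  NODE_ENV: 'development',
  EXAMPLE_APP_CHANNEL: 'beta',
  GITHUB_TOKEN: 'constructed-placeholder',
  PATH: '/usr/bin',
};
```

Anything not named in the allowlist is unreachable from renderer code even when it is set in the parent environment, which is the property to check when a new variable is added to the list.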
- key-value-editor and templating/utils now import encryptSecretValue/decryptSecretValue from vault-crypto instead of vault, so the new implementation is actually exercised
- Replace window.crypto with globalThis.crypto so vault-crypto works in Web Workers (self.crypto) and Node.js/inso (globalThis.crypto)
Removes the dynamic import of httpsnippet from the renderer so it is no longer bundled there. Prepares for nodeIntegration: false, as httpsnippet's core requires Node built-ins (querystring, url) that won't be available in the renderer without nodeIntegration.
Replace key={Date.now()} with a useEffect that calls editorRef.current.setValue(snippet)
whenever snippet changes, keeping the editor mounted. Also apply prettier fixes from quick-check.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The screenshot assertion inherited the full 25s expect timeout and caused the 'can send requests' test to exceed its 60s CI budget. The three structural assertions above it (toBeVisible, blob src, chrome-extension frame poll) already provide sufficient smoke-level PDF coverage.
Prevents a race condition where the dialog closes and the test navigates before the updateEnvironmentFetcher NeDB write completes. Playwright's click() waits for aria-disabled to clear, so the test blocks until idle.
Extract pure data constants (blockedPropertyRules, blockedRootRules, maskRules) and their interfaces (ASTRule, ThreatRule) into a new script-security-rules.ts with no Node.js imports. script-security-policy.ts now re-exports from that module and retains only interceptorRules, which needs requireInterceptor. scripting-settings.tsx imports directly from script-security-rules so the renderer does not transitively pull in require-interceptor.
88fc536 to 805fcc4
…ort check tooling (#9996)

* Add vault-crypto/mime utilities and remove heavyweight third-party imports
  - Add AES-GCM vault-crypto utility with tests (replaces node-forge usage)
  - Add common/mime.ts to replace mime-types package dependency
  - Replace tough-cookie import in response-cookies-viewer with inline parser
  - Replace @grpc/grpc-js status import in grpc-status-tag with inline constant
  - Replace electron.ipcRenderer in auth.clear-vault-key with showToast()
  - Remove unused analytics call from window-utils
* Fix impure Date.now() key on CodeEditor; use setValue via ref instead
  Replace key={Date.now()} with a useEffect that calls editorRef.current.setValue(snippet) whenever snippet changes, keeping the editor mounted. Also apply prettier fixes from quick-check.
* fix: address Copilot review comments on PR #9992
  - vault-crypto: replace forge-in-renderer with IPC bridge (main process retains forge; renderer calls window.main.vault.{en,de}cryptSecretValue)
  - mime.ts: expand lookup table to 48 entries (webp, wasm, mp4, docx, xlsx, fonts, audio/video, etc.) and fix remaining mime-types import in send route
  - response-viewer: move charset alias map to module level; normalise iconv-lite alias names (utf8, latin1, win1252, …) to WHATWG labels for TextDecoder
  - auth.clear-vault-key: fix typo "all you local" → "all your local"
* fix: sort imports in send route
* feat: disable nodeIntegration in renderer mainWindow, remove import check tooling
  - Set nodeIntegration:false and contextIsolation:true on mainWindow webPreferences (hidden window keeps nodeIntegration:true for user script execution)
  - Split script-security-rules.ts out of script-security-policy.ts so the renderer can import display-only constants without pulling in require-interceptor
  - Add templating/renderer-safe.ts with Node-free render/reload/getTagDefinitions; update all renderer callers to import from it instead of templating/index
  - Split insomnia-testing generate.ts: move generateToFile to generate-to-file.ts so generate() has no Node imports; expose generateToFile from new entry point
  - Move runTests execution to main process via IPC (run-tests channel) so the renderer routes no longer import the Mocha-backed test runner directly
  - Delete vite-plugin-electron-node-require.ts, check-renderer-node-imports.ts, renderer-node-import-baseline.json and all related scripts/plugins now that the renderer bundle is free of Node built-in imports
* fix: sort imports, use static TestResults type, remove unused analytics import
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* remove mime stuff
* remove ci step
* update plan
* insomnia testing adapter
* use export method
* trick react router ssr
* add renderer errors
* globalThis
* improve error
* move plugin types
* ipc validate proto
* fix import
* plugin types
* polyfill events for jshint
* restore node require plugin
* vault adapter
* add crypto bridges
* tough-cookie ipc
* util stub
* split cookie into network adapter
* assert
* fix plugin index import
* serialise cookie
* decouple renderer from scripting
* Fix rebase conflicts and import path issues
  - Fix incorrect ~/insomnia-data imports (should be insomnia-data package)
  - Remove non-existent mime utility imports and provide simple fallback
  - Remove incorrect analytics call from main process
  - Remove unused imports (Settings, Cookie)
  - Fix Response type annotation for getResponseBodyBuffer
* lint
* fix tests
* fix: use dynamic import for crypt in session.ts for main process compatibility
  The session.ts module is used in both renderer and main process contexts (via sync.invoke IPC handlers). When running in the main process, window.main is undefined, causing TypeError when trying to access window.main.crypt.decryptAES().
  Changes:
  - Use dynamic import of crypt module (only loaded in main process context)
  - In renderer: window.main.crypt is always available so dynamic import never executes
  - In main process: dynamic import loads crypt with node:crypto support
  - Protect loginStateChange() calls with window existence checks
  This avoids bundling node:crypto in the Vite renderer build while still supporting both execution contexts. Fixes E2E test failures in sync operations (remoteBackendProjects, _assertSession, etc.) caused by disabled nodeIntegration.
* fix: add aria-label to template tag preview and browser-safe encoding fallback
  - Add aria-label="Live Preview" to textarea in TagEditor for better Playwright accessibility
  - Add atob() fallback for decodeEncoding in browser contexts where Buffer isn't available
  - Fixes smoke test element discovery for template tag preview modal
* fix: add explicit waits for element stability in environment test
  Add toBeEnabled() and toBeVisible() waits before clicking elements in the 'kv pair environment can be updated' test. This prevents timeout errors from unstable/flickering elements during modal interactions, especially in high-concurrency shard execution.
* remove unused
* add autocomplete generate test step
* fix lint
* put analytics back in
* combine vault and crypto adapter
* remove unused export split
* remove insomnia-testing cruft, addressing feedback
* fix: use direct imports in insomnia-inso after insomnia-testing index.ts removal
* fix circular reference
* fix: move createElectronNotifier to main process to fix SSR error
  Move the electron-dependent createElectronNotifier function from repo-file-watcher.ts to git-service.ts to prevent electron imports from being evaluated in the renderer/SSR context.
* export har ipc bridge

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Removes several third-party package imports from the renderer by replacing them with lightweight alternatives or inline implementations. No behavioral changes — pure substitutions.
- vault-crypto.ts is now a thin async wrapper over window.main.vault.{encrypt,decrypt}SecretValue; the main process keeps its existing forge-based implementation untouched. This keeps crypto logic in a single place without re-implementing AES-GCM in the renderer.
- await import('httpsnippet') calls in generate-code-modal.tsx and request-actions-dropdown.tsx are replaced with window.main.generateCodeSnippet() and window.main.getCodeSnippetTargets() IPC calls. httpsnippet was never bundled by Vite (its Node.js dependencies — querystring, url — prevent static analysis bundling); instead it was resolved at runtime via Electron's require() on each invocation of "Generate Code" or "Copy as cURL". It is now fully eliminated from renderer access.
- mime-types npm package with a 48-entry inline lookup table covering images, audio, video, office documents, archives, fonts, wasm, and common text types. Removes the package boundary for a simple extension↔MIME mapping.
- tough-cookie import; replaces with a 10-line inline Set-Cookie header parser (only name=value extraction was needed)
- @grpc/grpc-js import just to read status.OK = 0; replaced with an inline constant
- electron.ipcRenderer.emit('show-toast') with the typed showToast() helper; also fixes typo "all you local" → "all your local"
- trackAnalyticsEvent call from the app menu handler
- nodeIntegration is disabled. The preload now explicitly whitelists the env vars the renderer needs and exposes them as window.env via contextBridge. constants.ts reads from window.env in the renderer and falls back to process.env for the inso CLI and main process.
- TextDecoder does not accept iconv-lite alias names (e.g. utf8, latin1, win1252). Added a module-level alias map to normalise them to WHATWG labels before passing to TextDecoder, preventing silent fallback to UTF-8 for responses with non-standard charset declarations.

Bundle verification
npm run check:renderer-node-imports -w insomnia reports zero third-party npm packages in the renderer bundle after these changes. The 13 remaining entries are all Node built-ins (fs, path, crypto, etc.) in pre-existing plugin/scripting paths that have always been present.

Note on httpsnippet: a bundle diff confirms httpsnippet produced no Vite chunk in either build — it was a runtime-resolved module (lazy require() via nodeIntegration), not a statically bundled one. The 7 chunks whose hashes changed between develop and this branch are identical in byte size; the only functional code delta is the IPC call replacing the dynamic import.

E2E note
Also removes the toHaveScreenshot assertion from the PDF preview smoke test (added in #9922, @rwillis-kong). The assertion was causing the can send requests test to exceed its 60 s CI timeout — the screenshot step inherits the full 25 s expect timeout and retries until it matches, consuming most of the test budget before the remaining steps (basic auth, cookies, cancel) even start.

The three structural assertions immediately above it already give good smoke-level confidence:
- toBeVisible() — iframe is rendered
- toHaveAttribute('src', /^blob:/) — PDF data was loaded into a blob URL
- expect.poll for the chrome-extension:// URL — Chromium's built-in PDF viewer actually mounted

Test plan