Skip to content

chore: add CI validation for external package dependencies #11898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
petebacondarwin merged 7 commits into from
Jan 14, 2026
Merged

chore: add CI validation for external package dependencies #11898

petebacondarwin merged 7 commits into from
Jan 14, 2026

Conversation

@petebacondarwin
Copy link
Contributor

@petebacondarwin petebacondarwin commented Jan 13, 2026
edited
Loading

Summary
This PR adds CI validation to ensure packages explicitly declare their external (non-bundled) dependencies, preventing accidental dependency chain poisoning. It also bundles 13 additional dependencies to reduce supply chain risk.

(Opus assisted changes in here but guided and checked by me)

New CI Check
Adds pnpm check:package-deps (runs as part of pnpm check) which validates that:

  • Every non-workspace dependency is listed in EXTERNAL_DEPENDENCIES (in scripts/deps.ts)
  • Every item in EXTERNAL_DEPENDENCIES exists in dependencies or peerDependencies
  • Packages with external dependencies have a scripts/deps.ts file with documented reasons
    This prevents developers from accidentally adding unbundled dependencies without explicit justification.

Dependencies Bundled
Moved 13 dependencies from dependencies to devDependencies so they get bundled:

Package Dependencies Bundled
kv-asset-handler mime
miniflare acorn, acorn-walk, exit-hook, glob-to-regexp, stoppable
@cloudflare/vitest-pool-workers birpc, devalue, get-port, semver
@cloudflare/vite-plugin @remix-run/node-fetch-server, defu, get-port, picocolors, tinyglobby

Remaining External Dependencies
Updated comments to explain why they can't be bundled (not just how they're used):

Package External Deps Reason
miniflare @cspotcode/source-map-support Uses require.resolve() and require.cache manipulation to load fresh instances at runtime
miniflare sharp, workerd Native binaries
miniflare undici, ws, zod Optional native bindings / commonly shared to avoid duplication
miniflare youch dynamically required at runtime for lazy loading of pretty error pages
@cloudflare/vitest-pool-workers esbuild Native binary
@cloudflare/vitest-pool-workers cjs-module-lexer, zod Optional native N-API bindings / commonly shared
@cloudflare/vite-plugin unenv Must be resolved at runtime when bundling user's code
@cloudflare/vite-plugin ws Optional native bindings / commonly shared

Why this matters
When users install our packages, npm/pnpm also installs everything in dependencies. If those dependencies have unpinned transitive dependencies, a malicious actor could publish a compromised version that gets pulled into user installations. By bundling dependencies and validating the allowlist in CI, we control exactly what code ships.

Fixes DEVX-1580

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: CI checks

A picture of a cute animal (not mandatory, but encouraged)

@changeset-bot
Copy link

changeset-bot bot commented Jan 13, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 996466b

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Jan 13, 2026
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 13, 2026
edited
Loading

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@11898

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@11898

miniflare

npm i https://pkg.pr.new/miniflare@11898

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@11898

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@11898

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@11898

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@11898

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@11898

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@11898

wrangler

npm i https://pkg.pr.new/wrangler@11898

commit: 996466b

@petebacondarwin petebacondarwin force-pushed the pbd/ci/devdeps-lint branch 5 times, most recently from 5043293 to 0869349 Compare January 14, 2026 09:14
@petebacondarwin petebacondarwin marked this pull request as ready for review January 14, 2026 09:14
@petebacondarwin petebacondarwin requested a review from a team as a code owner January 14, 2026 09:14
emily-shen
emily-shen reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

@emily-shen emily-shen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we do need a changeset right? On the off chance this breaks something, having something in the changelog saying which dependencies got bundled would be very helpful

@emily-shen
Copy link
Contributor

emily-shen commented Jan 14, 2026

I also can't see any reason why bundling these packages would break anything (and for what its worth, nor can claude), so hopefully we are okay on that front

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Jan 14, 2026
@petebacondarwin
Copy link
Contributor Author

petebacondarwin commented Jan 14, 2026

i think we do need a changeset right? On the off chance this breaks something, having something in the changelog saying which dependencies got bundled would be very helpful

Ah yes! The original PR only added the validation - but now I have actually made changes, we probably should have a changeset.

@petebacondarwin
chore: add CI validation for external package dependencies
8919700 
Add a validation check that ensures packages explicitly declare their
external (non-bundled) dependencies to prevent dependency chain poisoning.

- Add tools/deployments/validate-package-dependencies.ts validation script
- Add check:package-deps npm script and integrate into pnpm check
- Create scripts/deps.ts allowlists for packages with external dependencies:
  - miniflare (12 deps)
  - @cloudflare/vite-plugin (8 deps)
  - @cloudflare/vitest-pool-workers (7 deps)
  - @cloudflare/kv-asset-handler (1 dep)
  - @cloudflare/workers-editor-shared (1 dep)
- Update CONTRIBUTING.md with documentation on managing dependencies
- Add unit tests for the validation logic (22 tests)
@petebacondarwin
fix(kv-asset-handler): bundle mime dependency instead of keeping it e…
1591c05 
…xternal

Move mime from dependencies to devDependencies so it gets bundled into
the distributable. This follows the project's practice of bundling
dependencies to prevent dependency chain poisoning.
@petebacondarwin
fix(miniflare): bundle acorn and acorn-walk dependencies
aa65aa1 
Move acorn and acorn-walk from dependencies to devDependencies so they
get bundled into the distributable. These are pure JavaScript parsing
libraries with no special runtime requirements, so they can be safely
bundled.
@petebacondarwin
chore: bundle more dependencies to reduce supply chain risk
d4b27c4 
Move 13 dependencies from dependencies to devDependencies so they get
bundled into the distributed packages rather than being installed as
transitive dependencies by users.

Packages updated:
- miniflare: bundle exit-hook, glob-to-regexp, stoppable, youch
- @cloudflare/vitest-pool-workers: bundle birpc, devalue, get-port, semver
- @cloudflare/vite-plugin: bundle @remix-run/node-fetch-server, defu,
  get-port, picocolors, tinyglobby

Also updates the EXTERNAL_DEPENDENCIES comments to explain WHY each
remaining dependency cannot be bundled (native binaries, optional native
bindings, runtime resolution needs) rather than just describing how
they are used.
@petebacondarwin
fix(vitest-pool-workers): bundle dependencies that were moved to devD…
6341f73 
…ependencies
@petebacondarwin
chore: add changeset for dependency bundling
1edcf96
@petebacondarwin petebacondarwin merged commit c17e971 into main Jan 14, 2026
36 checks passed
@petebacondarwin petebacondarwin deleted the pbd/ci/devdeps-lint branch January 14, 2026 21:11
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Jan 14, 2026
@workers-devprod workers-devprod mentioned this pull request Jan 14, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emily-shen emily-shen emily-shen approved these changes

Assignees

No one assigned

Labels

no-changeset-required

Projects

workers-sdk
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@petebacondarwin @emily-shen