Remove all third-party npm package imports from the renderer bundle #9992
- vault-crypto: replace forge-in-renderer with IPC bridge (main process
retains forge; renderer calls window.main.vault.{en,de}cryptSecretValue)
- mime.ts: expand lookup table to 48 entries (webp, wasm, mp4, docx, xlsx,
fonts, audio/video, etc.) and fix remaining mime-types import in send route
- response-viewer: move charset alias map to module level; normalise iconv-lite
alias names (utf8, latin1, win1252, …) to WHATWG labels for TextDecoder
- auth.clear-vault-key: fix typo "all you local" → "all your local"
| @@ -1,5 +1,4 @@ | |||
| import clone from 'clone'; | |||
| import { lookup } from 'mime-types'; | |||
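Review bot: the import of lookup from 'mime-types' on the last line of this hunk goes away (the header shrinks the range from 5 lines to 4), and nothing in the hunk shows what the file's lookup call sites use instead. Please confirm the replacement keeps the same contract, in particular returning false for an unknown extension as mime-types does, and add a test on this module that pins the type chosen for each extension it actually handles.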
Why do we remove mime-types? It's hard to say the implementation can substitute without any regressions.
I thought so too, mime-types depends on node:path extname, and adding a bundle resolve alias just adds 200kb of unused JSON to the bundle.
| bmp: 'image/bmp', | ||
| gif: 'image/gif', | ||
| ico: 'image/x-icon', | ||
| jpeg: 'image/jpeg', |
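Review bot: the values in these entries, for example ico: 'image/x-icon', are typed in by hand and nothing here ties them to what mime-types returned for the same extension. Add a table-driven test that compares every key against the previous package's output, so a differing type shows up as a failing case rather than as a changed Content-Type at runtime.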
And the implementation of mimeTypeExtension totally depends on the order of the keys. Maybe we can take https://github.com/jshttp/mime-db/blob/master/db.json#L8803 as a reference.
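One way to make the reverse lookup raised in the review comment above independent of key order, as an added example that is not the PR's code. `EXT_TO_MIME`, `PREFERRED_EXT` and `ambiguousTypes` are hypothetical names, the table is a constructed subset, and `lookup` / `mimeTypeExtension` only borrow the names used in this thread.

```typescript
// Added example, not the PR's code. The table is a constructed subset.
// A Map (not an object literal) keeps inputs such as "constructor" from
// resolving to inherited Object.prototype members.
const EXT_TO_MIME = new Map<string, string>([
  ['jpg', 'image/jpeg'], // deliberately listed before "jpeg"
  ['jpeg', 'image/jpeg'],
  ['png', 'image/png'],
  ['gif', 'image/gif'],
  ['htm', 'text/html'],
  ['html', 'text/html'],
  ['json', 'application/json'],
]);

// Explicit canonical extension for every type that has more than one.
const PREFERRED_EXT = new Map<string, string>([
  ['image/jpeg', 'jpeg'],
  ['text/html', 'html'],
]);

// Extension -> type. Accepts a bare extension or a file name/path and
// returns false for anything that is not in the table.
function lookup(pathOrExt: string): string | false {
  const base = pathOrExt.slice(pathOrExt.lastIndexOf('/') + 1);
  const ext = base.slice(base.lastIndexOf('.') + 1).toLowerCase();
  return EXT_TO_MIME.get(ext) ?? false;
}

// Type -> extension. Parameters ("; charset=...") are ignored. A type with
// several extensions and no declared preference yields false, never "first key".
function mimeTypeExtension(contentType: string): string | false {
  const [first = ''] = contentType.split(';');
  const type = first.trim().toLowerCase();
  const preferred = PREFERRED_EXT.get(type);
  if (preferred !== undefined) return preferred;
  const matches = [...EXT_TO_MIME].filter(([, mime]) => mime === type);
  const only = matches.length === 1 ? matches[0] : undefined;
  return only ? only[0] : false;
}

// Self-check for a unit test: types reachable from more than one extension
// whose preferred extension is missing or does not map back to that type.
function ambiguousTypes(): string[] {
  const counts = new Map<string, number>();
  for (const mime of EXT_TO_MIME.values()) counts.set(mime, (counts.get(mime) ?? 0) + 1);
  return [...counts]
    .filter(([mime, n]) => n > 1 && EXT_TO_MIME.get(PREFERRED_EXT.get(mime) ?? '') !== mime)
    .map(([mime]) => mime);
}
```

Asserting that `ambiguousTypes()` is empty in the test suite turns a forgotten preference into a failing test when the table grows.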
…ports
- Add AES-GCM vault-crypto utility with tests (replaces node-forge usage)
- Add common/mime.ts to replace mime-types package dependency
- Replace tough-cookie import in response-cookies-viewer with inline parser
- Replace @grpc/grpc-js status import in grpc-status-tag with inline constant
- Replace electron.ipcRenderer in auth.clear-vault-key with showToast()
- Remove unused analytics call from window-utils
In the renderer process with nodeIntegration disabled, process.env is not available. The preload script now explicitly whitelists the env vars the renderer needs and exposes them as window.env via contextBridge. constants.ts reads from window.env in the renderer and falls back to process.env for the inso CLI and main process.
- key-value-editor and templating/utils now import encryptSecretValue/decryptSecretValue from vault-crypto instead of vault, so the new implementation is actually exercised
- Replace window.crypto with globalThis.crypto so vault-crypto works in Web Workers (self.crypto) and Node.js/inso (globalThis.crypto)
Removes the dynamic import of httpsnippet from the renderer so it is no longer bundled there. Prepares for nodeIntegration: false, as httpsnippet's core requires Node built-ins (querystring, url) that won't be available in the renderer without nodeIntegration.
Replace key={Date.now()} with a useEffect that calls editorRef.current.setValue(snippet)
whenever snippet changes, keeping the editor mounted. Also apply prettier fixes from quick-check.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The screenshot assertion inherited the full 25s expect timeout and caused the 'can send requests' test to exceed its 60s CI budget. The three structural assertions above it (toBeVisible, blob src, chrome-extension frame poll) already provide sufficient smoke-level PDF coverage.
Prevents a race condition where the dialog closes and the test navigates before the updateEnvironmentFetcher NeDB write completes. Playwright's click() waits for aria-disabled to clear, so the test blocks until idle.
Extract pure data constants (blockedPropertyRules, blockedRootRules, maskRules) and their interfaces (ASTRule, ThreatRule) into a new script-security-rules.ts with no Node.js imports. script-security-policy.ts now re-exports from that module and retains only interceptorRules, which needs requireInterceptor. scripting-settings.tsx imports directly from script-security-rules so the renderer does not transitively pull in require-interceptor.
Summary
Removes several third-party package imports from the renderer by replacing them with lightweight alternatives or inline implementations. No behavioral changes — pure substitutions.
- vault-crypto.ts is now a thin async wrapper over window.main.vault.{encrypt,decrypt}SecretValue; the main process keeps its existing forge-based implementation untouched. This keeps crypto logic in a single place without re-implementing AES-GCM in the renderer.
- await import('httpsnippet') calls in generate-code-modal.tsx and request-actions-dropdown.tsx are replaced with window.main.generateCodeSnippet() and window.main.getCodeSnippetTargets() IPC calls. httpsnippet was never bundled by Vite (its Node.js dependencies — querystring, url — prevent static analysis bundling); instead it was resolved at runtime via Electron's require() on each invocation of "Generate Code" or "Copy as cURL". It is now fully eliminated from renderer access.
- mime-types npm package with a 48-entry inline lookup table covering images, audio, video, office documents, archives, fonts, wasm, and common text types. Removes the package boundary for a simple extension↔MIME mapping.
- tough-cookie import; replaces with a 10-line inline Set-Cookie header parser (only name=value extraction was needed)
- @grpc/grpc-js import just to read status.OK = 0; replaced with an inline constant
- electron.ipcRenderer.emit('show-toast') with the typed showToast() helper; also fixes typo "all you local" → "all your local"
- trackAnalyticsEvent call from the app menu handler
- nodeIntegration is disabled. The preload now explicitly whitelists the env vars the renderer needs and exposes them as window.env via contextBridge. constants.ts reads from window.env in the renderer and falls back to process.env for the inso CLI and main process.
- TextDecoder does not accept iconv-lite alias names (e.g. utf8, latin1, win1252). Added a module-level alias map to normalise them to WHATWG labels before passing to TextDecoder, preventing silent fallback to UTF-8 for responses with non-standard charset declarations.

Bundle verification
npm run check:renderer-node-imports -w insomnia reports zero third-party npm packages in the renderer bundle after these changes. The 13 remaining entries are all Node built-ins (fs, path, crypto, etc.) in pre-existing plugin/scripting paths that have always been present.

Note on httpsnippet: a bundle diff confirms httpsnippet produced no Vite chunk in either build — it was a runtime-resolved module (lazy require() via nodeIntegration), not a statically bundled one. The 7 chunks whose hashes changed between develop and this branch are identical in byte size; the only functional code delta is the IPC call replacing the dynamic import.

E2E note
Also removes the toHaveScreenshot assertion from the PDF preview smoke test (added in #9922, @rwillis-kong). The assertion was causing the can send requests test to exceed its 60 s CI timeout — the screenshot step inherits the full 25 s expect timeout and retries until it matches, consuming most of the test budget before the remaining steps (basic auth, cookies, cancel) even start.

The three structural assertions immediately above it already give good smoke-level confidence:
- toBeVisible() — iframe is rendered
- toHaveAttribute('src', /^blob:/) — PDF data was loaded into a blob URL
- expect.poll for the chrome-extension:// URL — Chromium's built-in PDF viewer actually mounted

Test plan
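The preload allowlist and the window.env / process.env fallback described in the summary, as an added example that is not the PR's code. `RENDERER_ENV_ALLOWLIST`, `buildRendererEnv`, `auditAllowlist` and `readEnv` are hypothetical names, and the variable names and values are constructed.

```typescript
// Added example, not the PR's code. All names and values are constructed.
type EnvSource = Record<string, string | undefined>;
type RendererEnv = Readonly<Record<string, string>>;

const RENDERER_ENV_ALLOWLIST: readonly string[] = ['NODE_ENV', 'APP_API_URL'];

// Constructed stand-in for process.env as the preload script would see it.
const SAMPLE_PROCESS_ENV: EnvSource = {
  NODE_ENV: 'production',
  APP_API_URL: 'https://api.example.test',
  GITHUB_TOKEN: 'constructed-not-a-real-token',
};

// Read an own, string-valued property; inherited members never count.
function ownString(obj: EnvSource, name: string): string | undefined {
  const value = Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
  return typeof value === 'string' ? value : undefined;
}

// Preload side: copy only allowlisted variables and freeze the result so
// the renderer receives a fixed snapshot.
function buildRendererEnv(source: EnvSource, allowlist: readonly string[]): RendererEnv {
  const out: Record<string, string> = {};
  for (const name of allowlist) {
    const value = ownString(source, name);
    if (value !== undefined) out[name] = value;
  }
  return Object.freeze(out);
}
// A real preload would then call Electron's
//   contextBridge.exposeInMainWorld('env', buildRendererEnv(process.env, RENDERER_ENV_ALLOWLIST));

// Review-time check (an assumption of this example, not a rule from the PR):
// flag allowlist entries whose names look like credentials.
function auditAllowlist(allowlist: readonly string[]): string[] {
  return allowlist.filter(name => /TOKEN|SECRET|PASSWORD|KEY/i.test(name));
}

// Shared-module side: when the bridged object exists (renderer) it is the
// only source; the process environment is consulted only where there is no
// bridge (CLI, main process).
function readEnv(name: string, bridged?: RendererEnv, processEnv?: EnvSource): string | undefined {
  const source = bridged !== undefined ? bridged : processEnv;
  return source === undefined ? undefined : ownString(source, name);
}
```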