feat: disable nodeIntegration in renderer mainWindow, remove Node import check tooling #9996
jackkav wants to merge 47 commits into
✨ Circular References Report
Generated at: 2026-06-03T19:27:55.844Z
Summary
✨ Circular References Removed (2)
Analysis
✨ Great Job! This PR removes 2 circular references. Keep up the good work!
This report was generated automatically by comparing against the
299c1f5 to 1d8de98
64cc384 to 9394680
1d8de98 to 418da0f
88fc536 to 805fcc4
9394680 to 94098a5
Rebase + review notes
Rebased onto
Fixes applied (new commit
Pull request overview
This PR completes the renderer Node-integration removal by flipping mainWindow security flags (nodeIntegration off + contextIsolation on), routing unit-test execution through a main-process IPC boundary, and deleting the Vite/node-import migration scaffolding that was previously used to support renderer Node imports.
Changes:
- Disable `nodeIntegration` and enable `contextIsolation` for the renderer main window.
- Move unit-test execution to main via a new `run-tests` IPC handler and expose it in preload.
- Remove renderer Node-import tooling (Vite plugin + reporting scripts/baseline) and replace `mime-types` usage with local MIME helpers in a few call sites.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/insomnia/vite.config.ts | Removes renderer Node-require tooling and Node import detection from the Vite build. |
| packages/insomnia/vite-plugin-electron-node-require.ts | Removes the custom Vite plugin that enabled runtime require() in the renderer. |
| packages/insomnia/src/ui/components/panes/response-pane-utils.ts | Switches response download extension detection to local MIME helpers. |
| packages/insomnia/src/ui/components/editors/body/body-editor.tsx | Switches file-body MIME lookup to local MIME helpers. |
| packages/insomnia/src/routes/organization.$organizationId.project.$projectId.workspace.$workspaceId.test.test-suite.$testSuiteId.test.$testId.run.tsx | Replaces direct runTests usage with window.main.runTests. |
| packages/insomnia/src/routes/organization.$organizationId.project.$projectId.workspace.$workspaceId.test.test-suite.$testSuiteId.run-all-tests.tsx | Replaces direct runTests usage with window.main.runTests. |
| packages/insomnia/src/routes/organization.$organizationId.project.$projectId.workspace.$workspaceId.debug.request.$requestId.send.tsx | Switches mime-types extension helper to local MIME helper. |
| packages/insomnia/src/main/window-utils.ts | Flips webPreferences security flags for the main window. |
| packages/insomnia/src/main/ipc/main.ts | Adds run-tests IPC handler and types it on the renderer bridge API. |
| packages/insomnia/src/main/ipc/electron.ts | Adds run-tests to the typed IPC channel union. |
| packages/insomnia/src/entry.preload.ts | Exposes runTests via window.main using invokeWithNormalizedError. |
| packages/insomnia/src/common/mime.ts | Adds a Node-free MIME mapping helper module for the renderer. |
| packages/insomnia/scripts/check-renderer-node-imports.ts | Removes the node-import baseline check script. |
| packages/insomnia/package.json | Removes renderer node-import analysis scripts (but currently introduces indentation drift). |
| packages/insomnia/config/renderer-node-import-baseline.json | Removes the node-import baseline file. |
| packages/insomnia-testing/src/index.ts | Adjusts exports so generateToFile is split into its own module. |
| packages/insomnia-testing/src/generate/index.ts | Adjusts exports so generateToFile is split into its own module. |
| packages/insomnia-testing/src/generate/generate.ts | Removes Node fs usage from generate() implementation. |
| packages/insomnia-testing/src/generate/generate-to-file.ts | Introduces Node-only generateToFile() implementation. |
| package.json | Removes the top-level renderer node-import script (but currently introduces indentation drift). |
Comments suppressed due to low confidence (1)
packages/insomnia/vite.config.ts:55
`resolve.alias` no longer shims the Node `path` module, but there is still renderer code importing `mime-types` (e.g. `src/ui/components/viewers/response-multipart-viewer.tsx`). `mime-types` depends on `path.extname`, so removing this alias will break the Vite dev server / renderer build with an unresolved `path` builtin unless all renderer `mime-types` usage is removed in the same PR.
'~': path.resolve(__dirname, './src'),
| ipcMainHandle('run-tests', async (_, src: string) => { | ||
| const { runTests } = await import('insomnia-testing'); | ||
| const sendRequest = getSendRequestCallback(); | ||
| return runTests(src, { sendRequest }); | ||
| }); |
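Review bot: The `run-tests` handler discards the event argument (`_`) and hands the renderer-supplied `src` string straight to `runTests`, so anything that can call `window.main.runTests` gets that source processed in the main process. Since this PR turns `nodeIntegration` off on mainWindow to keep the renderer away from Node, check the sender before running (for example, that the call comes from the mainWindow frame) and consider running the suite in a less privileged context than main, or document in the handler why main-process execution of renderer-provided test source is acceptable.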
| try { | ||
| window.localStorage.setItem('insomnia.secretKey', getInsomniaSecretKey() || res); | ||
| const sec = await encodeBase64(kp.secretKey); | ||
| window.localStorage.setItem('insomnia.secretKey', getInsomniaSecretKey() || sec); |
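Review bot: The `setItem('insomnia.secretKey', ...)` call stores the base64 of `kp.secretKey` in renderer `localStorage`, where any script running in the mainWindow origin can read it. With the vault and crypt operations in this PR already moved behind `window.main` IPC, consider keeping this key in the main process too and exposing only the operations that need it. A more descriptive name than `sec` (for example `encodedSecretKey`) would also help at the call site.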
67c8c01 to d047842
| } catch (err) { | ||
| console.warn(`Failed to parse cookie string "${event.target.value}"`, err); | ||
| return; | ||
| console.warn(`Failed to parse cookie string "${str}"`, err); |
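Review bot: The `console.warn` in the `catch` interpolates the raw cookie string (`${str}`) into the message, so a malformed cookie that carries a session value ends up in the devtools console and in any captured logs. Log the error and, at most, the cookie name or the string length instead. The visible lines also show a `return;` next to the `console.warn`; please confirm the early return after a parse failure is still in place.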
990c167 to 2ab0baa
| const isDebug = Boolean(process.env.DEBUG); | ||
| const version = process.env.VERSION || 'dev'; | ||
| // Redirects *.renderer imports to their *.node equivalents for node/CLI builds. | ||
| const rendererToNodePlugin: Plugin = { |
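Review bot: The comment above `rendererToNodePlugin` says that `*.renderer` imports are redirected to `*.node` equivalents but not what happens when a `*.renderer` import has no `*.node` sibling. Make that case a build error that names the import, and state it in the comment, so a node/CLI bundle cannot silently include a renderer implementation that expects `window.main`.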
This is a bit hacky. Should this be handled by the bundler by process.type in the adapter? Why do we need this plugin?
Because that approach is equally hacky, and doesn't help vite determine what not to bundle, because vite only sets type to renderer in prod not dev; there's an explanation in the comment. A better approach might be `window !== undefined`; you are welcome to experiment with this branch to your satisfaction.
I have no preference for the solution. But it should be consistent and not introduce misunderstandings.
Looked into it, inso is hacky, hacks on hacks isn't new.
feb0efb to c9cc29c
…ports
- Add AES-GCM vault-crypto utility with tests (replaces node-forge usage)
- Add common/mime.ts to replace mime-types package dependency
- Replace tough-cookie import in response-cookies-viewer with inline parser
- Replace @grpc/grpc-js status import in grpc-status-tag with inline constant
- Replace electron.ipcRenderer in auth.clear-vault-key with showToast()
- Remove unused analytics call from window-utils
Replace key={Date.now()} with a useEffect that calls editorRef.current.setValue(snippet)
whenever snippet changes, keeping the editor mounted. Also apply prettier fixes from quick-check.
- vault-crypto: replace forge-in-renderer with IPC bridge (main process
retains forge; renderer calls window.main.vault.{en,de}cryptSecretValue)
- mime.ts: expand lookup table to 48 entries (webp, wasm, mp4, docx, xlsx,
fonts, audio/video, etc.) and fix remaining mime-types import in send route
- response-viewer: move charset alias map to module level; normalise iconv-lite
alias names (utf8, latin1, win1252, …) to WHATWG labels for TextDecoder
- auth.clear-vault-key: fix typo "all you local" → "all your local"
…heck tooling
- Set nodeIntegration:false and contextIsolation:true on mainWindow webPreferences (hidden window keeps nodeIntegration:true for user script execution)
- Split script-security-rules.ts out of script-security-policy.ts so the renderer can import display-only constants without pulling in require-interceptor
- Add templating/renderer-safe.ts with Node-free render/reload/getTagDefinitions; update all renderer callers to import from it instead of templating/index
- Split insomnia-testing generate.ts: move generateToFile to generate-to-file.ts so generate() has no Node imports; expose generateToFile from new entry point
- Move runTests execution to main process via IPC (run-tests channel) so the renderer routes no longer import the Mocha-backed test runner directly
- Delete vite-plugin-electron-node-require.ts, check-renderer-node-imports.ts, renderer-node-import-baseline.json and all related scripts/plugins now that the renderer bundle is free of Node built-in imports
…cs import
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix incorrect ~/insomnia-data imports (should be insomnia-data package)
- Remove non-existent mime utility imports and provide simple fallback
- Remove incorrect analytics call from main process
- Remove unused imports (Settings, Cookie)
- Fix Response type annotation for getResponseBodyBuffer
…atibility
The session.ts module is used in both renderer and main process contexts (via sync.invoke IPC handlers). When running in the main process, window.main is undefined, causing TypeError when trying to access window.main.crypt.decryptAES().
Changes:
- Use dynamic import of crypt module (only loaded in main process context)
- In renderer: window.main.crypt is always available so dynamic import never executes
- In main process: dynamic import loads crypt with node:crypto support
- Protect loginStateChange() calls with window existence checks
This avoids bundling node:crypto in the Vite renderer build while still supporting both execution contexts.
Fixes E2E test failures in sync operations (remoteBackendProjects, _assertSession, etc.) caused by disabled nodeIntegration.
… fallback
- Add aria-label="Live Preview" to textarea in TagEditor for better Playwright accessibility
- Add atob() fallback for decodeEncoding in browser contexts where Buffer isn't available
- Fixes smoke test element discovery for template tag preview modal
Add toBeEnabled() and toBeVisible() waits before clicking elements in the 'kv pair environment can be updated' test. This prevents timeout errors from unstable/flickering elements during modal interactions, especially in high-concurrency shard execution.
8bb40e8 to 787cee8
Move the electron-dependent createElectronNotifier function from repo-file-watcher.ts to git-service.ts to prevent electron imports from being evaluated in the renderer/SSR context.
What
Final step in removing `nodeIntegration` from the Electron renderer. Flips `nodeIntegration: false` / `contextIsolation: true` on `mainWindow`, then traces and eliminates every remaining Node-dependent import path from the renderer bundle.

The hidden window that runs pre/post-request scripts keeps `nodeIntegration: true` — that boundary is intentional.

How
Security flag (`window-utils.ts`)
- `nodeIntegration: true → false`, `contextIsolation: false → true` on `mainWindow`

Cookie IPC bridge (`main/ipc/cookies.ts`)
- `tough-cookie` jar logic moved to main process; renderer calls `window.main.cookies.*` via IPC
- `network-adapter.renderer.ts` / `network-adapter.node.ts` split so each side gets the right cookie implementation

HAR export IPC bridge (`main/har.ts`)
- `window.main.har.*` via IPC
- `entry.preload.ts` to renderer

Vault adapter split (`vault-adapter.node.ts` / `vault-adapter.renderer.ts`)
- `node-forge`; renderer calls `window.main.vault.{en,de}cryptSecretValue` via IPC bridge

Script security split (`script-security-rules.ts`)
- `blockedPropertyRules`, `blockedRootRules`, `maskRules`, types) extracted to a new module with zero Node imports
- `script-security-rules` directly; `script-security-policy.ts` keeps only the `requireInterceptor`-dependent logic

Templating renderer-safe surface (`render-adapter.ts`)
- `render`, `reload`, `getTagDefinitions` re-exported without pulling in plugin/Node-heavy `templating/index`

Testing IPC bridge (`main/ipc/main.ts`)
- `insomnia-testing` dynamically imported in main; renderer calls `window.main.runTests(src)`
- `generate-to-file.ts` split from `generate.ts` so `generate()` has zero Node imports

Plugin types extracted (`plugins/types.ts`)

Proto validation IPC (`main/ipc/grpc.ts`)
- `@grpc/proto-loader` validation moved to main process

File watcher notifier split (`git-service.ts`)
- `createElectronNotifier` moved to main process to prevent Electron imports in renderer/SSR context

Code snippet types (`types/code-snippet.ts`)

Remove migration tooling (now redundant)
- `vite-plugin-electron-node-require.ts`, `check-renderer-node-imports.ts`, `renderer-node-import-baseline.json`
- `DetectNodeBuiltinImports` vite plugin and related CI step
- `analyze:renderer-node-imports`, `check:renderer-node-imports`, `update:renderer-node-import-baseline` scripts

Test plan
- `npm run type-check -w insomnia` passes
- `npm run type-check -w insomnia-testing` passes
- `npm run lint -w insomnia` passes
- `require is not defined` errors in renderer devtools
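
A scan for Node-only imports in renderer source, the class of regression that surfaces as `require is not defined` once `nodeIntegration` is off. This is an added example, not the project's script or the removed tooling; the module list, function names and sample sources are constructed for illustration.

```javascript
// Added example; names are hypothetical. Constructed subset of Node-only modules.
const NODE_ONLY = new Set(['fs', 'path', 'os', 'crypto', 'child_process', 'net',
  'tls', 'http', 'https', 'stream', 'module', 'vm', 'worker_threads', 'electron']);

// Blank out comments (newlines kept) but leave string literals intact, so the
// '//' inside a URL string is not treated as a comment.
function blankComments(src) {
  const re = /(['"`])(?:\\[\s\S]|(?!\1)[^\\])*\1|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, m => (/^['"`]/.test(m) ? m : m.replace(/[^\n]/g, ' ')));
}

// Group 1 is non-empty only for type-only clauses; group 3 is the specifier.
const PATTERNS = [
  /\b(?:import|export)\s+(type\s+)?[\w$\s{},*]*?\bfrom\s*(['"])([^'"]+)\2/g,
  /\bimport\s*()(['"])([^'"]+)\2/g, // side-effect import 'x'
  /\b(?:import|require)\s*\(\s*()(['"])([^'"]+)\2\s*\)/g, // import('x'), require('x')
];

function findNodeImports(file, src) {
  const code = blankComments(src);
  const hits = [];
  for (const re of PATTERNS) {
    for (const m of code.matchAll(re)) {
      if (m[1]) continue; // type-only imports are erased at compile time
      const name = m[3].replace(/^node:/, '').split('/')[0]; // fs/promises -> fs
      if (!NODE_ONLY.has(name)) continue;
      const line = code.slice(0, m.index).split('\n').length;
      hits.push({ file, line, specifier: m[3] });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

function scanRenderer(files) {
  return Object.entries(files).flatMap(([file, src]) => findNodeImports(file, src));
}
// Constructed sample sources, not files from the PR.
const SAMPLE = {
  'src/ui/viewer.tsx': [
    "import React from 'react';",
    "import type { Stats } from 'fs';",
    "// import path from 'path';",
    "import { extname } from 'node:path';",
    "const forge = require('node-forge');",
    "const { readFile } = await import('fs/promises');",
  ].join('\n'),
  'src/common/mime.ts': 'export const lookup = ext => TABLE[ext] ?? false;',
};
console.log(scanRenderer(SAMPLE));
```

The regex approach misses computed specifiers and re-exports through local wrapper modules, so treat an empty result as necessary rather than sufficient.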