mirror of
https://github.com/Kong/insomnia.git
synced 2026-06-03 21:55:53 -04:00
* updated plan

* feat: lift network.ts fs/path use behind window.main.timeline IPC bridge

  Removes `node:fs` and `node:path` from the renderer-reachable `src/network/network.ts`. Three timeline-path constructions and two `appendFile` calls are replaced with narrow `window.main.timeline.getPath` (sync IPC) and `window.main.timeline.appendToFile` (async IPC) helpers that live in main, where Node builtins belong.

  Path validation in `appendToTimeline` mirrors `writeResponseBodyToFile`: only paths inside the `responses/` directory ending in `.timeline` are accepted, preventing a compromised renderer from writing arbitrary files.

  Updates `config/renderer-node-import-baseline.json` to remove the two `src/network/network.ts` entries — the baseline shrinks as intended.

  Part of the nodeIntegration: false migration (PR B).

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: address Aikido path-traversal feedback and mock window.main in network tests

  - `getTimelinePath`: use `path.resolve` + `path.relative` check instead of `path.join` to prevent path-traversal attacks (Aikido medium severity finding)
  - `network.test.ts`: add `vi.stubGlobal('window', ...)` mock for `window.main.timeline` so tests don't throw "window is not defined" now that `defaultSendActionRuntime` calls `window.main.timeline.appendToFile`

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: suppress echoServer stdout in playwright config

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: update insomnia-inso logger for consola v3 compatibility

  FancyReporter and BasicReporter were removed in consola v3; LogLevel became a type-only export and the runtime enum is now LogLevels. Replace with createConsola + a local BasicReporter shim, and import LogLevels in cli.ts.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: address timeline IPC review concerns

  - Convert timeline.getPath from sendSync to invoke (async) to avoid blocking the renderer thread; path construction has no I/O
  - Extract getResponsesDir() shared helper so both getTimelinePath and appendToTimeline read the same source of truth, eliminating env-drift between the two calls
  - Guard mkdir with a Set so the responses directory is only created once per process rather than on every appendFile call

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: upgrade consola to v3 and fix type/import issues in insomnia-inso

  - Bump consola from ^2.15.3 to ^3.4.2 to match logger.ts which already used v3 API (createConsola)
  - Fix logType → LogType (renamed in v3)
  - Remove fancy option (removed in v3 ConsolaOptions)
  - Use ConsolaInstance instead of Consola in result-report.ts so .log() resolves correctly
  - Fix import sort in cli.ts

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: restore Node.js-safe fallbacks in network.ts for inso CLI

  The timeline IPC bridge introduced window.main.timeline calls without guarding against the inso CLI context where window is not defined. The electron shim (aliased in the inso bundle) provides app.getPath as a fallback, matching the pre-bridge behaviour.

  - getTimelinePath: check typeof window before using IPC; fall back to the electron shim path (os.tmpdir()/insomnia-send-request/responses)
  - defaultSendActionRuntime.appendTimeline: fall back to fs.promises.appendFile
  - tryToExecutePreRequestScript catch block: skip IPC appendToFile in Node.js context

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: sort node: imports before third-party and replace if/else with ternary in network.ts

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace static fs/path imports with inline require() to pass renderer baseline check

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: replace process.type branching in network.ts with build-time adapter modules

  Eliminates all runtime process.type and typeof window checks by introducing network-adapter.renderer.ts and network-adapter.node.ts. Vite and Vitest resolve the import to the renderer adapter; inso esbuild resolves to the node adapter. No branching code remains in network.ts itself.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: restore object alias format in vite.config.ts to fix rollup build

  Array-form alias with find:'~' was not matching prefix imports like ~/common/insomnia-fetch in the react-router production build. Object form behaves correctly in Vite 7.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: resolve merge conflicts in logger.ts and cli.ts, restore AGENTS.md indented tree

  - logger.ts: keep LogType (consola v3 casing), drop duplicate conflict markers
  - cli.ts: remove stashed duplicate LogLevels import from conflict block
  - AGENTS.md: restore indented hierarchy in Repository Structure and Data Model sections

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* remove cx

* fix: add path traversal guard to getTimelinePath in node adapter

  Mirrors the same defence-in-depth check already present in the IPC handler.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix tests which use network from main

* flake

* refactor: replace bundler aliases with process.type runtime detection in network-adapter

  Instead of three separate bundler aliases (Vite, esbuild main, esbuild inso), network-adapter.ts now selects the correct adapter at runtime using process.type === 'renderer'.

  - Vite prod: process.type is already inlined as 'renderer' via define, so Rollup tree-shakes the node branch
  - esbuild main: define process.type='browser' so esbuild tree-shakes renderer branch
  - esbuild inso: define process.type=undefined so esbuild tree-shakes renderer branch
  - Vitest (insomnia): existing renderer alias kept for test environment
  - Vitest (inso): add renderer alias to match pre-existing test behaviour and avoid loading native node-libcurl module in tests

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: restore vite alias for network-adapter to fix server bundle build

  The react-router build produces both client and server bundles. Without the alias, the server bundle encountered a runtime require() for './network-adapter.renderer' that couldn't resolve (Vite inlines process.type='renderer' via define for the server build too, so Rollup tree-shakes to the renderer branch, but the module gets externalized in the server bundle rather than inlined, leaving a broken runtime require). Restoring the alias ensures both builds inline network-adapter.renderer directly, which is safe because the module only defines functions — window.main is never called at module init time.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feedback

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>