starred/hoppscotch
1
0
Fork 0
mirror of https://github.com/hoppscotch/hoppscotch.git synced 2026-04-25 16:55:59 +03:00
Code Issues 711 Projects Releases 5 Packages Wiki Activity

[PR #3973] [MERGED] chore: migrate Node.js implementation for js-sandbox to isolated-vm #4620

New issue
Closed
opened 2026-03-17 02:08:18 +03:00 by kerem · 0 comments
kerem commented 2026-03-17 02:08:18 +03:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/3973
Author: @jamesgeorge007
Created: 4/12/2024
Status: Merged
Merged: 4/19/2024
Merged by: @AndrewBastin

Base: release/2024.3.1Head: sandbox-vulnerability-remediation

📝 Commits (10+)

  • 5cc8716 chore: migrate JS sandbox to isolated-vm
  • 23e959a fix: pre-request script execution
  • bac9743 refactor: serialize test script API methods before sending to the isolate
  • c2bd74a chore: migrate test framework to vitest
  • d75a76d chore: resolve build errors wrt wrt CJS interop with ESM
  • 318402d refactor: leverage Proxy to intercept scripting API calls
  • 023072e refactor: spawn child process to add no-node-snapshot flag when required
  • 0e2d2d0 chore: bump jest timeout for test.spec.ts
  • 27d58c0 fix: condition to spawn child process
  • 7eca5ba chore: make isolated-vm a peer-dependency

📊 Changes

52 files changed (+1029 additions, -286 deletions)

View changed files

📝 .github/workflows/tests.yml (+7 -8)
📝 packages/hoppscotch-cli/bin/hopp.js (+26 -1)
📝 packages/hoppscotch-cli/package.json (+2 -1)
📝 packages/hoppscotch-cli/src/__tests__/commands/test.spec.ts (+1 -1)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v1-req-v0.json (+53 -25)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v1-req-v1.json (+52 -3)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v2-req-v2.json (+58 -3)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v2-req-v3.json (+58 -3)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-coll.json (+51 -21)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-persistence-coll.json (+13 -13)
📝 packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-persistence-scripting-coll.json (+2 -2)
📝 packages/hoppscotch-cli/src/__tests__/samples/environments/secret-envs.json (+6 -1)
📝 packages/hoppscotch-cli/src/__tests__/samples/environments/secret-supplied-values-envs.json (+6 -1)
📝 packages/hoppscotch-cli/src/__tests__/utils.ts (+18 -11)
📝 packages/hoppscotch-cli/src/index.ts (+2 -1)
📝 packages/hoppscotch-cli/src/utils/mutators.ts (+36 -18)
packages/hoppscotch-js-sandbox/jest.config.js (+0 -10)
packages/hoppscotch-js-sandbox/jest.setup.ts (+0 -1)
📝 packages/hoppscotch-js-sandbox/node.d.ts (+2 -2)
📝 packages/hoppscotch-js-sandbox/package.json (+11 -3)

...and 32 more files

📄 Description

Description

This PR aims at migrating the sandbox implementation for Node.js from node:vm to isolated-vm.

Ref: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr

Closes HFE-475.

Changes

  • Add isolated-vm as a peer dependency (there were issues with not being able to require isolated-vm when it was made a direct dependency) to js-sandbox and mark it optional since it's specific to the Node.js implementation. Also, it is added as a direct dependency on the CLI.
  • Migrate the testing framework from Jest (support for ESM is experimental) to Vitest for js-sandbox.
  • Directory hierarchy updates for js-sandbox.
    • Arrange the source directories based on the platform (node, web) instead of the type of scripts (pre-request & test-runner) easily accommodating platform-specific utility functions. ~/src/utils.ts at the root compiling utility functions reused across platform implementations is renamed to ~/src/shared-utils to differentiate between platform-specific utils ~/src/node/utils.ts.
    • Remove the nested testing directory from the test suite and enforce a naming convention for the directories based on the scripting API namespace objects (env, expect, etc).
  • The value supplied to pw.expect(expectVal) is stringified with an additional property isStringifiedWithinIsolate if it's a non-primitive while transferring to the isolate context as required by isolated-vm. The value is parsed at the pw.expect method definition after checking for the above additional property to differentiate between stringification done while transferring to the isolate context and an original value. The newly introduced property is removed before consumption.
  • Spawn a new process if the Node.js version is 20 and above from the CLI supplying the --no-node-snapshot flag to node as required by isolated-vm, Ref and later proceed with the argument parsing phase.
  • Account for requests nested under folders within collections while validating against the versioned entity schema and translating to the latest version. Follow up of #3912.
  • Fix flaky tests in the CLI (update tests to refer to the echo.hoppscotch.io endpoint and prevent test failures if the auth endpoint resulted in a non 200 status code).
  • GH Action config updates
    • Bump dependent actions.
    • Fix a typo while referring to the Node.js version and ensure run tests on LTS.
    • Move the Setup node step above Setup pnpm.

Checks

  • My pull request adheres to the code style of this project
  • All the tests have passed

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/hoppscotch/hoppscotch/pull/3973 **Author:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Created:** 4/12/2024 **Status:** ✅ Merged **Merged:** 4/19/2024 **Merged by:** [@AndrewBastin](https://github.com/AndrewBastin) **Base:** `release/2024.3.1` ← **Head:** `sandbox-vulnerability-remediation` --- ### 📝 Commits (10+) - [`5cc8716`](https://github.com/hoppscotch/hoppscotch/commit/5cc8716457feb6e2127d51364aaa0cb2518bff97) chore: migrate JS sandbox to isolated-vm - [`23e959a`](https://github.com/hoppscotch/hoppscotch/commit/23e959a390fee12e904195f49e94174f114ecfe4) fix: pre-request script execution - [`bac9743`](https://github.com/hoppscotch/hoppscotch/commit/bac974378f5095dd0a0e4e389016d0617960a574) refactor: serialize test script API methods before sending to the isolate - [`c2bd74a`](https://github.com/hoppscotch/hoppscotch/commit/c2bd74a331b5e3c6fb063c7b07a55f461b3af960) chore: migrate test framework to vitest - [`d75a76d`](https://github.com/hoppscotch/hoppscotch/commit/d75a76d2a94f0ff3019fb5f1eaed8a4b145bc29b) chore: resolve build errors wrt wrt CJS interop with ESM - [`318402d`](https://github.com/hoppscotch/hoppscotch/commit/318402d55960cdc52b542de87c8e52a88b9845de) refactor: leverage Proxy to intercept scripting API calls - [`023072e`](https://github.com/hoppscotch/hoppscotch/commit/023072e5075202464a6fcf7338754c5ab142cc76) refactor: spawn child process to add no-node-snapshot flag when required - [`0e2d2d0`](https://github.com/hoppscotch/hoppscotch/commit/0e2d2d0f5ed4a3ef408c5c90d643358d2868eaca) chore: bump jest timeout for test.spec.ts - [`27d58c0`](https://github.com/hoppscotch/hoppscotch/commit/27d58c0f48de738797d07588727b8dae19287b56) fix: condition to spawn child process - [`7eca5ba`](https://github.com/hoppscotch/hoppscotch/commit/7eca5bac84369784fbe7c9195e35193b53f40bd8) chore: make `isolated-vm` a peer-dependency ### 📊 Changes **52 files changed** (+1029 additions, -286 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/tests.yml` (+7 -8) 📝 `packages/hoppscotch-cli/bin/hopp.js` (+26 -1) 📝 `packages/hoppscotch-cli/package.json` (+2 -1) 📝 `packages/hoppscotch-cli/src/__tests__/commands/test.spec.ts` (+1 -1) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v1-req-v0.json` (+53 -25) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v1-req-v1.json` (+52 -3) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v2-req-v2.json` (+58 -3) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/coll-v2-req-v3.json` (+58 -3) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-coll.json` (+51 -21) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-persistence-coll.json` (+13 -13) 📝 `packages/hoppscotch-cli/src/__tests__/samples/collections/secret-envs-persistence-scripting-coll.json` (+2 -2) 📝 `packages/hoppscotch-cli/src/__tests__/samples/environments/secret-envs.json` (+6 -1) 📝 `packages/hoppscotch-cli/src/__tests__/samples/environments/secret-supplied-values-envs.json` (+6 -1) 📝 `packages/hoppscotch-cli/src/__tests__/utils.ts` (+18 -11) 📝 `packages/hoppscotch-cli/src/index.ts` (+2 -1) 📝 `packages/hoppscotch-cli/src/utils/mutators.ts` (+36 -18) ➖ `packages/hoppscotch-js-sandbox/jest.config.js` (+0 -10) ➖ `packages/hoppscotch-js-sandbox/jest.setup.ts` (+0 -1) 📝 `packages/hoppscotch-js-sandbox/node.d.ts` (+2 -2) 📝 `packages/hoppscotch-js-sandbox/package.json` (+11 -3) _...and 32 more files_ </details> ### 📄 Description ### Description This PR aims at migrating the sandbox implementation for `Node.js` from [node:vm](https://nodejs.org/api/vm.html#vm-executing-javascript) to [isolated-vm](https://github.com/laverdet/isolated-vm). Ref: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr Closes HFE-475. ### Changes - Add `isolated-vm` as a peer dependency (there were issues with not being able to require `isolated-vm` when it was made a direct dependency) to `js-sandbox` and mark it optional since it's specific to the `Node.js` implementation. Also, it is added as a direct dependency on the CLI. - Migrate the testing framework from `Jest` (support for ESM is experimental) to `Vitest` for `js-sandbox`. - Directory hierarchy updates for `js-sandbox`. - Arrange the source directories based on the platform (`node`, `web`) instead of the type of scripts (`pre-request` & `test-runner`) easily accommodating platform-specific utility functions. `~/src/utils.ts` at the root compiling utility functions reused across platform implementations is renamed to `~/src/shared-utils` to differentiate between platform-specific utils `~/src/node/utils.ts`. - Remove the nested `testing` directory from the test suite and enforce a naming convention for the directories based on the scripting API namespace objects (`env`, `expect`, etc). - The value supplied to `pw.expect(expectVal)` is stringified with an additional property `isStringifiedWithinIsolate` if it's a non-primitive while transferring to the isolate context as required by `isolated-vm`. The value is parsed at the `pw.expect` method definition after checking for the above additional property to differentiate between stringification done while transferring to the isolate context and an original value. The newly introduced property is removed before consumption. - Spawn a new process if the `Node.js` version is `20` and above from the CLI supplying the `--no-node-snapshot` flag to `node` as required by `isolated-vm`, [Ref](https://github.com/laverdet/isolated-vm?tab=readme-ov-file#requirements) and later proceed with the argument parsing phase. - Account for requests nested under `folders` within collections while validating against the versioned entity schema and translating to the latest version. Follow up of #3912. - Fix flaky tests in the CLI (update tests to refer to the [echo.hoppscotch.io](https://echo.hoppscotch.io/) endpoint and prevent test failures if the auth endpoint resulted in a non `200` status code). - GH Action config updates - Bump dependent actions. - Fix a typo while referring to the Node.js version and ensure run tests on LTS. - Move the `Setup node` step above `Setup pnpm`. ### Checks - [x] My pull request adheres to the code style of this project - [x] All the tests have passed --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
kerem 2026-03-17 02:08:18 +03:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/security-fix-2026-4-0
next
fix/mockserver-env-set-url-priority
feat/rest-gql-merge
refactor/workspaces
fix/onboarding-mass-assignment
desktop-settings-phase-0-schema-bridge-shell
patch
test-webhook
pr/johnan319/5745
tembo/optimize-performance-db-queries
add-claude-github-actions-1772782423108
fix/code-scanning-103
fix/mock-server-example-endpoint-match-v2
fix/rate-limit-on-health-route
hotfix/api-doc-collection-deletetion
cd-test
fix/mock-server-backend-followup
chore/code-scanning-52
chore/verion-addition-check
nested-migrations
scripting-system-updates-worker-setup
scripting-system-updates
pr/shipko/4367
ci-test
feat/user-delete-condition
feat/user-workspace-stats-api
chore/collection-export-addition
fix/import-file-size-limit-flow
feat/dashboard-common
feat/sort-environment-alphabetically
feat/infra-config-encryption
refactor/team
feat/collection-duplicationn
feat/secure-cookies-toggle
pr/pavog/4195
pr/pavog/4196
test/patch-demo
feat/native-interceptor-updates
pr/AndrewBastin/4111
feat/user-last-active-on
fix/codemirror-large-text-scroll-bug
fix/precision-lost-beautify
fix/env-diff-test-schema-error
fix/email-case-sensitive
release/2024.3.3
refactor/workspace-login-conversion
feat/node-apline-version-upgrade
feat/seed
release/2024.3.2
fix/sh-email-handlebar-issue
feat/app-experiment-animation
release/2024.3.1
release/2024.3.0
pr/jamesgeorge007/3937
experiment/deploychan
feat/github-enterprise-auth
refactor/collection-search-query
hotfix/infra-config-reset-bug
fix/secret-var-bug
hotfix/full-text-search
hotfix/request-variable-version-syncing
feat/request-variable
feat/server-config-additional-properties
pr/JoelJacobStephen/3845
release/2023.12.6
fix/safari-codemirror-perf-bug
release/2023.12.5
release/2023.12.4
fix/secret-env-bugs-tooltip
release/2023.12.3
fix/shared-request-bug
fix/disable-context-menu-option
release/2023.12.2
release/2023.12.1
fix/shared-request-bugs
release/2023.12.0
fix/gql-history-schema
fix/actions-not-working-without-sidebar
pr/jamesgeorge007/3665
chore/desktop-app-corrections
fix/auth-headers-in-coll
fix/embed-url
improve/placeholder
add-realtime-logos
feat/shared-request-embeds
feat/collection-headers
revamp/header
release/2023.8.4
refactor/interceptor-error-display
feat/subpath-based-access
release/2023.8.3
feat/shared-requests
feat/desktop
fix/nodemailer-templates-issue
feature/upgrade-graphql-ws
fix/graphql-crashing
fix/set-environments-when-no-env-selected
refactor/pre-prisma-bump-setup
release/2023.8.2
pr/danitherex/3216
perf/raw-db-query
release/2023.8.1
revert-3348-perf/reduce-backend-calls
fix/incorrect-tab-count-close-all-tab
fix/duplicate-tab-bug
release/2023.8.0
hotfix/fetch-shortcode
fix/tab-right-click-rename-bug
chore/docker-fixes
pr/JoelJacobStephen/3178
feat/fe-accessible-auth-provider-env
feat-cherry-pick/conditional-auth-select
feat/conditional-auth-select
release/2023.4.8
fix/generate-sitemap-issue
test/backend-test-case
refactor/team-invitation
pr/AndrewBastin/3171
release/2023.4.7
fix/duplicate-team-invite
fix/unified-bg-color-coll-tree
fix/shortcode-screen-stuck
release/2023.4.6
revert-3117-patch-3
fix/env-selector-bg
fix/db-url
release/2023.4.4
fix/sync-popup-bug
fix/team-env-set-test
chore/wss-to-ws-on-env
fix/prettify-xml-response
feat/db-volume-addition
feat/env-selector-tabs-ui
bug/broken-env
release/2023.4.2
fix/switch-workspace-env-bug
fix/magic-link
fix/cookie-handler
HPS-OSS-1
staging
revert/auth-issue
feat/export-env
refactor/commons
reference/path-variables
orphan-pr/2243
feat/realtime-search
fix/save-override
refactor/strategies
feat/embeds
bug/withDefaults
feat/show-keys
refactor/toast
2026.3.1
2026.3.0
2026.2.1
2026.2.0
2026.1.1
2026.1.0
2025.12.1
2025.12.0
2025.11.2
2025.11.1
2025.11.0
2025.10.1
2025.10.0
2025.9.2
2025.9.1
2025.9.0
2025.8.1
2025.8.0
2025.7.1
2025.7.0
2025.6.1
2025.6.0
2025.5.4
2025.5.3
2025.5.2
2025.5.1
2025.5.0
2025.4.2
2025.4.1
2025.4.0
2025.3.2
2025.3.1
2025.3.0
2025.2.3
2025.2.2
2025.2.1
2025.2.0
2025.1.1
2025.1.0
2024.12.2
2024.12.1
2024.12.0
2024.11.0
2024.10.2
2024.10.1
2024.10.0
2024.9.3
2024.9.2
2024.9.1
2024.9.0
2024.8.3
2024.8.2
2024.8.1
2024.8.0
2024.7.2
2024.7.1
2024.7.0
2024.6.1
2024.6.0
2024.3.4
2024.3.3
2024.3.2
2024.3.1
2024.3.0
2023.12.6
2023.12.5
2023.12.4
2023.12.3
2023.12.2
2023.12.1
2023.12.0
2023.8.4
2023.8.3
2023.8.2
2023.8.1
2023.8.0
2023.4.8
2023.4.7
2023.4.6
2023.4.5
2023.4.4
2023.4.3
2023.4.2
2023.4.1
2023.4.0
v3.0.1
v3.0.0
v2.2.1
v2.2.0
v2.1.0
v2.0.0
v1.12.0
v1.10.0
v1.9.9
v1.9.7
v1.9.5
v1.9.0
v1.8.0
v1.5.0
v1.0.0
v0.1.0
Labels
Clear labels   
CodeDay

   
a11y

   
browser limited

   
bug

   
bug fix

   
cli

   
core

   
critical

   
design

   
desktop

   
discussion

   
docker

   
documentation

   
duplicate

   
enterprise

   
feature

   
feature

   
fosshack

   
future

   
good first issue

   
hacktoberfest

   
help wanted

   
i18n

   
invalid

   
major

   
minor

   
need information

   
need testing

   
not applicable to hoppscotch

   
not reproducible

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
refactor

   
resolved

   
sandbox

   
self-host

   
spam

   
stale

   
testmu

   
wip

   
wont fix
No labels
CodeDay
a11y
browser limited
bug
bug fix
cli
core
critical
design
desktop
discussion
docker
documentation
duplicate
enterprise
feature
feature
fosshack
future
good first issue
hacktoberfest
help wanted
i18n
invalid
major
minor
need information
need testing
not applicable to hoppscotch
not reproducible
pull-request
question
refactor
resolved
sandbox
self-host
spam
stale
testmu
wip
wont fix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hoppscotch#4620
No description provided.