* feat(): support multipart mixed
fix: support vars interpolation on mixed multi-part
Update packages/bruno-electron/src/ipc/network/interpolate-vars.js
Co-authored-by: Timon <39559178+Its-treason@users.noreply.github.com>
refactor: use startsWith
feat: best effort for other multipart/* contentypes
* feat: enhance variable interpolation for multipart requests
- Updated `interpolateVars` function to support interpolation in multipart/form-data and multipart/mixed requests.
- Added handling for empty multipart arrays and parts with missing or undefined values.
- Improved type checks for content types to ensure proper interpolation behavior.
Includes new tests to validate the interpolation functionality for multipart requests.
* fix: normalize error handling in sendRequest and improve test reliability
---------
Co-authored-by: Alfonso Presa <alfonso-presa@users.noreply.github.com>
* fix: isJson assertion fails after res.setBody() with object in node-vm
Objects created inside Node's vm.createContext() have a different Object
constructor than the host realm. When res.setBody() is called with a JS
object from a script, _.cloneDeep preserves the cross-realm prototype,
causing obj.constructor === Object to fail in the isJson assertion.
Replace with Object.prototype.toString.call() which is cross-realm safe.
* fix: register isJson chai assertion in QuickJS test runtime
The bundled chai in QuickJS only exposes { expect, assert } via
requireObject — no Assertion class. Access the prototype through
Object.getPrototypeOf(expect(null)) and use Object.defineProperty
to register the json property directly.
* fix: enable assertion chaining on isJson in QuickJS runtime
The QuickJS isJson property getter was missing `return this`, preventing
chai assertion chaining (e.g. expect(body).to.be.json.and...).
* feat: add support for new variable management functions in Bruno
- Implemented methods to retrieve and delete all environment and global variables.
- Added corresponding translations for new functions in Postman and Bruno converters.
- Updated request handling to include header deletion functionality.
- Enhanced test cases to cover new variable management features.
* feat: add new scripts for environment and global variable management
- Introduced scripts to delete all environment and global variables.
- Added functionality to retrieve all environment and global variables.
- Implemented tests to validate the behavior of new variable management features.
* feat: implement collection variable management in Bruno
- Added methods for managing collection variables: set, get, has, delete, and retrieve all.
- Updated Postman translation functions to reflect new collection variable methods.
- Enhanced tests to validate the functionality of collection variable management.
- Refactored existing code to replace environment variable references with collection variable equivalents.
* feat: enhance collection variable translations in Bruno
- Updated translation functions for collection variable management to align with Postman API.
- Added tests for new collection variable methods: set, has, delete, retrieve all, and clear.
- Refactored existing tests to ensure accurate translation of collection variable operations.
* feat: expand API hints for variable management in Bruno
* fix: test cases
* fix: remove unnecessary return in deleteEnvVar function
* feat: add translations for direct cookie access methods
- Implement translations for pm.cookies.has, pm.cookies.get, and pm.cookies.toObject to their corresponding bru.cookies methods.
- Enhance the postman-to-bruno translator to handle these new cookie access patterns.
- Add unit tests to verify the correct conversion of cookie access methods in various scenarios.
* refactor: simplify optional member expression handling in postman-to-bruno translator
- Streamlined the code for handling optional member expressions in the translation of cookie access methods.
- Updated unit test to verify the correct output format for pm.cookies.toObject() conversion.
* refactor: enhance handling of await expressions in cookie translations
- Updated the postman-to-bruno translator to wrap await expressions in parentheses for improved clarity and consistency.
- Adjusted unit tests to reflect the new output format for cookie access methods, ensuring accurate translation of pm.cookies.get calls.
* refactor: update cookie access translations to use hasCookie method
- Modified translations for pm.cookies.has to utilize the new bru.cookies.hasCookie method for improved clarity and functionality.
- Updated related unit tests to reflect changes in expected output for cookie existence checks.
- Added new tests to validate the behavior of the hasCookie method in various scenarios.
* fix(node-vm): scripting context and module resolution issues
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): use vm.createContext for true isolation and fix prototype mismatches
- Replace vm.compileFunction with vm.createContext + runInContext for true isolation
- Remove ECMAScript built-ins from safeGlobals (VM provides its own versions)
- This fixes prototype chain mismatches that broke libraries like @faker-js/faker
- Add sanitized process object (allows env, blocks exit/kill)
- Add global/globalThis pointing to isolated context (not host)
- Extract safe globals to constants.js for maintainability
- Remove typed-arrays mixin (VM provides TypedArrays)
- Add comprehensive isolation tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): remove process, add Error types and TypedArrays mixin, add jose test
- Remove process object from script context (security hardening)
- Remove createSanitizedProcess function from constants.js
- Add Error types to safeGlobals for instanceof checks with host errors
- Add TypedArrays mixin for host API compatibility (TextEncoder, crypto, Buffer)
- Add jose library and test for JWT sign/verify functionality
- Update tests to reflect process removal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): handle circular dependencies and failed module caching
- Pre-populate module cache before execution to support circular requires
- Cache moduleObj instead of moduleObj.exports to handle module.exports reassignment
- Remove failed modules from cache to allow retry
- Add test for circular dependency handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): spread all context properties in buildScriptContext
Instead of explicitly listing each context property, spread all
properties from the context input to support future additions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): add filtered process object to script context
Expose a sanitized process object with only safe read-only properties
(argv, version, arch, platform, pid, features) while keeping env empty
for security.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* test(node-vm): add comprehensive tests for Node.js builtins
Add 18 test files for Node.js builtin APIs in developer sandbox mode:
- Buffer, URL, TextEncoder/TextDecoder, btoa/atob
- Web Crypto API and node:crypto module
- Timers (setTimeout, setInterval, setImmediate, queueMicrotask)
- Fetch API (Request, Response, Headers, FormData, Blob)
- Intl formatters, JSON, Events (Event, EventTarget, CustomEvent)
- Node modules: fs, path, os, util, stream, zlib, querystring
All tests skip in safe mode using bru.runner.skipRequest().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): address CodeRabbit review feedback
- Block absolute paths from bypassing security by routing through loadLocalModule
- Fix process tests to expect sanitized object instead of undefined
- Fix cache test to verify module executes only once
- Add tests for absolute path handling (block outside, allow within roots)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: lint issues
* fix(node-vm): recontextualize host objects for cross-context deep equality
Objects passed from the host context into the Node VM have different
Object/Array constructors than objects created inside the VM. This breaks
deep equality checks in libraries like AJV, where fast-deep-equal fails
on `a.constructor !== b.constructor` for structurally identical objects.
Add recontextualizeScript to utils.js that wraps getter methods (res.getBody,
res.getHeaders, req.getBody, req.getHeaders, req.getPathParams, req.getTags,
bru.getVar) to JSON round-trip returned objects inside the VM, giving them
VM-native prototypes.
Add external-lib-with-bru-req-res-objects package and tests to verify
bru/req/res accessibility from npm modules. Update ajv.bru tests to
validate res.getBody() against AJV schemas with enum on nested objects.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): update spec to use saved mock refs after recontextualize
The recontextualizeScript wraps res.getBody with a JSON round-trip
function, replacing the jest mock on the context object. Save mock
references before calling runScriptInNodeVm so assertions work.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): shallow-copy mutable process properties in sandbox
process.argv, process.versions, and process.features were passed by
reference, allowing sandboxed scripts to mutate the host process.
Shallow-copy these properties to prevent leaking mutable references.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(node-vm): use recursive clone in toVMNative instead of JSON round-trip
JSON.stringify converts undefined to null in arrays, breaking tests like
res.setBody([..., undefined, ...]). Replace with recursive clone that
creates new VM-native objects/arrays while preserving undefined values.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(node-vm): generalize recontextualize to wrap all bru/req/res methods
Instead of hardcoding specific method names, walk the prototype chain
with Object.getOwnPropertyNames to discover and wrap all methods that
return Objects/Arrays. Async methods (sendRequest, runRequest) get their
resolved values wrapped. The res callable and res.body/res.headers are
also recontextualized for direct access and query usage.
Adds integration tests for VM-native prototype checks across res, req,
bru APIs, res() callable queries, and bru.sendRequest patterns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert(node-vm): remove recontextualizeScript and related tests
The recontextualize approach of wrapping all bru/req/res methods
to return VM-native objects is being reverted in favor of a
different solution to the cross-context prototype mismatch issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): expose full process object in developer sandbox via safeGlobals
* test(node-vm): update process tests for full process object in developer sandbox
* test(node-vm): update spec to verify process.nextTick availability
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix: Support @contentType for multiline values
Fixes the issue where the @contentType annotation broke the parsing of multiline values.
* chore: add dotall flag to fileExtractContentType
Not strictly needed since body:file uses single-line values in practice,
but doesn't hurt and matches what multipartExtractContentType does.
---------
Co-authored-by: Márk Dániel Seres <markdaniel.seres@tesco.com>
* fix: standardize URL formatting in insomnia test files
* feat: add mix router for handling custom redirects and cookies
* fix: add validation for redirect count to prevent infinite loops
* fix: update test URLs to use local server and add query parameters for improved testing
* fix: update test URLs from httpbin to echo.usebruno.com across multiple test files
* fix: standardize URL formatting in insomnia test files
* chore: standardize URL formatting in insomnia test files
* feat: bru.sendRequest api
* updated the postman-translations logic to handle `pm.sendRequest` to `bru.sendRequest` translations, and added unit tests
* ~ removed `maxRedirects` and `proxy` values for sendRequest axios-instance
~ fixed the imports for the `send-request-transformer` function
~ `sendRequest` and `runRequest` will return same response object in both safe and developer mode
~ sendRequest function optimization
* revert sendRequest to async function, added a testcase for sendRequest with url string
* sendRequest callback errors handling
* updated tests and added await for the callbacks
---------
Co-authored-by: lohit <lohit@usebruno.com>
* feat: enhance variable highlighting in CodeMirror and update interpolation method
* feat: add interpolate function to bru shim and corresponding tests
- Implemented the `interpolate` function in the bru shim to handle variable interpolation.
- Added a new test case for the `interpolate` function to verify its functionality with mock variables.
* feat: enhance interpolate function to support object interpolation
* feat: add translation support for pm.variables.replaceIn to bru.interpolate
* revert: eslint config changes
* revert: eslint config changes
* fix: update method call to use correct interpolation function in Bru class
* refactor: added jsdoc to codemirror highlighting code
* fix: higlighting for multiline editor
* Bugfix: Add cheerio and xml2js modules to post-response scripts
* chore: improved cheerio and xml2js test
---------
Co-authored-by: Anoop M D <anoop.md1421@gmail.com>
Enhance BrunoResponse with statusText functionality:
- Added `getStatusText()` method to BrunoResponse class
- Updated QuickJS shim to support statusText
* Fix: Revert selective JSON parsing where string response is not parsed
- Revert "Merge pull request #3706 from Pragadesh-45/fix/response-format-updates"
- e897dc1eb0
- Revert "Merge pull request #3676 from pooja-bruno/fix/string-json-response"
- 1f2bee1f90
* Fix: Revert interpreting Assert RHS-value wrapped in quotes literally
- Revert "Merge pull request #3806 from Pragadesh-45/fix/handle-assert-results"
- 63d3cb380d
- Revert "Merge pull request #3805 from Pragadesh-45/fix/handle-assert-results"
- 6abd063749
* Fix: Inconsistent JSON formatting in preview when encoded value is a string
* Fix: Prettify JSON for Res-preview without parsing to avoid JS specific roundings
* Fix(testbench): req.body is always Buffer after the binary req body related changes
* Added `/api/echo/custom` where response can be configured using request itself
* Added tests for validating Assert and Response-preview
Co-authored-by: Pragadesh-45 <temporaryg7904@gmail.com>
* Handle char-encoding in Response-preview and added more tests
* Updated API endpoint in tests to use httpfaker api
* QuickJS (Safe Mode) exec logic to handle template literals similar to Developer Mode
* Safe Mode bru.runRequest to return statusText similar to Developer Mode
---------
Co-authored-by: ramki-bruno <ramki@usebruno.com>
Co-authored-by: Anoop M D <anoop.md1421@gmail.com>
