* fix(node-vm): scripting context and module resolution issues
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): use vm.createContext for true isolation and fix prototype mismatches
- Replace vm.compileFunction with vm.createContext + runInContext for true isolation
- Remove ECMAScript built-ins from safeGlobals (VM provides its own versions)
- This fixes prototype chain mismatches that broke libraries like @faker-js/faker
- Add sanitized process object (allows env, blocks exit/kill)
- Add global/globalThis pointing to isolated context (not host)
- Extract safe globals to constants.js for maintainability
- Remove typed-arrays mixin (VM provides TypedArrays)
- Add comprehensive isolation tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): remove process, add Error types and TypedArrays mixin, add jose test
- Remove process object from script context (security hardening)
- Remove createSanitizedProcess function from constants.js
- Add Error types to safeGlobals for instanceof checks with host errors
- Add TypedArrays mixin for host API compatibility (TextEncoder, crypto, Buffer)
- Add jose library and test for JWT sign/verify functionality
- Update tests to reflect process removal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): handle circular dependencies and failed module caching
- Pre-populate module cache before execution to support circular requires
- Cache moduleObj instead of moduleObj.exports to handle module.exports reassignment
- Remove failed modules from cache to allow retry
- Add test for circular dependency handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): spread all context properties in buildScriptContext
Instead of explicitly listing each context property, spread all
properties from the context input to support future additions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): add filtered process object to script context
Expose a sanitized process object with only safe read-only properties
(argv, version, arch, platform, pid, features) while keeping env empty
for security.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* test(node-vm): add comprehensive tests for Node.js builtins
Add 18 test files for Node.js builtin APIs in developer sandbox mode:
- Buffer, URL, TextEncoder/TextDecoder, btoa/atob
- Web Crypto API and node:crypto module
- Timers (setTimeout, setInterval, setImmediate, queueMicrotask)
- Fetch API (Request, Response, Headers, FormData, Blob)
- Intl formatters, JSON, Events (Event, EventTarget, CustomEvent)
- Node modules: fs, path, os, util, stream, zlib, querystring
All tests skip in safe mode using bru.runner.skipRequest().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(node-vm): address CodeRabbit review feedback
- Block absolute paths from bypassing security by routing through loadLocalModule
- Fix process tests to expect sanitized object instead of undefined
- Fix cache test to verify module executes only once
- Add tests for absolute path handling (block outside, allow within roots)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: lint issues
* fix(node-vm): recontextualize host objects for cross-context deep equality
Objects passed from the host context into the Node VM have different
Object/Array constructors than objects created inside the VM. This breaks
deep equality checks in libraries like AJV, where fast-deep-equal fails
on `a.constructor !== b.constructor` for structurally identical objects.
Add recontextualizeScript to utils.js that wraps getter methods (res.getBody,
res.getHeaders, req.getBody, req.getHeaders, req.getPathParams, req.getTags,
bru.getVar) to JSON round-trip returned objects inside the VM, giving them
VM-native prototypes.
Add external-lib-with-bru-req-res-objects package and tests to verify
bru/req/res accessibility from npm modules. Update ajv.bru tests to
validate res.getBody() against AJV schemas with enum on nested objects.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): update spec to use saved mock refs after recontextualize
The recontextualizeScript wraps res.getBody with a JSON round-trip
function, replacing the jest mock on the context object. Save mock
references before calling runScriptInNodeVm so assertions work.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): shallow-copy mutable process properties in sandbox
process.argv, process.versions, and process.features were passed by
reference, allowing sandboxed scripts to mutate the host process.
Shallow-copy these properties to prevent leaking mutable references.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(node-vm): use recursive clone in toVMNative instead of JSON round-trip
JSON.stringify converts undefined to null in arrays, breaking tests like
res.setBody([..., undefined, ...]). Replace with recursive clone that
creates new VM-native objects/arrays while preserving undefined values.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(node-vm): generalize recontextualize to wrap all bru/req/res methods
Instead of hardcoding specific method names, walk the prototype chain
with Object.getOwnPropertyNames to discover and wrap all methods that
return Objects/Arrays. Async methods (sendRequest, runRequest) get their
resolved values wrapped. The res callable and res.body/res.headers are
also recontextualized for direct access and query usage.
Adds integration tests for VM-native prototype checks across res, req,
bru APIs, res() callable queries, and bru.sendRequest patterns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert(node-vm): remove recontextualizeScript and related tests
The recontextualize approach of wrapping all bru/req/res methods
to return VM-native objects is being reverted in favor of a
different solution to the cross-context prototype mismatch issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(node-vm): expose full process object in developer sandbox via safeGlobals
* test(node-vm): update process tests for full process object in developer sandbox
* test(node-vm): update spec to verify process.nextTick availability
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Added collection format handling in Tags component.
- Updated convertCollection function to accept collectionFormat parameter.
- Improved tag validation logic in TagList component based on collection format.
- Adjusted OpenAPI transformation functions to support collection format options.
- Enhanced schema validation for tags to allow spaces and underscores.
* fix: match filesystem name input style to NewFolder modal in SaveTransientRequest
- Update label to match NewFolder format with '(on filesystem)' suffix
- Add folder icon before the input field
- Apply PathDisplay-like styling with yellow text color and monospace font
- Use matching background, border, and padding from PathDisplay component
* fix: add edit toggle and help tooltip to SaveTransientRequest filesystem name
- Add edit/display mode toggle matching NewFolder modal behavior
- Show PathDisplay when not editing, input field when editing
- Add Help tooltip with placement support for filesystem name field
- Add placement prop to Help component (top, bottom, left, right)
- Remove unused filesystem input styles from StyledWrapper
* fix: update Help component usage in SaveTransientRequest filesystem name field
- Change Help component width prop from a string to a number for consistency.
When collection proxy is set to "inherit", bru.sendRequest was skipping
the app-level proxy and falling through directly to system proxy. Now it
correctly checks app-level proxy settings first, matching the behavior
of normal requests. When appLevelProxyConfig is not provided (e.g. CLI),
falls through to system proxy preserving existing behavior.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Update label to match NewFolder format with '(on filesystem)' suffix
- Add folder icon before the input field
- Apply PathDisplay-like styling with yellow text color and monospace font
- Use matching background, border, and padding from PathDisplay component
Use `isBuiltin` from the `module` package to dynamically exclude all
Node.js built-in modules from the bundle, preventing rollup from
trying to bundle core modules like path, fs, crypto, etc.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Added validation for folder and file names to ensure they are not empty and conform to naming rules.
- Display error messages using toast notifications for invalid names.
- Added `filterTransientItems` utility to recursively remove transient items from collections.
- Updated export functions for OpenCollection and Postman to filter out transient items before export.
- Enhanced collection handling in various components to skip transient requests during processing.
- Adjusted RunConfigurationPanel to exclude transient items from request handling.
- Remove size property from Map and Set displays
- Display Set values at top level with numeric indices (0, 1, 2, ...)
- Display Map entries at top level with => notation (key =>: value)
- Remove [[Set]] and [[Map]] wrapper properties for cleaner display
- Collapse Maps and Sets by default in console (matching Postman behavior)
- Add 'Map' and 'Set' type labels to clearly identify object types
- Maintain expandable/collapsible UI for easy inspection of contents
* Mark test script errors as failed in runner (#6261)
* Mark test script errors as failed in runner
and CLI
* Unify handling of post-response and pre-request script errors in both CLI and Electron
* feat: Enhance error handling in script execution by preserving partial results for pre-request and post-response scripts across CLI and Electron. This ensures that tests passing before an error are still reported.
* Preserving stopExecution in test script error handler
---------
Co-authored-by: Pragadesh-45 <temporaryg7904@gmail.com>
* Enhance error handling for script execution by introducing isScriptError flag in test results (#7029)
* fix: Enhance error handling for script execution by introducing isScriptError flag in test results
Enhance error reporting in script execution by adding isScriptError flag to error responses
fix: Mark pre-request script errors as failures in runner summary
---------
Co-authored-by: Karan Pradhan <78605930+KaranPradhan266@users.noreply.github.com>
Co-authored-by: Pragadesh-45 <temporaryg7904@gmail.com>
* fix: Enhance error handling for script execution by introducing isScriptError flag in test results
Enhance error reporting in script execution by adding isScriptError flag to error responses
fix: Mark pre-request script errors as failures in runner summary
* Mark test script errors as failed in runner
and CLI
* Unify handling of post-response and pre-request script errors in both CLI and Electron
* feat: Enhance error handling in script execution by preserving partial results for pre-request and post-response scripts across CLI and Electron. This ensures that tests passing before an error are still reported.
* Preserving stopExecution in test script error handler
---------
Co-authored-by: Pragadesh-45 <temporaryg7904@gmail.com>
