Conversation
Co-authored-by: piotr-blue <piotr-blue@users.noreply.github.com>
Co-authored-by: piotr-blue <piotr-blue@users.noreply.github.com>
Co-authored-by: piotr-blue <piotr-blue@users.noreply.github.com>
Co-authored-by: piotr-blue <piotr-blue@users.noreply.github.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| const compatibility = scanCompatibility({ | ||
| sourceByPath, | ||
| profile, | ||
| }); |
There was a problem hiding this comment.
Scanner parses original TypeScript files with JavaScript-only parser
Medium Severity
The compatibility scanner reads original source files from disk via loadSourceByPath (using esbuild metafile input paths, which include .ts files), then passes them to safeParseModule which uses acorn — a JavaScript-only parser. Any TypeScript file with type annotations, interfaces, or generics will fail to parse. The resulting parse_error diagnostic causes compatibility.ok to be false, and since rejectIncompatible defaults to true, the bundler throws a DeterministicBundlerError. Current tests only use .ts files containing valid JavaScript syntax, masking this issue.
Additional Locations (1)
| ); | ||
| } | ||
| return; | ||
| } |
There was a problem hiding this comment.
Scanner misses ExportNamedDeclaration node builtin re-exports
Low Severity
The scanNode function checks ImportDeclaration and ExportAllDeclaration for node builtin specifiers but omits ExportNamedDeclaration with a source property. This means export { readFile } from 'node:fs' would not produce a node_builtin_import diagnostic, even though the equivalent import and export * forms are correctly flagged.
2 participants
Note
High Risk
High risk because it changes the deterministic VM initialization ABI (
qjs_det_initnow takesfeature_flags) and introduces profile-gated runtime behavior (e.g., RegExp enablement) that affects core execution semantics across wasm/native harnesses.Overview
Introduces a new
@blue-quickjs/deterministic-bundlerlibrary to deterministically bundle multi-file JS/TS module graphs into a singleprogram.code, emit a stable SHA-256 content hash, and run a profile-aware compatibility scan (blocking forbidden surfaces by default).Extends the runtime program artifact with
executionProfile(baseline-v1default,compat-regexp-v1opt-in) and plumbs it through wasm/native initialization via a newfeature_flagsparameter toqjs_det_init, with tests asserting baseline-vs-compat RegExp behavior and clearer VM error classification for top-levelreturn(EXECUTION_SURFACE_MISMATCH).Adds end-to-end chess.js “library reuse” fixtures and parity tests: bundles chess.js under
compat-regexp-v1and verifies deterministic results/gas inlibs/quickjs-runtime,apps/smoke-node, andapps/smoke-web(including a new Playwright page/fixture). Updates docs and harness scripts to document bundling, raw-script semantics, and execution-profile selection.Written by Cursor Bugbot for commit 3692941. This will update automatically on new commits. Configure here.