Add initial bundler plugin by timokoessler · Pull Request #768 · AikidoSec/firewall-node

timokoessler · 2025-09-30T09:29:03Z

Todos

Add an agent mode during bundling that e.g. does not report to API
Fix SCA reporting of dependencies
Zen can not be disabled completely at runtime in bundling mode (?)
Write docs
Supported bundlers
- Esbuild
- Rolldown
Check on runtime if the same agent version is used
Do not require output dir if copy Files is false

Future Todos

Summary by Aikido

⚠️ Security Issues: 2	🔍 Quality Issues: 10	Resolved Issues: 0

🚀 New Features

Added initial bundler plugin with esbuild and rolldown support

⚡ Enhancements

Modified instrumentation transformer to inject bundling-specific helper calls
Added bundling mode flags to agent/hooks to skip runtime hooks during bundling
Updated ESM test script and package.json to include bundler dev dependencies

^{More info}

codecov · 2025-09-30T09:37:01Z

Codecov Report

❌ Patch coverage is 92.99674% with 43 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
library/bundler/internal/bundlers/esbuild.ts	90.54%	14 Missing ⚠️
library/bundler/internal/base.ts	92.81%	13 Missing ⚠️
library/bundler/internal/bundlers/rolldown.ts	95.00%	5 Missing and 1 partial ⚠️
...y/agent/hooks/instrumentation/injectedFunctions.ts	90.47%	4 Missing ⚠️
...nt/hooks/instrumentation/transformCodeInsertSCA.ts	93.18%	3 Missing ⚠️
library/agent/hooks/wrapNewInstance.ts	0.00%	2 Missing ⚠️
library/agent/hooks/wrapExport.ts	85.71%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

+ Some refactor, fixes and test improvements

library/bundler/internal/bundlers/esbuild.ts

instrumentation-wasm/src/js_transformer/helpers/insert_code.rs

library/agent/hooks/instrumentation/injectedFunctions.ts

library/bundler/internal/base.ts

library/bundler/internal/bundlers/rolldown.ts

aikido-pr-checks · 2026-01-30T16:07:19Z

library/agent/hooks/instrumentation/loadHook.ts

+  pkgVersion: string | undefined = undefined
 ) {
-  const moduleInfo = getModuleInfoFromPath(path);
+  moduleInfo ??= getModuleInfoFromPath(path);


Reassigning function parameter 'moduleInfo' with 'moduleInfo ??= getModuleInfoFromPath(path)'. Use a new local variable or default parameter instead.

Details

✨ AI Reasoning
The patch introduced nullish-coalescing assignments to function parameters inside the patched function. Reassigning incoming parameters can obscure the original argument values and confuse callers and maintainers. The changes specifically set defaults by mutating parameters rather than using local variables or default parameters. This harms clarity and maintainability and was introduced in this diff.

🔧 How do I fix it?
Create new local variables instead of reassigning parameters. Use different variable names to clearly distinguish between input and modified values.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.}
_{Reply @AikidoSec ignore: [REASON] to ignore this issue.}
_{More info}

instrumentation-wasm/src/js_transformer/transform_insert_sca.rs

library/bundler/internal/base.ts

library/bundler/internal/bundlers/esbuild.ts

library/bundler/internal/base.ts

+ Update OXC

timokoessler changed the base branch from main to new-instrumentation September 30, 2025 09:29

timokoessler mentioned this pull request Sep 30, 2025

esbuild plugin (POC) #689

Closed

Base automatically changed from new-instrumentation to main November 7, 2025 13:10

timokoessler changed the base branch from main to new-build-process November 13, 2025 13:56

timokoessler changed the base branch from new-build-process to main January 29, 2026 17:07

timokoessler added 14 commits January 29, 2026 18:15

Support esbuild using unplugin

68b231e

Fix lockfile

7af328b

WIP Implement esbuild support

eb2b021

Fix esm bundling using esbuild

167d339

Add e2e tests for esbuild

11ffa1c

Do not start agent during bundling

d10e78c

+ Some refactor, fixes and test improvements

Some esbuild edge cases

9e4abaa

Prepare rolldown / rollup (WIP)

f6b3e54

Rolldown / rollup support (WIP)

4923220

Implement solution for SCA (WIP)

893d086

Implement SCA for all imported libraries

74a031f

Fix tests and rolldown build

1566d3c

Add rolldown tests

27e13f6

Simplify to always externalize Zen

2f4b1d6

timokoessler force-pushed the bundler-support branch from f7741d7 to 2f4b1d6 Compare January 29, 2026 17:20

timokoessler added 2 commits January 29, 2026 18:45

Fix rebase

47fc715

Detect agent version change after bundling

d32d3dc

timokoessler changed the title ~~Bundler support (POC)~~ Add initial bundler plugin Jan 30, 2026

timokoessler added 5 commits January 30, 2026 12:04

Add unit tests for rolldown

7b82d7c

Add more bundling unit tests

98c8d74

Remove unplugin

e7fa2b6

Add docs and modify tests

d35ba2c

More test fixes

4cfe82c

timokoessler marked this pull request as ready for review January 30, 2026 16:05