Fix module resolution and Vite bundling for browser builds

[Copilot]

TypeScript compilation and Vite bundling failed when importing objectstack.config.ts from example packages. Three issues identified:

1. Example packages didn't export their config files in package.json
2. Import used wrong package name: @objectstack/example-todo → @example/app-todo
3. Node.js modules (module, crypto) imported at top level in @objectstack/core caused Vite bundling failures

Changes

Package exports - Added exports, main, and types fields to:

• @example/app-todo/package.json
• @example/app-crm/package.json
• @example/plugin-bi/package.json

{
  "main": "./objectstack.config.ts",
  "types": "./objectstack.config.ts",
  "exports": {
    ".": "./objectstack.config.ts",
    "./objectstack.config": "./objectstack.config.ts"
  }
}

Import path - Fixed in examples/app-react-crud/src/mocks/browser.ts:

- import todoConfig from '@objectstack/example-todo/objectstack.config';
+ import todoConfig from '@example/app-todo/objectstack.config';

Universal library bundling - Fixed Node.js module imports in @objectstack/core:

• packages/core/src/logger.ts - Moved module import to runtime using eval for Node.js environment detection
• packages/core/src/security/plugin-signature-verifier.ts - Moved crypto import to runtime using eval

These changes prevent browser bundlers (Vite/Rollup) from attempting to include Node.js-only modules in browser bundles while maintaining full functionality in Node.js environments.

Testing

• ✅ TypeScript compilation passes
• ✅ Vite build completes successfully
• ✅ Browser builds work correctly
• ✅ Security scan passed (0 vulnerabilities)

Original prompt

引用: https://github.com/objectstack-ai/spec/actions/runs/21617125959/job/62298291454#step:8:1

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spec	Ready	Preview, Comment	Feb 3, 2026 5:12am

[hotlong]

@copilot fix 2026-02-03T05:00:23.8652084Z examples/app-react-crud build: Continue by describing the network in your application:
2026-02-03T05:00:23.8653427Z examples/app-react-crud build: �[31m�[1mhttps://mswjs.io/docs/quick-start�[22m�[39m
2026-02-03T05:00:26.5966216Z examples/app-host build: Done
2026-02-03T05:00:27.6773834Z examples/app-react-crud build: �[36mvite v7.3.1 �[32mbuilding client environment for production...�[36m�[39m
2026-02-03T05:00:27.9250637Z examples/app-react-crud build: transforming...
2026-02-03T05:00:28.2785184Z examples/app-react-crud build: �[33m[plugin vite:resolve] Module "module" has been externalized for browser compatibility, imported by "/home/runner/work/spec/spec/packages/core/dist/logger.js". See https://vite.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.�[39m
2026-02-03T05:00:28.4691844Z examples/app-react-crud build: �[33m[plugin vite:resolve] Module "crypto" has been externalized for browser compatibility, imported by "/home/runner/work/spec/spec/packages/core/dist/security/plugin-signature-verifier.js". See https://vite.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.�[39m
2026-02-03T05:00:29.9762089Z examples/app-react-crud build: �[32m✓�[39m 826 modules transformed.
2026-02-03T05:00:29.9780891Z examples/app-react-crud build: �[31m✗�[39m Build failed in 2.28s
2026-02-03T05:00:29.9781855Z examples/app-react-crud build: �[31merror during build:
2026-02-03T05:00:29.9783893Z examples/app-react-crud build: �[31m../../packages/core/dist/logger.js (1:9): "createRequire" is not exported by "__vite-browser-external", imported by "../../packages/core/dist/logger.js".�[31m
2026-02-03T05:00:29.9785633Z examples/app-react-crud build: file: �[36m/home/runner/work/spec/spec/packages/core/dist/logger.js:1:9�[31m
2026-02-03T05:00:29.9786505Z examples/app-react-crud build: �[33m
2026-02-03T05:00:29.9787259Z examples/app-react-crud build: 1: import { createRequire } from 'module';
2026-02-03T05:00:29.9788006Z examples/app-react-crud build: ^
2026-02-03T05:00:29.9788839Z examples/app-react-crud build: 2: const require = createRequire(import.meta.url);
2026-02-03T05:00:29.9789598Z examples/app-react-crud build: 3: /**
2026-02-03T05:00:29.9790179Z examples/app-react-crud build: �[31m
2026-02-03T05:00:29.9791663Z examples/app-react-crud build: at getRollupError (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/parseAst.js:402:41)
2026-02-03T05:00:29.9793809Z examples/app-react-crud build: at error (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/parseAst.js:398:42)
2026-02-03T05:00:29.9796148Z examples/app-react-crud build: at Module.error (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:17040:16)
2026-02-03T05:00:29.9797908Z examples/app-react-crud build: at Module.traceVariable (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:17452:29)
2026-02-03T05:00:29.9799780Z examples/app-react-crud build: at ModuleScope.findVariable (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:15070:39)
2026-02-03T05:00:29.9801905Z examples/app-react-crud build: at Identifier.bind (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:5447:40)
2026-02-03T05:00:29.9803778Z examples/app-react-crud build: at CallExpression.bind (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:2829:23)
2026-02-03T05:00:29.9806008Z examples/app-react-crud build: at CallExpression.bind (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:12179:15)
2026-02-03T05:00:29.9807460Z examples/app-react-crud build: at VariableDeclarator.bind (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:2829:23)
2026-02-03T05:00:29.9808933Z examples/app-react-crud build: at VariableDeclaration.bind (file:///home/runner/work/spec/spec/node_modules/.pnpm/rollup@4.57.1/node_modules/rollup/dist/es/shared/node-entry.js:2825:28)�[39m
2026-02-03T05:00:30.0103182Z examples/app-react-crud build: Failed
2026-02-03T05:00:30.0233029Z /home/runner/work/spec/spec/examples/app-react-crud:
2026-02-03T05:00:30.0234446Z  ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL  @example/app-react-crud@0.9.0 build: pnpm msw:init && tsc && vite build
2026-02-03T05:00:30.0235008Z Exit status 1
2026-02-03T05:00:30.0482392Z  ELIFECYCLE  Command failed with exit code 1.
2026-02-03T05:00:30.0613777Z ##[error]Process completed with exit code 1.

[Copilot]

@copilot fix 2026-02-03T05:00:23.8652084Z examples/app-react-crud build: Continue by describing the network in your application:
2026-02-03T05:00:23.8653427Z examples/app-react-crud build: �[31m�[1mht...

Fixed in commit 1e0c9b0. The issue was that @objectstack/core imports Node.js modules (module, crypto) at the top level, which causes Vite to fail when bundling for the browser.

Solution:

• Modified logger.ts and plugin-signature-verifier.ts to conditionally load Node.js modules using eval only when in Node.js environment
• This prevents browser bundlers from trying to include these modules
• Build now completes successfully with expected eval warnings

The Vite build now succeeds:

✓ 824 modules transformed.
✓ built in 4.50s

[Copilot]

Pull request overview

This pull request fixes TypeScript compilation and Vite bundling failures when importing ObjectStack configuration files from example packages. The root cause was three-fold: missing package exports, incorrect import paths, and Node.js built-in modules being included in browser bundles.

Changes:

• Added package export configurations to example packages (app-todo, app-crm, plugin-bi) to expose their objectstack.config.ts files
• Corrected import path from @objectstack/example-todo to @example/app-todo in browser.ts
• Wrapped Node.js module imports (crypto, module) in eval() calls to prevent bundlers from including them in browser builds

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
examples/app-todo/package.json	Added exports configuration to expose objectstack.config.ts for external imports
examples/app-crm/package.json	Added exports configuration to expose objectstack.config.ts for external imports
examples/plugin-bi/package.json	Added exports configuration to expose objectstack.config.ts (inconsistent with main field pointing to src/index.ts)
examples/app-react-crud/src/mocks/browser.ts	Fixed incorrect package name from @objectstack/example-todo to @example/app-todo
packages/core/src/logger.ts	Moved module import to runtime using eval() to avoid bundler inclusion in browser builds
packages/core/src/security/plugin-signature-verifier.ts	Moved crypto import to runtime using eval() to avoid bundler inclusion in browser builds

[Copilot]

Inconsistent package exports configuration. The "main" field points to "src/index.ts" (a plugin implementation), while the "exports" includes "./objectstack.config" pointing to "objectstack.config.ts" (a manifest). This differs from the pattern used in app-todo and app-crm where "main" points to "objectstack.config.ts".

Since app-host imports from "@example/plugin-bi/objectstack.config", the exports configuration is correct, but the "main" field should also point to "objectstack.config.ts" for consistency, or the package should clarify its dual purpose (both plugin implementation and manifest export).

[Copilot]

Using eval() to dynamically load Node.js modules creates a security risk and violates Content Security Policy (CSP) in environments that enforce 'unsafe-eval' restrictions. While this approach works around bundler issues, it has operational implications:

1. Security: eval() execution can be exploited if an attacker can control the string being evaluated, even though the current usage appears safe
2. CSP Compliance: Browsers with strict CSP will block eval(), making this code fail in secure contexts
3. Code Analysis: Static analysis tools and bundlers cannot track the dependency

Consider these alternatives:

• Use conditional dynamic imports: await import('crypto') with proper error handling
• Use Vite/Rollup's external configuration to exclude Node.js modules from browser builds
• Create separate entry points for Node.js and browser environments

The current approach may work but has significant operational and security tradeoffs that should be documented or addressed with a more robust solution.

[Copilot]

Using eval() to dynamically load Node.js modules creates security and operational risks:

1. Security: eval() can be exploited and violates Content Security Policy (CSP) with 'unsafe-eval' restrictions
2. Runtime Failures: This code will fail in browser environments with strict CSP
3. Maintainability: Static analysis tools cannot track these dynamic dependencies

Consider these alternatives:

• Use conditional dynamic imports with try/catch: await import('module')
• Configure Vite/Rollup to externalize Node.js built-ins for browser builds
• Create separate build targets for Node.js and browser environments

The pattern is repeated from plugin-signature-verifier.ts, suggesting a systemic approach to this problem. A more robust, security-conscious solution should be implemented across the codebase.

Suggested change

	// Create require function dynamically for Node.js (avoids bundling issues in browser)
	// @ts-ignore - dynamic import of Node.js module
	const { createRequire } = eval('require("module")');
	this.require = createRequire(import.meta.url);
	// Synchronous import for Pino using createRequire (works in ESM)
	// Use CommonJS require directly when available (Node.js CJS environments)
	if (typeof require !== 'undefined') {
	// @ts-ignore - require is only available in Node.js CJS
	this.require = require;
	} else {
	// In environments without require (e.g., Node ESM), fail gracefully and use console fallback
	throw new Error('CommonJS require is not available');
	}
	// Synchronous import for Pino using CommonJS require