feat: add default lodash package to Node-TypeScript runtime
Add lodash and its @types/lodash declarations to the pre-installed
node_modules and bind-mount it read-only into /sandbox on the run step
(in addition to the existing compile-step mount), so compiled JS
resolves require('lodash') at run time and tsc type-checks the import.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
internal/sandbox/CLAUDE.md: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ Core sandbox execution engine, split across three files:
9
9
-**configs/seccomp.kafel** — Seccomp-BPF syscall filtering policy written in Kafel. Uses a blacklist approach (DEFAULT ALLOW) blocking dangerous syscalls (io_uring, bpf, userfaultfd, mount, ptrace, etc.) as a defense-in-depth layer. Referenced from nsjail.cfg via `seccomp_policy_file` and copied to `/etc/nsjail/seccomp.kafel` in Docker.
10
10
-**defaults/go/** — Embedded `go.mod.tmpl` and `go.sum.tmpl` templates applied as default files for Go runtime execution.
11
11
-**defaults/node/** — Embedded `package.json` and `package-lock.json` applied as default files for Node runtime execution. Pins the default packages (currently `lodash`) pre-installed at `/mise/node-modules/node_modules` (bind-mounted read-only into `/sandbox/node_modules` during the run step). Regenerate the lockfile with `npm install --package-lock-only`; never edit by hand.
12
-
-**defaults/node-typescript/** — Embedded `package.json`, `package-lock.json`, and `tsconfig.json` applied as default files for Node-TypeScript runtime execution.
12
+
-**defaults/node-typescript/** — Embedded `package.json`, `package-lock.json`, and `tsconfig.json` applied as default files for Node-TypeScript runtime execution. Beyond `typescript` and `@types/node`, ships the default packages (currently `lodash` plus its `@types/lodash` declarations) pre-installed at `/mise/ts-node-modules/node_modules`, bind-mounted read-only into `/sandbox/node_modules` on both the compile step (so `tsc` resolves the types) and the run step (so the compiled JS resolves `require()`). Regenerate the lockfile with `npm install --package-lock-only`; never edit by hand.
13
13
-**defaults/ruby/** — Embedded `Gemfile` and `Gemfile.lock` applied as default files for Ruby runtime execution. The lockfile is generated via Bundler CLI (`bundle install` + `bundle lock --add-platform x86_64-linux aarch64-linux` + `bundle lock --add-checksums`); never edit by hand. The `CHECKSUMS` section pins each gem's SHA-256 so `bundle install` at Docker build time refuses to proceed if a fetched gem differs from the locked hash (supply-chain protection).
14
14
15
15
Go runtime rejects user-submitted `go.mod`, `go.sum`, and `main` files (HTTP 400) to enforce use of defaults and prevent overwriting the compiled binary.
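Review bot: The new `defaults/node-typescript/` entry says the lockfile is regenerated with `npm install --package-lock-only` but, unlike the `defaults/ruby/` entry just below it, does not say what enforces the lock at Docker build time. Since this change adds two third-party packages (`lodash` and `@types/lodash`) to what every sandboxed run can load, state here how the pre-install step consumes the lockfile and whether the recorded integrity hashes are checked, so a reader can tell that the contents of `/mise/ts-node-modules/node_modules` are pinned. The entry could also say whether user-submitted `package.json` or `package-lock.json` files are rejected or overridden for this runtime, as the Go note at the end of the hunk does for `go.mod` and `go.sum`.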
{Src: "/mise/ts-node-modules/node_modules", Dst: "/sandbox/node_modules"}, // pre-installed default packages (read-only); the compiled JS resolves require() against this at run time
{Src: "/mise/ts-node-modules/node_modules", Dst: "/sandbox/node_modules"}, // pre-installed typescript, type definitions, and default packages such as lodash (read-only)
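Review bot: Both mount entries describe themselves as read-only only in the trailing comment; the literals set just `Src` and `Dst`, so nothing in these lines shows the read-only property being set. Confirm that the mount type's default is read-only (or set it explicitly if the struct has a field for it) and add a test that a write under `/sandbox/node_modules` fails in the run step. Also, the run-step entry reuses `/mise/ts-node-modules/node_modules`, which per the second comment holds `typescript` and the type definitions as well, so the run-step comment should say that user code can now load the compiler package too, or the run step should get a directory with only the runtime packages.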