From 14c3735eb51d29bf8d11cf1c70173c5b9ad3cff1 Mon Sep 17 00:00:00 2001
From: Connor McEntee <sallustfire@gmail.com>
Date: Fri, 7 Nov 2025 20:46:33 -0700
Subject: [PATCH] fix: skip sandbox validation for external modules in
 bazel-sandbox plugin

The bazel-sandbox plugin throws errors when esbuild resolves external
paths (marked via the external attribute), even though these paths are
intentionally excluded from bundling and don't need to exist in the Bazel
sandbox.

This change adds a check for result.external (https://esbuild.github.io/api/#external)
before path validation, allowing external modules to bypass sandbox checks
while maintaining security for bundled modules.
---
 esbuild/private/plugins/bazel-sandbox.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/esbuild/private/plugins/bazel-sandbox.js b/esbuild/private/plugins/bazel-sandbox.js
index 67feed1..5477b18 100644
--- a/esbuild/private/plugins/bazel-sandbox.js
+++ b/esbuild/private/plugins/bazel-sandbox.js
@@ -39,6 +39,16 @@ async function resolveInExecroot(build, importPath, otherOptions) {
     return result
   }
 
+  // External modules are intentionally outside the bundle and don't need path validation
+  if (result.external) {
+    if (!!process.env.JS_BINARY__LOG_DEBUG) {
+      console.error(
+        `DEBUG: [bazel-sandbox] skipping sandbox validation for external module: ${result.path}`
+      )
+    }
+    return result
+  }
+
   if (
     !result.path.startsWith('.') &&
     !result.path.startsWith('/') &&