Merge branch 'main' into JakeChampion-patch-1

Author: mrstork

.release-please-manifest.json

@@ -1,17 +1,17 @@
 {
   "packages/build-info": "10.0.7",
-  "packages/build": "35.0.4",
-  "packages/edge-bundler": "14.5.0",
-  "packages/cache-utils": "6.0.3",
-  "packages/config": "24.0.1",
-  "packages/functions-utils": "6.2.1",
+  "packages/build": "35.1.2",
+  "packages/edge-bundler": "14.5.2",
+  "packages/cache-utils": "6.0.4",
+  "packages/config": "24.0.3",
+  "packages/functions-utils": "6.2.4",
   "packages/git-utils": "6.0.2",
-  "packages/headers-parser": "9.0.1",
-  "packages/js-client": "14.0.3",
+  "packages/headers-parser": "9.0.2",
+  "packages/js-client": "14.0.4",
   "packages/nock-udp": "5.0.1",
   "packages/redirect-parser": "15.0.3",
   "packages/run-utils": "6.0.2",
   "packages/opentelemetry-sdk-setup": "2.0.2",
   "packages/opentelemetry-utils": "2.0.1",
-  "packages/zip-it-and-ship-it": "14.1.1"
+  "packages/zip-it-and-ship-it": "14.1.4"
 }

package-lock.json

@@ -105,6 +105,80 @@
   * dependencies
     * @netlify/config bumped from ^20.8.0 to ^20.8.1
 
+## [35.1.2](https://github.com/netlify/build/compare/build-v35.1.1...build-v35.1.2) (2025-08-19)
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/functions-utils bumped from ^6.2.3 to ^6.2.4
+    * @netlify/zip-it-and-ship-it bumped from 14.1.3 to 14.1.4
+
+## [35.1.1](https://github.com/netlify/build/compare/build-v35.1.0...build-v35.1.1) (2025-08-18)
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/functions-utils bumped from ^6.2.2 to ^6.2.3
+    * @netlify/zip-it-and-ship-it bumped from 14.1.2 to 14.1.3
+
+## [35.1.0](https://github.com/netlify/build/compare/build-v35.0.7...build-v35.1.0) (2025-08-14)
+
+
+### Features
+
+* add skew protection to Frameworks API ([#6601](https://github.com/netlify/build/issues/6601)) ([6cf3065](https://github.com/netlify/build/commit/6cf306535d8083797a140ecaa05b0778c33e1052))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/config bumped from ^24.0.2 to ^24.0.3
+
+## [35.0.7](https://github.com/netlify/build/compare/build-v35.0.6...build-v35.0.7) (2025-08-12)
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/edge-bundler bumped from 14.5.1 to 14.5.2
+
+## [35.0.6](https://github.com/netlify/build/compare/build-v35.0.5...build-v35.0.6) (2025-08-11)
+
+
+### Bug Fixes
+
+* **deps:** update dependency @netlify/blobs to ^10.0.8 ([#6584](https://github.com/netlify/build/issues/6584)) ([1e7332a](https://github.com/netlify/build/commit/1e7332ad332f8b35e5ce48cbfda389e22658b618))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/edge-bundler bumped from 14.5.0 to 14.5.1
+
+## [35.0.5](https://github.com/netlify/build/compare/build-v35.0.4...build-v35.0.5) (2025-08-08)
+
+
+### Bug Fixes
+
+* remove code supporting versions of Node < v15 ([#6599](https://github.com/netlify/build/issues/6599)) ([d9f55d3](https://github.com/netlify/build/commit/d9f55d35fbf4c1f37f2a6632a43566fb6d295ca1))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @netlify/cache-utils bumped from ^6.0.3 to ^6.0.4
+    * @netlify/config bumped from ^24.0.1 to ^24.0.2
+    * @netlify/functions-utils bumped from ^6.2.1 to ^6.2.2
+    * @netlify/zip-it-and-ship-it bumped from 14.1.1 to 14.1.2
+
 ## [35.0.4](https://github.com/netlify/build/compare/build-v35.0.3...build-v35.0.4) (2025-08-06)
 
 

packages/build/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "35.0.4",
+  "version": "35.1.2",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -67,16 +67,16 @@
   "license": "MIT",
   "dependencies": {
     "@bugsnag/js": "^8.0.0",
-    "@netlify/blobs": "^10.0.7",
-    "@netlify/cache-utils": "^6.0.3",
-    "@netlify/config": "^24.0.1",
-    "@netlify/edge-bundler": "14.5.0",
-    "@netlify/functions-utils": "^6.2.1",
+    "@netlify/blobs": "^10.0.8",
+    "@netlify/cache-utils": "^6.0.4",
+    "@netlify/config": "^24.0.3",
+    "@netlify/edge-bundler": "14.5.2",
+    "@netlify/functions-utils": "^6.2.4",
     "@netlify/git-utils": "^6.0.2",
     "@netlify/opentelemetry-utils": "^2.0.1",
     "@netlify/plugins-list": "^6.80.0",
     "@netlify/run-utils": "^6.0.2",
-    "@netlify/zip-it-and-ship-it": "14.1.1",
+    "@netlify/zip-it-and-ship-it": "14.1.4",
     "@sindresorhus/slugify": "^2.0.0",
     "ansi-escapes": "^7.0.0",
     "ansis": "^4.1.0",
@@ -115,7 +115,8 @@
     "typescript": "^5.0.0",
     "uuid": "^11.0.0",
     "yaml": "^2.8.0",
-    "yargs": "^17.6.0"
+    "yargs": "^17.6.0",
+    "zod": "^3.25.76"
   },
   "devDependencies": {
     "@netlify/nock-udp": "^5.0.1",

packages/build/package.json

@@ -8,7 +8,7 @@ import { Metric } from '../../core/report_metrics.js'
 import { log, reduceLogLines } from '../../log/logger.js'
 import { logFunctionsToBundle } from '../../log/messages/core_steps.js'
 import {
-  FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT,
+  FRAMEWORKS_API_EDGE_FUNCTIONS_PATH,
   FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP,
 } from '../../utils/frameworks_api.js'
 
@@ -52,7 +52,7 @@ const coreStep = async function ({
   const internalSrcPath = resolve(buildDir, internalSrcDirectory)
   const distImportMapPath = join(dirname(internalSrcPath), IMPORT_MAP_FILENAME)
   const srcPath = srcDirectory ? resolve(buildDir, srcDirectory) : undefined
-  const frameworksAPISrcPath = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT)
+  const frameworksAPISrcPath = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_PATH)
   const generatedFunctionPaths = [internalSrcPath]
 
   if (await pathExists(frameworksAPISrcPath)) {
@@ -62,7 +62,7 @@ const coreStep = async function ({
   const frameworkImportMap = resolve(
     buildDir,
     packagePath || '',
-    FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT,
+    FRAMEWORKS_API_EDGE_FUNCTIONS_PATH,
     FRAMEWORKS_API_EDGE_FUNCTIONS_IMPORT_MAP,
   )
 
@@ -170,7 +170,7 @@ const hasEdgeFunctionsDirectories = async function ({
     return true
   }
 
-  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_ENDPOINT)
+  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_EDGE_FUNCTIONS_PATH)
 
   return await pathExists(frameworkFunctionsSrc)
 }

packages/build/src/plugins_core/edge_functions/index.ts

@@ -1,9 +1,14 @@
+import { promises as fs } from 'node:fs'
+import { dirname, resolve } from 'node:path'
+
 import { mergeConfigs } from '@netlify/config'
 
 import type { NetlifyConfig } from '../../index.js'
 import { getConfigMutations } from '../../plugins/child/diff.js'
+import { DEPLOY_CONFIG_DIST_PATH, FRAMEWORKS_API_SKEW_PROTECTION_PATH } from '../../utils/frameworks_api.js'
 import { CoreStep, CoreStepFunction } from '../types.js'
 
+import { loadSkewProtectionConfig } from './skew_protection.js'
 import { filterConfig, loadConfigFile } from './util.js'
 
 // The properties that can be set using this API. Each element represents a
@@ -26,6 +31,30 @@ const ALLOWED_PROPERTIES = [
 // a special notation where `redirects!` represents "forced redirects", etc.
 const OVERRIDE_PROPERTIES = new Set(['redirects!'])
 
+// Looks for a skew protection configuration file. If found, the file is loaded
+// and validated against the schema, throwing a build error if validation
+// fails. If valid, the contents are written to the deploy config file.
+const handleSkewProtection = async (buildDir: string, packagePath?: string) => {
+  const inputPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_SKEW_PROTECTION_PATH)
+  const outputPath = resolve(buildDir, packagePath ?? '', DEPLOY_CONFIG_DIST_PATH)
+
+  const skewProtectionConfig = await loadSkewProtectionConfig(inputPath)
+  if (!skewProtectionConfig) {
+    return
+  }
+
+  const deployConfig = {
+    skew_protection: skewProtectionConfig,
+  }
+
+  try {
+    await fs.mkdir(dirname(outputPath), { recursive: true })
+    await fs.writeFile(outputPath, JSON.stringify(deployConfig))
+  } catch (error) {
+    throw new Error('Failed to process skew protection configuration', { cause: error })
+  }
+}
+
 const coreStep: CoreStepFunction = async function ({
   buildDir,
   netlifyConfig,
@@ -34,6 +63,7 @@ const coreStep: CoreStepFunction = async function ({
     // no-op
   },
 }) {
+  await handleSkewProtection(buildDir, packagePath)
   let config: Partial<NetlifyConfig> | undefined
 
   try {

packages/build/src/plugins_core/frameworks_api/index.ts

@@ -0,0 +1,54 @@
+import { promises as fs } from 'node:fs'
+
+import { z } from 'zod'
+
+const deployIDSourceTypeSchema = z.enum(['cookie', 'header', 'query'])
+
+const deployIDSourceSchema = z.object({
+  type: deployIDSourceTypeSchema,
+  name: z.string(),
+})
+
+const skewProtectionConfigSchema = z.object({
+  patterns: z.array(z.string()),
+  sources: z.array(deployIDSourceSchema),
+})
+
+export type SkewProtectionConfig = z.infer<typeof skewProtectionConfigSchema>
+export type DeployIDSource = z.infer<typeof deployIDSourceSchema>
+export type DeployIDSourceType = z.infer<typeof deployIDSourceTypeSchema>
+
+const validateSkewProtectionConfig = (input: unknown): SkewProtectionConfig => {
+  const { data, error, success } = skewProtectionConfigSchema.safeParse(input)
+
+  if (success) {
+    return data
+  }
+
+  throw new Error(`Invalid skew protection configuration:\n\n${formatSchemaError(error)}`)
+}
+
+export const loadSkewProtectionConfig = async (configPath: string) => {
+  let parsedData: unknown
+
+  try {
+    const data = await fs.readFile(configPath, 'utf8')
+
+    parsedData = JSON.parse(data)
+  } catch (error) {
+    // If the file doesn't exist, this is a non-error.
+    if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+      return
+    }
+
+    throw new Error('Invalid skew protection configuration', { cause: error })
+  }
+
+  return validateSkewProtectionConfig(parsedData)
+}
+
+const formatSchemaError = (error: z.ZodError) => {
+  const lines = error.issues.map((issue) => `- ${issue.path.join('.')}: ${issue.message}`)
+
+  return lines.join('\n')
+}

packages/build/src/plugins_core/frameworks_api/skew_protection.ts

@@ -4,11 +4,11 @@ import { resolve } from 'path'
 import isPlainObject from 'is-plain-obj'
 
 import type { NetlifyConfig } from '../../index.js'
-import { FRAMEWORKS_API_CONFIG_ENDPOINT } from '../../utils/frameworks_api.js'
+import { FRAMEWORKS_API_CONFIG_PATH } from '../../utils/frameworks_api.js'
 import { SystemLogger } from '../types.js'
 
 export const loadConfigFile = async (buildDir: string, packagePath?: string) => {
-  const configPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_CONFIG_ENDPOINT)
+  const configPath = resolve(buildDir, packagePath ?? '', FRAMEWORKS_API_CONFIG_PATH)
 
   try {
     const data = await fs.readFile(configPath, 'utf8')

packages/build/src/plugins_core/frameworks_api/util.ts

@@ -7,7 +7,7 @@ import { addErrorInfo } from '../../error/info.js'
 import { log } from '../../log/logger.js'
 import { type GeneratedFunction, getGeneratedFunctions } from '../../steps/return_values.js'
 import { logBundleResults, logFunctionsNonExistingDir, logFunctionsToBundle } from '../../log/messages/core_steps.js'
-import { FRAMEWORKS_API_FUNCTIONS_ENDPOINT } from '../../utils/frameworks_api.js'
+import { FRAMEWORKS_API_FUNCTIONS_PATH } from '../../utils/frameworks_api.js'
 
 import { getZipError } from './error.js'
 import { getUserAndInternalFunctions, validateFunctionsSrc } from './utils.js'
@@ -147,7 +147,7 @@ const coreStep = async function ({
   const functionsDist = resolve(buildDir, relativeFunctionsDist)
   const internalFunctionsSrc = resolve(buildDir, relativeInternalFunctionsSrc)
   const internalFunctionsSrcExists = await pathExists(internalFunctionsSrc)
-  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_ENDPOINT)
+  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_PATH)
   const frameworkFunctionsSrcExists = await pathExists(frameworkFunctionsSrc)
   const functionsSrcExists = await validateFunctionsSrc({ functionsSrc, relativeFunctionsSrc })
   const [userFunctions = [], internalFunctions = [], frameworkFunctions = []] = await getUserAndInternalFunctions({
@@ -240,7 +240,7 @@ const hasFunctionsDirectories = async function ({
     return true
   }
 
-  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_ENDPOINT)
+  const frameworkFunctionsSrc = resolve(buildDir, packagePath || '', FRAMEWORKS_API_FUNCTIONS_PATH)
 
   if (await pathExists(frameworkFunctionsSrc)) {
     return true

packages/build/src/plugins_core/functions/index.ts

@@ -2,11 +2,11 @@ import { rm } from 'node:fs/promises'
 import { resolve } from 'node:path'
 
 import { getBlobsDirs } from '../../utils/blobs.js'
-import { FRAMEWORKS_API_ENDPOINT } from '../../utils/frameworks_api.js'
+import { FRAMEWORKS_API_PATH } from '../../utils/frameworks_api.js'
 import { CoreStep, CoreStepFunction } from '../types.js'
 
 const coreStep: CoreStepFunction = async ({ buildDir, packagePath }) => {
-  const dirs = [...getBlobsDirs(buildDir, packagePath), resolve(buildDir, packagePath || '', FRAMEWORKS_API_ENDPOINT)]
+  const dirs = [...getBlobsDirs(buildDir, packagePath), resolve(buildDir, packagePath || '', FRAMEWORKS_API_PATH)]
 
   try {
     await Promise.all(dirs.map((dir) => rm(dir, { recursive: true, force: true })))