Overview

7 days30 days

Latest CI Pipeline Executions

Fuzzy

Succeeded
master
accaab01 fix(misc): use default import for chalk in @nx/workspace output.ts (#35523) ## Current Behavior `require('@nx/workspace')` throws a `TypeError` in 22.7.x, crashing any generator that imports from `@nx/workspace`: ``` TypeError: Cannot read properties of undefined (reading 'inverse') at new CLIOutput (.../node_modules/@nx/workspace/src/utils/output.js:14:38) ``` Fixes #35521 ## Root Cause PR #34111 (commit `732a08c`) added `esModuleInterop: true` to `tsconfig.base.json`. This caused `import * as chalk from 'chalk'` in `output.ts` to compile to `tslib.__importStar(require("chalk"))` instead of `require("chalk")` directly. `tslib.__importStar` only copies own enumerable properties — chalk v4 exposes `reset`, `bold`, `inverse`, etc. as **prototype getters** on the `Chalk` class, not own properties. After wrapping, `chalk.reset` is `undefined` → crash. ## Changes `packages/workspace/src/utils/output.ts` — change `import * as chalk from 'chalk'` to `import chalk from 'chalk'`. With `esModuleInterop: true`, the default import compiles to `__importDefault(require("chalk")).default` which returns the chalk instance directly with its prototype chain intact. ## How Has This Been Tested? Same fix applied previously for the identical root cause in: - #21201 (`@nx/eslint-plugin`) - #26667 (`@nx/angular`) Verified by simulating the compiled output in a minimal repro workspace — see #35521 for the reproduction script. ## Checklist - [ ] `nx affected:test` has been run - [x] My changes do not require a change to the documentation --------- Co-authored-by: Miroslav Jonaš <missing.manual@gmail.com> Co-authored-by: Craigory Coppola <craigorycoppola@gmail.com>
by Jonathan G...
Succeeded
713
6995883e
by pull[bot]
Succeeded
693
39b52346 fix(schematics): fix devkit version for ng-new
by Jason Jean
Succeeded
master
13935377 fix(angular): bump prescribed angular version to 22.0.4 (#36130) ## Current Behavior nx prescribes Angular `~22.0.0` for new workspaces, which allows landing on 22.0.0-22.0.3 where Angular's `change-detection-eager` ng-update codemod crashes on nested projects (`Path "app/app.component.ts" does not exist`). ## Expected Behavior Bump `angularVersion` and `angularDevkitVersion` to `~22.0.4` - the patched release that fixes the codemod. `ngPackagrVersion` stays `~22.0.0` (no 22.0.4 is published). ## Related Issue(s) NXC-4574  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/nx-23.1.0-beta.0-Migration-24e91166)  --------- Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
by Jack Hsu
Failed
master
accaab01 fix(misc): use default import for chalk in @nx/workspace output.ts (#35523) ## Current Behavior `require('@nx/workspace')` throws a `TypeError` in 22.7.x, crashing any generator that imports from `@nx/workspace`: ``` TypeError: Cannot read properties of undefined (reading 'inverse') at new CLIOutput (.../node_modules/@nx/workspace/src/utils/output.js:14:38) ``` Fixes #35521 ## Root Cause PR #34111 (commit `732a08c`) added `esModuleInterop: true` to `tsconfig.base.json`. This caused `import * as chalk from 'chalk'` in `output.ts` to compile to `tslib.__importStar(require("chalk"))` instead of `require("chalk")` directly. `tslib.__importStar` only copies own enumerable properties — chalk v4 exposes `reset`, `bold`, `inverse`, etc. as **prototype getters** on the `Chalk` class, not own properties. After wrapping, `chalk.reset` is `undefined` → crash. ## Changes `packages/workspace/src/utils/output.ts` — change `import * as chalk from 'chalk'` to `import chalk from 'chalk'`. With `esModuleInterop: true`, the default import compiles to `__importDefault(require("chalk")).default` which returns the chalk instance directly with its prototype chain intact. ## How Has This Been Tested? Same fix applied previously for the identical root cause in: - #21201 (`@nx/eslint-plugin`) - #26667 (`@nx/angular`) Verified by simulating the compiled output in a minimal repro workspace — see #35521 for the reproduction script. ## Checklist - [ ] `nx affected:test` has been run - [x] My changes do not require a change to the documentation --------- Co-authored-by: Miroslav Jonaš <missing.manual@gmail.com> Co-authored-by: Craigory Coppola <craigorycoppola@gmail.com>
by Jonathan G...
Failed
master
accaab01 fix(misc): use default import for chalk in @nx/workspace output.ts (#35523) ## Current Behavior `require('@nx/workspace')` throws a `TypeError` in 22.7.x, crashing any generator that imports from `@nx/workspace`: ``` TypeError: Cannot read properties of undefined (reading 'inverse') at new CLIOutput (.../node_modules/@nx/workspace/src/utils/output.js:14:38) ``` Fixes #35521 ## Root Cause PR #34111 (commit `732a08c`) added `esModuleInterop: true` to `tsconfig.base.json`. This caused `import * as chalk from 'chalk'` in `output.ts` to compile to `tslib.__importStar(require("chalk"))` instead of `require("chalk")` directly. `tslib.__importStar` only copies own enumerable properties — chalk v4 exposes `reset`, `bold`, `inverse`, etc. as **prototype getters** on the `Chalk` class, not own properties. After wrapping, `chalk.reset` is `undefined` → crash. ## Changes `packages/workspace/src/utils/output.ts` — change `import * as chalk from 'chalk'` to `import chalk from 'chalk'`. With `esModuleInterop: true`, the default import compiles to `__importDefault(require("chalk")).default` which returns the chalk instance directly with its prototype chain intact. ## How Has This Been Tested? Same fix applied previously for the identical root cause in: - #21201 (`@nx/eslint-plugin`) - #26667 (`@nx/angular`) Verified by simulating the compiled output in a minimal repro workspace — see #35521 for the reproduction script. ## Checklist - [ ] `nx affected:test` has been run - [x] My changes do not require a change to the documentation --------- Co-authored-by: Miroslav Jonaš <missing.manual@gmail.com> Co-authored-by: Craigory Coppola <craigorycoppola@gmail.com>
by Jonathan G...
Succeeded
master
13935377 fix(angular): bump prescribed angular version to 22.0.4 (#36130) ## Current Behavior nx prescribes Angular `~22.0.0` for new workspaces, which allows landing on 22.0.0-22.0.3 where Angular's `change-detection-eager` ng-update codemod crashes on nested projects (`Path "app/app.component.ts" does not exist`). ## Expected Behavior Bump `angularVersion` and `angularDevkitVersion` to `~22.0.4` - the patched release that fixes the codemod. `ngPackagrVersion` stays `~22.0.0` (no 22.0.4 is published). ## Related Issue(s) NXC-4574  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/nx-23.1.0-beta.0-Migration-24e91166)  --------- Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
by Jack Hsu
Succeeded
808
7872fa1b
by pull[bot]
Succeeded
master
13935377 fix(angular): bump prescribed angular version to 22.0.4 (#36130) ## Current Behavior nx prescribes Angular `~22.0.0` for new workspaces, which allows landing on 22.0.0-22.0.3 where Angular's `change-detection-eager` ng-update codemod crashes on nested projects (`Path "app/app.component.ts" does not exist`). ## Expected Behavior Bump `angularVersion` and `angularDevkitVersion` to `~22.0.4` - the patched release that fixes the codemod. `ngPackagrVersion` stays `~22.0.0` (no 22.0.4 is published). ## Related Issue(s) NXC-4574  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/nx-23.1.0-beta.0-Migration-24e91166)  --------- Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
by Jack Hsu
Succeeded
712
90faaa11 fix(schematics): speed up the dry-run command Currently the `dry-run` command speed is on an average of: * `ng g app app_name --dry-run`: 7099.051ms to 7207.579ms; * `ng g lib lib_name --dry-run`: 4015.622ms to 3881.893ms; This is due to too many files in the tree. While performing the transformation required by the schematic, the tree inclues files in the _node_modules, .git, .idea, .vscode_ folders. These files are not needed and impact the performance of the commandline. This add a filter function on the tree, before anything is moved. With that filter function the average speed is: * `ng g app app_name --dry-run`: 1420.826ms to 1435.487ms; * `ng g lib lib_name --dry-run`: 1382.279ms to 1413.042ms; close #706
by ben
Succeeded
807
3e53951b feat(schematics): add an option to generate nestjs node-app
by FallenRite...
Succeeded
master
085566d8 fix(core): warn when the self-hosted remote cache disables TLS verification (NXC-4593) (#36132) ## Current Behavior The self-hosted HTTP remote cache (`NX_SELF_HOSTED_REMOTE_CACHE_SERVER`) makes its request from Rust (`reqwest`). It honors `NODE_TLS_REJECT_UNAUTHORIZED=0` by disabling TLS certificate verification — but because the request bypasses Node's TLS stack, **Node's built-in insecure-TLS warning never fires**, so the user is silently downgraded to unverified TLS with no indication. ## Expected Behavior When `NODE_TLS_REJECT_UNAUTHORIZED=0` is set and the self-hosted HTTP remote cache is in use, Nx re-emits Node's standard warning via `process.emitWarning`: > Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. This goes through Node's own warning machinery (so it respects `--no-warnings`, `NODE_NO_WARNINGS`, `--trace-warnings`, and de-duplication), surfacing the insecure configuration instead of leaving it silent. ## Related Issue(s) Follow-up TLS hardening for the self-hosted remote cache, alongside the path-traversal fix in #36116 (NXC-4593).  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/lucid-sparrow-3e44e727) 
by Jason Jean
Succeeded
1409
f1b26597
by pull[bot]
Succeeded
master
accaab01 fix(misc): use default import for chalk in @nx/workspace output.ts (#35523) ## Current Behavior `require('@nx/workspace')` throws a `TypeError` in 22.7.x, crashing any generator that imports from `@nx/workspace`: ``` TypeError: Cannot read properties of undefined (reading 'inverse') at new CLIOutput (.../node_modules/@nx/workspace/src/utils/output.js:14:38) ``` Fixes #35521 ## Root Cause PR #34111 (commit `732a08c`) added `esModuleInterop: true` to `tsconfig.base.json`. This caused `import * as chalk from 'chalk'` in `output.ts` to compile to `tslib.__importStar(require("chalk"))` instead of `require("chalk")` directly. `tslib.__importStar` only copies own enumerable properties — chalk v4 exposes `reset`, `bold`, `inverse`, etc. as **prototype getters** on the `Chalk` class, not own properties. After wrapping, `chalk.reset` is `undefined` → crash. ## Changes `packages/workspace/src/utils/output.ts` — change `import * as chalk from 'chalk'` to `import chalk from 'chalk'`. With `esModuleInterop: true`, the default import compiles to `__importDefault(require("chalk")).default` which returns the chalk instance directly with its prototype chain intact. ## How Has This Been Tested? Same fix applied previously for the identical root cause in: - #21201 (`@nx/eslint-plugin`) - #26667 (`@nx/angular`) Verified by simulating the compiled output in a minimal repro workspace — see #35521 for the reproduction script. ## Checklist - [ ] `nx affected:test` has been run - [x] My changes do not require a change to the documentation --------- Co-authored-by: Miroslav Jonaš <missing.manual@gmail.com> Co-authored-by: Craigory Coppola <craigorycoppola@gmail.com>
by Jonathan G...
Succeeded
master
bbd9ce72 cleanup(core): memoize external-deps map in HashPlanner (#36117) ## Current Behavior `HashPlanner::get_plans_internal` recomputes `setup_external_deps` — the map of every external node to its transitive project-node dependencies — on **every** call, even though it is a pure function of the immutable project graph. Because the task orchestrator hashes tasks on-demand wave-by-wave as they unblock, this runs dozens of times per run (~18ms each in profiling). ## Expected Behavior The external-deps map is computed **once per `HashPlanner` instance** via `OnceLock` and reused across all `get_plans_internal` calls. The daemon rebuilds the planner whenever the project graph changes (`handle-hash-tasks` reconstructs on graph-identity change), so the cached map can never go stale. The produced `HashInstruction`s — and therefore all task hashes — are unchanged. Measured on this repo with `nx run-many -t build`: planner setup dropped from **~702ms across 38 calls to ~85ms** (paid once, cold). Validated by the existing `planner.spec.ts` / `hasher.spec.ts` snapshot suites (17 tests, 9 snapshots) plus the full native unit-test suite. ## Related Issue(s) N/A — internal performance improvement (no behavior or hash-value change).  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/Nx-Native-Task-Hashing-Performance-Investigation-60f63381) 
by Jason Jean
Succeeded
711
6c220e23
by pull[bot]
Succeeded
master
ad296578 fix(core): prevent path traversal / zip-slip in self-hosted remote cache (#36116) ## Current Behavior The self-hosted HTTP remote cache extracts and restores artifacts without containment: - Extraction joins untrusted tar entry names onto the cache directory and unpacks them with tar's unguarded `Entry::unpack()`, which performs no boundary check. - Restore copies the **entire** cache directory into the workspace and recreates entries while following symlinks, and clears prior outputs with a delete that follows symlinks. A malicious — or on-path/MITM'd — `NX_SELF_HOSTED_REMOTE_CACHE_SERVER` can craft a tarball whose entries (`../`, absolute paths, or symlinks/hardlinks) escape the cache directory / workspace and write to arbitrary locations the Nx process can reach. That arbitrary file write becomes RCE by targeting files like `~/.ssh/authorized_keys`, a git hook, or `~/.zshrc`. Several malformed-input cases also panic the process, and a remote-cached exit code is decoded from only the first 2 of its 4 stored bytes (so a nonzero code can restore as `0`). ## Expected Behavior - **Extraction is contained** via tar's `unpack_in`: `..` entries are rejected, absolute paths are stripped to relative, and writes *through* symlinks/hardlinks are refused — nothing escapes `<cacheDir>/<hash>`. - **Restore copies only the declared task outputs** (never the whole cache dir), each confined to the workspace root. Parent directories are realized as real directories, so a write never traverses a symlink; symlinks are recreated verbatim (the pointer is allowed — writing *through* it is not); stale destinations are removed without following symlinks. - **Declared outputs that resolve outside the workspace are rejected** with a clear error (both when storing and restoring). - **Malformed artifacts error instead of panicking** — unreadable response body, short/missing exit-code entry, and non-UTF8 entry names (the last only surfaced on Windows). - **The exit code is read from all 4 stored bytes**, fixing a nonzero code being restored as `0`. - Adds extensive native tests: parent-dir traversal, absolute-path containment, symlink/hardlink write-through rejection, restore confined to declared outputs, symlink-not-followed / write-through-blocked, out-of-workspace output rejection, malformed/short/missing exit code, and exit-code round-trip. ## Related Issue(s) NXC-4593 — self-hosted HTTP remote cache path traversal  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/lucid-sparrow-3e44e727)  --------- Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
by Jason Jean
Succeeded
master
ad296578 fix(core): prevent path traversal / zip-slip in self-hosted remote cache (#36116) ## Current Behavior The self-hosted HTTP remote cache extracts and restores artifacts without containment: - Extraction joins untrusted tar entry names onto the cache directory and unpacks them with tar's unguarded `Entry::unpack()`, which performs no boundary check. - Restore copies the **entire** cache directory into the workspace and recreates entries while following symlinks, and clears prior outputs with a delete that follows symlinks. A malicious — or on-path/MITM'd — `NX_SELF_HOSTED_REMOTE_CACHE_SERVER` can craft a tarball whose entries (`../`, absolute paths, or symlinks/hardlinks) escape the cache directory / workspace and write to arbitrary locations the Nx process can reach. That arbitrary file write becomes RCE by targeting files like `~/.ssh/authorized_keys`, a git hook, or `~/.zshrc`. Several malformed-input cases also panic the process, and a remote-cached exit code is decoded from only the first 2 of its 4 stored bytes (so a nonzero code can restore as `0`). ## Expected Behavior - **Extraction is contained** via tar's `unpack_in`: `..` entries are rejected, absolute paths are stripped to relative, and writes *through* symlinks/hardlinks are refused — nothing escapes `<cacheDir>/<hash>`. - **Restore copies only the declared task outputs** (never the whole cache dir), each confined to the workspace root. Parent directories are realized as real directories, so a write never traverses a symlink; symlinks are recreated verbatim (the pointer is allowed — writing *through* it is not); stale destinations are removed without following symlinks. - **Declared outputs that resolve outside the workspace are rejected** with a clear error (both when storing and restoring). - **Malformed artifacts error instead of panicking** — unreadable response body, short/missing exit-code entry, and non-UTF8 entry names (the last only surfaced on Windows). - **The exit code is read from all 4 stored bytes**, fixing a nonzero code being restored as `0`. - Adds extensive native tests: parent-dir traversal, absolute-path containment, symlink/hardlink write-through rejection, restore confined to declared outputs, symlink-not-followed / write-through-blocked, out-of-workspace output rejection, malformed/short/missing exit code, and exit-code round-trip. ## Related Issue(s) NXC-4593 — self-hosted HTTP remote cache path traversal  --- [View session information ↗](https://app.trypolygraph.com/orgs/6a061dcb561c062131116eca/sessions/lucid-sparrow-3e44e727)  --------- Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
by Jason Jean
Succeeded
806
f7b70552
by pull[bot]
Succeeded
36134
12085f5d feat(core): scaffold create-nx-workspace into the current directory ## Current Behavior `create-nx-workspace .` only works in a strictly empty directory, so a fresh GitHub repo (`.git`, README, LICENSE) fails. Templates require `git clone`. ## Expected Behavior - `.`/`./` scaffolds in place when the directory is functionally empty (dotfiles, README, LICENSE); real content still errors and points to `nx init`. - Interactive run with no name offers "Create in the current directory?". - Templates download as a tarball instead of `git clone`, so git is never required (fresh machines, CI, AI agents) and extracting over an existing `.git` is safe. README is replaced by the generated workspace. ## Related Issue(s) N/A
by Jack Hsu