Skip to content

ipk-verify: service language-version check + advisory runtime-API detection#5

Merged
mariotaku merged 1 commit into
mainfrom
claude/web-app-tech-detection-x71d8v
Jul 6, 2026
Merged

ipk-verify: service language-version check + advisory runtime-API detection#5
mariotaku merged 1 commit into
mainfrom
claude/web-app-tech-detection-x71d8v

Conversation

@mariotaku

Copy link
Copy Markdown
Member

Follow-up to #4 (web-app / service technology detection). Adds two detection capabilities to ipk-verify, both driven by testing against real webosbrew packages.

Service language-version check (gating)

Previously, non-native JS/Node services only reported dependencies + the firmware's Node.js version (informational), because engines.node is not trustworthy and was disregarded.

Now the service's own .js code is tokenized for its ES syntax level and checked against each firmware's bundled Node.js version (EsLevel::min_node_version, from packages.json). This is a code-derived, trustworthy requirement (syntax can't be polyfilled), unlike engines.node.

  • A service using optional chaining (?., ES2020) correctly fails on Node 12 and passes on Node 16.
  • The real Homebrew Channel service reads ES5 → OK on every Node.

Runtime-API detection (advisory, polyfill-aware)

Unambiguous namespaced APIs (Object.assign, Object.entries/fromEntries, Array.from, Promise.allSettled, globalThis, Reflect.*, …) are detected from the token stream and flagged as "may need polyfills" when newer than the target engine/Node. This is advisory only — it never gates compatibility, since runtime APIs (unlike syntax) can be polyfilled. Prototype methods (.includes/.flat) are excluded because their receiver type is unknowable from tokens.

Polyfill awareness: testing real bundles showed they ship core-js / @babel/runtime / regenerator, which merely reference every API (feature-detect/define), so a naive advisory flags the polyfill library itself. When a polyfill library is detected the component is noted as self-polyfilling and the API advisory is suppressed.

  • Homebrew Channel (bundles core-js) → "bundles polyfills (core-js, regenerator)", no misleading API row.
  • A non-polyfilled app calling Object.entries/fromEntries → advisory shows polyfill? on Chromium <73, native on 79+.

Internals

JS token analysis (ES features + static APIs + polyfill sniffing) is factored into a shared common/webdetect/src/js.rs module used by both web-app and service detection. ress/tl remain the only new dependencies (from #4).

Tests

webdetect 32, fw-lib 2, ipk-lib 3, ipk-verify integration 2 (+ global_scope 2) — all green, no warnings. Verified end-to-end against the real Homebrew Channel package and synthetic fixtures.

🤖 Generated with Claude Code

https://claude.ai/code/session_01WNiK747P4W8C2M9RRhRFS3


Generated by Claude Code

Two follow-ups after the merged web-app work.

Service language-version check (gating): a service's own .js is
tokenized for its ES syntax level and checked against each firmware's
bundled Node.js version (EsLevel::min_node_version). This is the
trustworthy, code-derived Node requirement that replaces the untrusted
engines.node — a service using optional chaining now correctly fails on
Node 12 and passes on Node 16.

Runtime-API detection (advisory, polyfill-aware): unambiguous namespaced
APIs (Object.assign, Object.entries/fromEntries, Array.from,
Promise.allSettled, globalThis, Reflect.*, ...) are detected from the
token stream and flagged when newer than the target engine/Node — a
"may need polyfills" note that never gates. Prototype methods are
excluded (ambiguous receiver). Crucially, testing real packages showed
bundles ship core-js/babel-runtime that merely *reference* every API, so
the advisory is suppressed when a polyfill library is detected; the
component is instead noted as self-polyfilling.

JS token analysis (ES features + APIs + polyfill sniffing) is factored
into a shared js module used by both web-app and service detection.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01WNiK747P4W8C2M9RRhRFS3
@mariotaku mariotaku merged commit 4a706ae into main Jul 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants