@@ -205,6 +205,13 @@ _ATTRS = {
205205 which can lead to non-hermetic behavior.""" ,
206206 default = True ,
207207 ),
208+ "patch_node_esm_loader" : attr .bool (
209+ doc = """Apply the internal lstat patch to prevent the program from following symlinks out of
210+ the execroot, runfiles and the sandbox even when using the ESM loader.
211+
212+ This flag only has an effect when `patch_node_fs` is True.""" ,
213+ default = False ,
214+ ),
208215 "include_sources" : attr .bool (
209216 doc = """When True, `sources` from `JsInfo` providers in `data` targets are included in the runfiles of the target.""" ,
210217 default = True ,
@@ -320,7 +327,10 @@ _ATTRS = {
320327 "_windows_constraint" : attr .label (default = "@platforms//os:windows" ),
321328 "_node_patches_files" : attr .label_list (
322329 allow_files = True ,
323- default = [Label ("@aspect_rules_js//js/private/node-patches:fs.cjs" )],
330+ default = [
331+ Label ("@aspect_rules_js//js/private/node-patches:fs.cjs" ),
332+ Label ("@aspect_rules_js//js/private/node-patches:fs_stat.cjs" ),
333+ ],
324334 ),
325335 "_node_patches" : attr .label (
326336 allow_single_file = True ,
@@ -566,11 +576,18 @@ def _create_launcher(ctx, log_prefix_rule_set, log_prefix_rule, fixed_args = [],
566576 )
567577
568578def _js_binary_impl (ctx ):
579+ # Only apply lstat patch if it's requested
580+ JS_BINARY__PATCH_NODE_ESM_LOADER = "1" if ctx .attr .patch_node_esm_loader else "0"
581+ fixed_env = {
582+ "JS_BINARY__PATCH_NODE_ESM_LOADER" : JS_BINARY__PATCH_NODE_ESM_LOADER ,
583+ }
584+
569585 launcher = _create_launcher (
570586 ctx ,
571587 log_prefix_rule_set = "aspect_rules_js" ,
572588 log_prefix_rule = "js_test" if ctx .attr .testonly else "js_binary" ,
573589 fixed_args = ctx .attr .fixed_args ,
590+ fixed_env = fixed_env ,
574591 )
575592 runfiles = launcher .runfiles
576593
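Review bot: In `_js_binary_impl`, `JS_BINARY__PATCH_NODE_ESM_LOADER` is derived from `patch_node_esm_loader` alone, although the attribute doc says the flag only has an effect when `patch_node_fs` is True; nothing in this hunk enforces that dependency. Unless the launcher or `fs_stat.cjs` checks it (not visible here), a target with `patch_node_fs = False` and `patch_node_esm_loader = True` would look protected against symlinks leading out of the execroot, runfiles and sandbox while the guard may be inert. Consider gating it explicitly, `"1" if ctx.attr.patch_node_fs and ctx.attr.patch_node_esm_loader else "0"`, or failing analysis on the inconsistent combination. Since the default is False, the attribute doc should also state that ESM-loaded code is not covered by the symlink guard unless the flag is set. The body of `_js_binary_impl` continues outside the hunk.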