Merge pull request #429 from objectstack-ai/copilot/update-action-run-link-format

hotlong · web-flow · commit 328c99b966e7 · 2026-02-10T18:39:27.000+08:00
diff --git a/apps/site/next.config.mjs b/apps/site/next.config.mjs
@@ -5,6 +5,28 @@ const withMDX = createMDX();
 /** @type {import('next').NextConfig} */
 const config = {
   reactStrictMode: true,
+  transpilePackages: [
+    '@object-ui/core',
+    '@object-ui/components',
+    '@object-ui/fields',
+    '@object-ui/layout',
+    '@object-ui/react',
+    '@object-ui/types',
+    '@object-ui/plugin-aggrid',
+    '@object-ui/plugin-calendar',
+    '@object-ui/plugin-charts',
+    '@object-ui/plugin-chatbot',
+    '@object-ui/plugin-dashboard',
+    '@object-ui/plugin-editor',
+    '@object-ui/plugin-form',
+    '@object-ui/plugin-gantt',
+    '@object-ui/plugin-grid',
+    '@object-ui/plugin-kanban',
+    '@object-ui/plugin-map',
+    '@object-ui/plugin-markdown',
+    '@object-ui/plugin-timeline',
+    '@object-ui/plugin-view',
+  ],
   async rewrites() {
     return [
       {
diff --git a/packages/core/src/registry/WidgetRegistry.ts b/packages/core/src/registry/WidgetRegistry.ts
@@ -276,7 +276,19 @@ export class WidgetRegistry {
       }
 
       case 'module': {
-        const mod = await import(/* @vite-ignore */ source.url);
+        // Runtime-only dynamic import for loading widgets from external URLs
+        // This uses Function constructor to prevent bundlers (Webpack/Turbopack/Vite)
+        // from attempting static analysis at build time, which would fail since
+        // source.url is only known at runtime.
+        //
+        // Security: Widget URLs must be from trusted sources only. Never pass
+        // user-supplied URLs directly to WidgetManifest. URLs should be validated
+        // and controlled by the application developer.
+        //
+        // CSP Consideration: If your application uses strict Content Security Policy,
+        // ensure dynamic imports are allowed or use 'inline' or 'registry' source types.
+        const dynamicImport = new Function('url', 'return import(url)');
+        const mod = await dynamicImport(source.url);
         const exportName = source.exportName ?? 'default';
         const component = mod[exportName];
         if (!component) {
diff --git a/packages/types/src/widget.ts b/packages/types/src/widget.ts
@@ -95,10 +95,20 @@ export type WidgetSource =
   | WidgetSourceInline
   | WidgetSourceRegistry;
 
-/** Load from an ES module URL */
+/**
+ * Load from an ES module URL.
+ *
+ * ⚠️ SECURITY WARNING: Only use URLs from trusted sources.
+ * Never pass user-supplied URLs directly. URLs should be validated
+ * and controlled by your application. This feature uses dynamic imports
+ * which bypass static analysis and may be restricted by Content Security Policy.
+ */
 export interface WidgetSourceModule {
   type: 'module';
-  /** URL to the ES module (e.g., '/widgets/chart.js' or 'https://cdn.example.com/widget.mjs') */
+  /**
+   * URL to the ES module (e.g., '/widgets/chart.js' or 'https://cdn.example.com/widget.mjs')
+   * Must be from a trusted source - never user input.
+   */
   url: string;
   /** Named export to use (default: 'default') */
   exportName?: string;
