fix: deployment error when using packages using native node modules

[Dnouv]

Proposed changes (including videos or screenshots)

• Normalize Node built-in specifiers in the loader so both crypto and node:crypto are allowed
  and resolved consistently.
• Fixes Apps install failure in Deno runtime when bundled code imports Node built-ins using the node: scheme (e.g., node:crypto).

Issue(s)

• The Deno app loader only allowlisted plain built-in names (e.g., crypto) but bundled apps frequently emit require('node:crypto'). This caused the loader to reject valid built-ins with Module node:crypto is not allowed.

Steps to test or reproduce

To recreate the issue:

• Install any npm package that uses a built-in Node library within an App. For example, langchain
• rc-apps deploy will throw the error: Error: Deployment error: Module node:crypto is not allowed

Further comments

RCAI6-7

Summary by CodeRabbit

• Bug Fixes

  • Fixed app failures when importing Node.js built-ins; apps can now require both bare specifiers (e.g., "crypto") and Node-prefixed specifiers (e.g., "node:crypto").

• Chores

  • Bumped @rocket.chat/apps-engine and @rocket.chat/meteor to patch releases to include the fix.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: e4ad437

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages

Name	Type
@rocket.chat/apps-engine	Patch
@rocket.chat/meteor	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/freeswitch	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/stream-hub-service	Patch
@rocket.chat/license	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Adds a changeset bumping @rocket.chat/apps-engine and @rocket.chat/meteor to patch and updates the Deno runtime require-construction to normalize Node built-in specifiers so both bare names (e.g., crypto) and node:-prefixed names (e.g., node:crypto) are accepted. No public API changes.

Changes

Cohort / File(s)	Summary
Release metadata \.changeset/big-fireants-leave.md	Adds a changeset bumping @rocket.chat/apps-engine (patch) and @rocket.chat/meteor (patch) with note: fixes apps importing Node native modules with the optional node: specifier. No code changes.
Deno runtime require normalization packages/apps-engine/deno-runtime/handlers/app/construct.ts	Modifies buildRequire to normalize Node built-in specifiers by stripping a leading node: for internal checks and ensuring native requires use node:<normalized>. Preserves existing external/npm/apps-engine resolution and the disallowed-module error path.

Sequence Diagram(s)

sequenceDiagram
    participant App as App Code
    participant Build as buildRequire (Deno runtime)
    participant Resolver as Module Resolver

    App->>Build: require('crypto') or require('node:crypto')
    activate Build
    Build->>Build: Normalize specifier (strip "node:" if present)
    Build->>Resolver: Is normalized a Node builtin?
    alt builtin
        Resolver-->>Build: Yes → use "node:<normalized>"
        Build-->>App: Return native module
    else not builtin
        Build->>Resolver: Resolve per external/apps-engine rules
        Resolver-->>Build: Module resolved or not found
        alt resolved
            Build-->>App: Return module
        else not allowed
            Build-->>App: Throw "Module <module> is not allowed"
        end
    end
    deactivate Build

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble specs with whiskers keen,
node: or not — the loader’s seen.
I strip the colon, tidy the name,
Apps load smooth, no build-time blame.
A tiny hop, a joyful cheer—🥕

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues Check	⚠️ Warning	The PR implements normalization of Node built-in specifiers in packages/apps-engine/deno-runtime/handlers/app/construct.ts and includes a changeset bump, which addresses the linked issue's core problem of installs failing when code requires "node:crypto" and therefore satisfies the objectives to accept both plain and node: scheme specifiers and prevent the Deno runtime install failure. However, there is no evidence in the provided changes that internal uses of Node's crypto were replaced by Web Crypto for secure random token generation, so the linked issue's requirement to remove Node crypto dependencies in the Deno runtime is not addressed. Because one of the linked-issue objectives remains unimplemented, the overall linked-issues compliance is incomplete.	Either include the Web Crypto migration in this branch by replacing Node crypto usages in the Deno runtime secure token generation code and adding tests, or update the linked issue to split the work and link a follow-up PR that implements the Web Crypto replacement and documents the change.
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title directly references the deployment error caused by packages importing native Node modules and aligns with the PR’s primary change to normalize Node built-in specifiers so node:... imports are accepted. It communicates the problem being fixed and would be clear to a reviewer, though the phrase "packages using native node modules" is slightly redundant and could be tightened. Overall the title sufficiently summarizes the main change for history scanning.
Out of Scope Changes Check	✅ Passed	The diff described is limited to a normalization change in packages/apps-engine/deno-runtime/handlers/app/construct.ts and an added changeset entry updating package patch versions, and there are no modifications to unrelated features, configs, or tests shown in the provided summary. Therefore the changes appear focused and relevant to the linked issue without out-of-scope edits. No unrelated files or unexpected behavior changes are evident from the provided summaries.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/ae/node_imports

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 774d5bb and 9df49dd.

📒 Files selected for processing (2)

• .changeset/big-fireants-leave.md (1 hunks)
• packages/apps-engine/deno-runtime/handlers/app/construct.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/apps-engine/deno-runtime/handlers/app/construct.ts
• .changeset/big-fireants-leave.md

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.21%. Comparing base (050f1dc) to head (e4ad437).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #36967      +/-   ##
===========================================
- Coverage    66.23%   66.21%   -0.02%     
===========================================
  Files         3384     3384              
  Lines       115027   115027              
  Branches     21064    21066       +2     
===========================================
- Hits         76185    76166      -19     
- Misses       36247    36254       +7     
- Partials      2595     2607      +12     

Flag	Coverage Δ
e2e	56.96% <ø> (-0.08%)	⬇️
unit	71.20% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.changeset/big-fireants-leave.md (1)

5-5: Clarify the changelog note with the exact behavior.

Suggest explicitly mentioning the node: scheme to help readers scanning releases.

-Fixes an issue with deploying Apps that import libraries using native Node modules.
+Fix: Apps deployment no longer fails when bundled code imports Node built‑ins using the node: scheme (e.g., node:crypto); both bare (crypto) and node:‑prefixed specifiers are accepted.

packages/apps-engine/deno-runtime/handlers/app/construct.ts (2)

29-36: Also support built‑in subpath specifiers (fs/promises, stream/web, util/types).

Current check rejects valid Node subpaths like node:fs/promises even though base fs is allowed. Allow subpaths when the base is in the allowlist.

-    return (module: string): unknown => {
-        // Normalize Node built-in specifiers: accept both 'crypto' and 'node:crypto'
-        const normalized = module.startsWith('node:') ? module.slice(5) : module;
+    return (module: string): unknown => {
+        // Normalize Node built-in specifiers: accept both 'crypto' and 'node:crypto'
+        const normalized = module.startsWith('node:') ? module.slice(5) : module;
+        const base = normalized.split('/')[0]; // support subpaths like 'fs/promises' and 'stream/web'
 
-        if (ALLOWED_NATIVE_MODULES.includes(normalized)) {
-            return require(`node:${normalized}`);
+        if (ALLOWED_NATIVE_MODULES.includes(base)) {
+            // Keep full subpath when present (e.g., 'fs/promises')
+            return require(`node:${normalized}`);
         }

Optionally add a unit test for node:fs/promises and node:stream/web.

---

46-47: Improve the error to aid debugging without leaking internals.

Include a brief hint for node: vs npm: to reduce support churn.

-        throw new Error(`Module ${module} is not allowed`);
+        throw new Error(`Module ${module} is not allowed. Only selected Node built-ins (node:<name>) and whitelisted npm packages are supported.`);

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3c28676 and 774d5bb.

📒 Files selected for processing (2)

• .changeset/big-fireants-leave.md (1 hunks)
• packages/apps-engine/deno-runtime/handlers/app/construct.ts (1 hunks)

🔇 Additional comments (1)

packages/apps-engine/deno-runtime/handlers/app/construct.ts (1)

29-36: Approve — normalization of Node built-in specifiers is correct.

Accepting both bare and 'node:'‑prefixed built‑ins is safe and consistent (repo already contains multiple 'node:' imports).