[Bug]: Vite build not hermetic? Imports escape sandbox

[henkerik]

What happened?

A Vite build succeeds, even if not all dependencies are provided in the BUILD.bazel file.

Version

Development (host) and target OS/architectures:

Output of bazel --version: bazel 6.0.0rc2

Version of the Aspect rules, or other relevant rules from your
WORKSPACE or MODULE.bazel file: rules_js-1.8.0

Language(s) and/or frameworks involved: Javascript, Vite

How to reproduce

A git repo with instructions how to reproduce this bug is available at: 

https://github.com/henkerik/repro_rules_js_362

Any other information?

This repo started as a fork of https://github.com/gregmagolan/repro_rules_js_362 because I suspected I ran into the same bug. However, I think this bug is different. It looks like a regular JS import escapes the Bazel sandbox as well:

https://github.com/henkerik/repro_rules_js_362/blob/main/vite.config.js#L2

Fund our work

• Sponsor our open source work by donating a bug bounty

[gregmagolan]

Possibly a symptom of #362?

[henkerik]

@gregmagolan I though so at first, that's why I forked your repo :). However, I build node from source with your patch (aspect-forks/node@6616ddd) but this didn't fix it.

[matthewjh]

FWIW, sharing this here in case it's helpful: I found similar breakouts under webpack, but I didn't compile a repro and file an issue just yet.

I noted that https://github.com/sindresorhus/import-local appeared to be involved in at least some of the webpack "sandbox break" instances.

[xinbinhuang]

seeing the same issue. Seems like that the the bazel target (i.e. vite) is using the node_modules in the bazel-out repository