feat: add skew-protection-webpack-plugin package

[eduardoboucas]

Adds a new package that brings Netlify Skew Protection to any webpack-based single-page app, without requiring a framework runtime.

How it works

On a Netlify production build, the platform exposes a signed token that fingerprints the current deploy. The plugin reads that token and does two complementary things:

1. It stamps the token as a query parameter onto the URLs of the JavaScript and CSS that webpack loads, both the lazily-loaded chunks and the initial scripts and stylesheets in the HTML
2. It emits a small manifest through the Netlify Frameworks API that tells the edge to treat that query parameter as a deploy signal.

With both halves in place, the edge sees the pinned requests coming from an open tab and routes them to the originating deploy instead of the latest one.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8f63b7f1-e2e5-4739-a429-1a853151a6bc

📥 Commits

Reviewing files that changed from the base of the PR and between e23a17d and 563d055.

📒 Files selected for processing (3)

• packages/skew-protection-webpack-plugin/README.md
• packages/skew-protection-webpack-plugin/src/main.test.ts
• packages/skew-protection-webpack-plugin/src/main.ts

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• netlify/blueprints (manual)

✅ Files skipped from review due to trivial changes (1)

• packages/skew-protection-webpack-plugin/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/skew-protection-webpack-plugin/src/main.test.ts
• packages/skew-protection-webpack-plugin/src/main.ts

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Added a new webpack plugin to the monorepo for skew protection by appending a deployment-pinning query to chunk and initial HTML asset URLs.
  • Plugin now generates the routing manifest used for edge handling, with a configurable token, query parameter name, patterns, and output base directory.
  • When the token is not set (or is 0), the plugin automatically becomes a no-op.
• Bug Fixes
  • Improved release publishing behavior: manual triggers now tolerate publish failures, while push-based releases publish normally.
• Documentation
  • Added usage documentation for installing, configuring options, and expected behavior.

Walkthrough

Adds packages/skew-protection-webpack-plugin to the monorepo workspace and release-please setup, including package metadata, build/test config, ignore rules, changelog, and README. Implements NetlifySkewProtectionPlugin plus a webpack runtime module that appends the deploy-pinning query parameter to chunk and HTML asset URLs and writes .netlify/v1/skew-protection.json. Adds Vitest coverage for token-present, custom parameter name, and token-absent cases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding a new skew-protection webpack plugin package.
Description check	✅ Passed	The description matches the implemented changes by explaining the new package, token stamping, and manifest emission.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/skew-protection-webpack-plugin

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/skew-protection-webpack-plugin/README.md`:
- Around line 23-24: Update the Skew Protection README wording in the
behavior/options section to fix the awkward “scope rerouting” phrasing in the
description and make it read naturally, then correct the pattern example in the
options docs so the `patterns` value uses `js|css` rather than an escaped pipe.
Reference the surrounding README text for `patterns` and the behavior
description to locate the two doc nits.

In `@packages/skew-protection-webpack-plugin/src/main.test.ts`:
- Around line 41-46: The compiler callback in main.test.ts is triggering
no-confusing-void-expression because it uses return reject(...) in the err and
stats.hasErrors() branches. Update the compiler.run callback to call reject(...)
as a separate statement and then return on the next line, using the compiler.run
callback as the locator for both failure paths.

In `@packages/skew-protection-webpack-plugin/src/main.ts`:
- Around line 150-156: The assignment in the main plugin loader is failing
`no-unsafe-assignment` because `requirePeer('html-webpack-plugin')` is inferred
as `any` before being stored in `HtmlWebpackPlugin`. Update the `main.ts` logic
around `requirePeer` so the result is explicitly cast to the declared `{
getHooks?: (c: Compilation) => HtmlHooks | undefined }` shape when assigned to
`HtmlWebpackPlugin`, keeping the existing `try/catch` and return behavior
intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 37c36d18-36de-419e-89b3-ab21503a9014

📥 Commits

Reviewing files that changed from the base of the PR and between f88c812 and e23a17d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (14)

• .github/workflows/release-please.yaml
• .release-please-manifest.json
• package.json
• packages/skew-protection-webpack-plugin/.gitignore
• packages/skew-protection-webpack-plugin/CHANGELOG.md
• packages/skew-protection-webpack-plugin/README.md
• packages/skew-protection-webpack-plugin/package.json
• packages/skew-protection-webpack-plugin/src/lib/runtime-module.ts
• packages/skew-protection-webpack-plugin/src/main.test.ts
• packages/skew-protection-webpack-plugin/src/main.ts
• packages/skew-protection-webpack-plugin/tsconfig.json
• packages/skew-protection-webpack-plugin/tsup.config.ts
• packages/skew-protection-webpack-plugin/vitest.config.ts
• release-please-config.json

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• netlify/blueprints (manual)

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix two documentation accuracy nits in the behavior/options description.

Line 23 reads awkwardly (“scope rerouting”), and Line 47 shows js\|css instead of js|css, which can confuse users copying the pattern.

Suggested doc patch

-> same-origin request and pin your API/XHR traffic to a stale deploy. The default `patterns` scope rerouting to JS/CSS.
+> same-origin request and pin your API/XHR traffic to a stale deploy. The default `patterns` scope skew protection to JS/CSS assets.
@@
-| `patterns`  | `[".*\\.(js\|css)$"]`                       | PCRE path patterns the edge reroutes on.                                                                     |
+| `patterns`  | `[".*\\.(js|css)$"]`                        | PCRE path patterns the edge reroutes on.                                                                     |

Also applies to: 47-47

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/skew-protection-webpack-plugin/README.md` around lines 23 - 24,
Update the Skew Protection README wording in the behavior/options section to fix
the awkward “scope rerouting” phrasing in the description and make it read
naturally, then correct the pattern example in the options docs so the
`patterns` value uses `js|css` rather than an escaped pipe. Reference the
surrounding README text for `patterns` and the behavior description to locate
the two doc nits.

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Fix the blocking no-confusing-void-expression lint errors.

return reject(...) returns the void result of reject, which is failing the Lint job (lines 43-44). Split the reject call and return onto separate statements.

🔧 Proposed fix

     compiler.run((err, stats) => {
       compiler.close(() => {})
-      if (err) return reject(err)
-      if (stats?.hasErrors()) return reject(new Error(stats.toString()))
+      if (err) {
+        reject(err)
+        return
+      }
+      if (stats?.hasErrors()) {
+        reject(new Error(stats.toString()))
+        return
+      }
       resolve()
     })

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	compiler.run((err, stats) => {
	compiler.close(() => {})
	if (err) return reject(err)
	if (stats?.hasErrors()) return reject(new Error(stats.toString()))
	resolve()
	})
	compiler.run((err, stats) => {
	compiler.close(() => {})
	if (err) {
	reject(err)
	return
	}
	if (stats?.hasErrors()) {
	reject(new Error(stats.toString()))
	return
	}
	resolve()
	})

🧰 Tools

🪛 ESLint

[error] 43-43: Returning a void expression from a function is forbidden. Please move it before the return statement.

(@typescript-eslint/no-confusing-void-expression)

---

[error] 44-44: Returning a void expression from a function is forbidden. Please move it before the return statement.

(@typescript-eslint/no-confusing-void-expression)

🪛 GitHub Actions: Lint / 0_Lint.txt

[error] 43-43: ESLint (typescript-eslint/no-confusing-void-expression): Returning a void expression from a function is forbidden. Please move it before the return statement.

🪛 GitHub Actions: Lint / Lint

[error] 43-43: ESLint (@typescript-eslint/no-confusing-void-expression): Returning a void expression from a function is forbidden. Please move it before the return statement.

🪛 GitHub Check: Lint

[failure] 44-44:
Returning a void expression from a function is forbidden. Please move it before the return statement

---

[failure] 43-43:
Returning a void expression from a function is forbidden. Please move it before the return statement

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/skew-protection-webpack-plugin/src/main.test.ts` around lines 41 -
46, The compiler callback in main.test.ts is triggering
no-confusing-void-expression because it uses return reject(...) in the err and
stats.hasErrors() branches. Update the compiler.run callback to call reject(...)
as a separate statement and then return on the next line, using the compiler.run
callback as the locator for both failure paths.

Source: Pipeline failures

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Resolve the blocking no-unsafe-assignment lint error.

requirePeer('html-webpack-plugin') returns any, so the assignment to the typed HtmlWebpackPlugin variable trips @typescript-eslint/no-unsafe-assignment and is failing the Lint check. Cast the result to the declared shape.

🔧 Proposed fix

-    let HtmlWebpackPlugin: { getHooks?: (c: Compilation) => HtmlHooks | undefined }
+    let HtmlWebpackPlugin: { getHooks?: (c: Compilation) => HtmlHooks | undefined }
     try {
       // Resolved from the consumer's dependency tree.
-      HtmlWebpackPlugin = requirePeer('html-webpack-plugin')
+      HtmlWebpackPlugin = requirePeer('html-webpack-plugin') as {
+        getHooks?: (c: Compilation) => HtmlHooks | undefined
+      }
     } catch {
       return
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	let HtmlWebpackPlugin: { getHooks?: (c: Compilation) => HtmlHooks | undefined }
	try {
	// Resolved from the consumer's dependency tree.
	HtmlWebpackPlugin = requirePeer('html-webpack-plugin')
	} catch {
	return
	}
	let HtmlWebpackPlugin: { getHooks?: (c: Compilation) => HtmlHooks | undefined }
	try {
	// Resolved from the consumer's dependency tree.
	HtmlWebpackPlugin = requirePeer('html-webpack-plugin') as {
	getHooks?: (c: Compilation) => HtmlHooks | undefined
	}
	} catch {
	return
	}

🧰 Tools

🪛 ESLint

[error] 153-153: Unsafe assignment of an any value.

(@typescript-eslint/no-unsafe-assignment)

🪛 GitHub Check: Lint

[failure] 153-153:
Unsafe assignment of an any value

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/skew-protection-webpack-plugin/src/main.ts` around lines 150 - 156,
The assignment in the main plugin loader is failing `no-unsafe-assignment`
because `requirePeer('html-webpack-plugin')` is inferred as `any` before being
stored in `HtmlWebpackPlugin`. Update the `main.ts` logic around `requirePeer`
so the result is explicitly cast to the declared `{ getHooks?: (c: Compilation)
=> HtmlHooks | undefined }` shape when assigned to `HtmlWebpackPlugin`, keeping
the existing `try/catch` and return behavior intact.

Source: Linters/SAST tools