Enhance browser compatibility and update Vite configuration

[kavindadimuthu]

Purpose

This pull request improves compatibility and reliability for browser and Nuxt environments by adjusting how Node.js polyfills are handled and ensuring proper dependency pre-bundling with Vite. The most important changes are grouped below:

Browser polyfill handling:

• Moves the logic for exposing Buffer on the window object from the esbuild configuration (esbuild.config.mjs — previously in banner and footer) directly into the browser entry point (src/index.ts). This ensures Buffer is always available globally in browser builds, preventing issues with libraries that expect Node polyfills. [1] [2] [3]

Nuxt/Vite dependency handling:

• Updates the Nuxt module to extend the Vite config, explicitly pre-bundling several CJS-only dependencies (@asgardeo/browser, @asgardeo/javascript, @asgardeo/vue, base64url, cross-fetch, fast-sha256) for client builds. This prevents "Export 'X' is not defined in module" errors caused by Vite serving these packages as raw CJS from disk. [1] [2]

Related Issues

• N/A

Related PRs

• N/A

Checklist

• Followed the CONTRIBUTING guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
• Unit tests provided. (Add links if there are any)

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?

Summary by CodeRabbit

• Refactor

  • Reorganized Buffer initialization in the browser SDK to use conditional runtime setup instead of build-time injection, improving compatibility in various browser environments without native Buffer support.

• Chores

  • Updated Nuxt module configuration to optimize dependency pre-bundling for CommonJS packages, ensuring enhanced build efficiency, reduced bundle size, and better application compatibility.

[coderabbitai]

Warning

Rate limit exceeded

@kavindadimuthu has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 3 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3dbbb664-9bce-43f8-b24c-dcd28a7c2e11

📥 Commits

Reviewing files that changed from the base of the PR and between 70cbdca and 26c1806.

📒 Files selected for processing (1)

• packages/nuxt/src/module.ts

📝 Walkthrough

Walkthrough

This PR refactors the Buffer polyfill strategy by removing build-time banner/footer injection from esbuild configuration and moving the runtime global assignment to the browser package's index.ts entrypoint. Additionally, it introduces Nuxt module configuration for pre-bundling CJS-dependent packages in the Vite build.

Changes

Cohort / File(s)	Summary
Browser Buffer Polyfill Strategy packages/browser/esbuild.config.mjs, packages/browser/src/index.ts	Removed esbuild banner/footer code injecting window.Buffer and shifted polyfill logic to runtime; index.ts now imports Buffer from the buffer package and conditionally sets window.Buffer when absent.
Nuxt Build Optimization packages/nuxt/src/module.ts	Added Nuxt module configuration extending client-side Vite build to pre-bundle CJS-dependent packages (@asgardeo/browser, @asgardeo/javascript, @asgardeo/vue, base64url, cross-fetch, fast-sha256) with duplicate-prevention guards.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Fix SSR compatibility and module bundling issues of Nuxt #483: Modifies the same build/polyfill wiring and Nuxt module files around Buffer polyfill and bundling behavior.

Suggested reviewers

• DonOmalVindula

Poem

🐰 A polyfill moved from build to runtime's embrace,
Buffer now finds its rightful place,
Nuxt bundles its deps with care so fine,
Browser and Vue together align,
Hopping forward with optimized design! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: browser compatibility improvements and Vite configuration updates for the Nuxt module.
Description check	✅ Passed	The description covers all required template sections with clear explanations of purpose, changes, and provides proper context. All checklist items are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 46 minutes and 3 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/nuxt/src/module.ts`:
- Around line 309-316: The current optimizeDeps include list in the deps array
references transitive packages (`@asgardeo/javascript`, base64url, cross-fetch,
fast-sha256) that are not declared in packages/nuxt/package.json; update the
module by either (A) adding these packages as explicit direct dependencies in
package.json so strict-mode package managers resolve them correctly, or (B)
remove them from the deps array and only include the top-level packages
('@asgardeo/browser' / '@asgardeo/node') if you confirm they bundle those
transitive modules at runtime; locate the deps constant in module.ts and ensure
package.json and the deps array are consistent to avoid strict-install failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 705c05e4-f359-49ff-845c-25a0e2e1dfe4

📥 Commits

Reviewing files that changed from the base of the PR and between faf4ab0 and 70cbdca.

📒 Files selected for processing (3)

• packages/browser/esbuild.config.mjs
• packages/browser/src/index.ts
• packages/nuxt/src/module.ts

💤 Files with no reviewable changes (1)

• packages/browser/esbuild.config.mjs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json
from pathlib import Path

nuxt_pkg = Path("packages/nuxt/package.json")
required = [
    "@asgardeo/browser",
    "@asgardeo/javascript",
    "@asgardeo/vue",
    "base64url",
    "cross-fetch",
    "fast-sha256",
]

data = json.loads(nuxt_pkg.read_text())
deps = data.get("dependencies", {})
peer = data.get("peerDependencies", {})

print(f"Checking {nuxt_pkg}:")
for name in required:
    declared = name in deps or name in peer
    where = "dependencies" if name in deps else ("peerDependencies" if name in peer else "NOT DECLARED")
    print(f"  - {name}: {where}")

print("\nIf any entry is NOT DECLARED, validate whether forcing it in optimizeDeps.include is safe for strict package managers.")
PY

Repository: asgardeo/javascript

Length of output: 415

---

🏁 Script executed:

# Get context around lines 309-316 in the module.ts file
head -n 330 packages/nuxt/src/module.ts | tail -n 40

Repository: asgardeo/javascript

Length of output: 1385

---

🏁 Script executed:

# Search for imports or usage of the undeclared packages in the nuxt module
rg -l "@asgardeo/javascript|base64url|cross-fetch|fast-sha256" packages/nuxt/src

Repository: asgardeo/javascript

Length of output: 91

---

🏁 Script executed:

# Check if these undeclared packages might be transitive dependencies
rg '"@asgardeo/javascript"|"base64url"|"cross-fetch"|"fast-sha256"' packages/nuxt/package.json packages/nuxt/package-lock.json 2>/dev/null || echo "Checking if packages are transitive..."

Repository: asgardeo/javascript

Length of output: 102

---

🏁 Script executed:

# Check if the undeclared packages are listed as external dependencies of `@asgardeo/browser`
# Look at what `@asgardeo/browser` depends on
cat packages/browser/package.json | jq '.dependencies, .peerDependencies, .optionalDependencies' 2>/dev/null || echo "Checking browser package..."

Repository: asgardeo/javascript

Length of output: 366

---

🏁 Script executed:

# Look for `@asgardeo/javascript` as a dependency in browser or vue packages
rg '"@asgardeo/javascript"' packages/browser/package.json packages/vue/package.json 2>/dev/null || echo "Not found in direct search"

Repository: asgardeo/javascript

Length of output: 136

---

🏁 Script executed:

# Check if these transitive packages are actually listed in package-lock.json or the monorepo structure
fd package.json | xargs grep -l "base64url\|cross-fetch\|fast-sha256" 2>/dev/null | head -10

Repository: asgardeo/javascript

Length of output: 120

---

🏁 Script executed:

# Check `@asgardeo/javascript`'s dependencies to see if it declares base64url and fast-sha256
cat packages/javascript/package.json | jq '.dependencies, .peerDependencies' 2>/dev/null || echo "Checking javascript package..."

Repository: asgardeo/javascript

Length of output: 146

---

🏁 Script executed:

# Check `@asgardeo/vue`'s dependencies
cat packages/vue/package.json | jq '.dependencies, .peerDependencies' 2>/dev/null || echo "Checking vue package..."

Repository: asgardeo/javascript

Length of output: 236

---

🏁 Script executed:

# Search for cross-fetch in all package.json files
grep -r "cross-fetch" packages/ --include="package.json"

Repository: asgardeo/javascript

Length of output: 118

---

🏁 Script executed:

# Check all dependencies of `@asgardeo/browser` more carefully including dev deps
cat packages/browser/package.json | jq '.' 2>/dev/null | head -80

Repository: asgardeo/javascript

Length of output: 2116

---

🏁 Script executed:

# Search for where cross-fetch is actually used in the nuxt module or imports
rg "cross-fetch" packages/nuxt/

Repository: asgardeo/javascript

Length of output: 116

---

🏁 Script executed:

# Check if cross-fetch should be coming from `@asgardeo/browser`'s dependencies
rg "cross-fetch" packages/browser/

Repository: asgardeo/javascript

Length of output: 45

---

🏁 Script executed:

# Let's check the full nuxt package.json to see all declared dependencies
cat packages/nuxt/package.json | jq '.dependencies, .peerDependencies' 2>/dev/null

Repository: asgardeo/javascript

Length of output: 283

---

🏁 Script executed:

# Double-check where cross-fetch is actually imported/used in the codebase
rg "cross-fetch|from.*cross-fetch|import.*cross-fetch" packages/

Repository: asgardeo/javascript

Length of output: 261

---

🏁 Script executed:

# Check if cross-fetch is used in `@asgardeo/browser` source code
rg "cross-fetch" packages/browser/src/

Repository: asgardeo/javascript

Length of output: 45

---

🏁 Script executed:

# Final verification: confirm `@asgardeo/node` is in nuxt dependencies and check its full package.json
cat packages/nuxt/package.json | jq '.dependencies | keys'

Repository: asgardeo/javascript

Length of output: 163

---

🏁 Script executed:

# Verify the dependency chain: nuxt -> `@asgardeo/node` -> cross-fetch
echo "=== `@asgardeo/node` dependencies ===" && cat packages/node/package.json | jq '.dependencies | keys'

Repository: asgardeo/javascript

Length of output: 251

---

🏁 Script executed:

# Verify the dependency chain: nuxt -> `@asgardeo/browser` -> base64url, fast-sha256, `@asgardeo/javascript`
echo "=== `@asgardeo/browser` dependencies ===" && cat packages/browser/package.json | jq '.dependencies | keys'

Repository: asgardeo/javascript

Length of output: 285

---

These packages are transitive dependencies; verify strict mode compatibility.

The packages @asgardeo/javascript, base64url, cross-fetch, and fast-sha256 are not declared in packages/nuxt/package.json but are transitive dependencies of the declared @asgardeo/browser and @asgardeo/node packages. While this ensures they are resolvable through the dependency tree, including them in optimizeDeps.include without explicit declaration may cause issues in strict package manager configurations. Verify this approach works correctly with strict mode installs, or alternatively declare these as direct dependencies if the Nuxt module explicitly depends on them.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/nuxt/src/module.ts` around lines 309 - 316, The current optimizeDeps
include list in the deps array references transitive packages
(`@asgardeo/javascript`, base64url, cross-fetch, fast-sha256) that are not
declared in packages/nuxt/package.json; update the module by either (A) adding
these packages as explicit direct dependencies in package.json so strict-mode
package managers resolve them correctly, or (B) remove them from the deps array
and only include the top-level packages ('@asgardeo/browser' / '@asgardeo/node')
if you confirm they bundle those transitive modules at runtime; locate the deps
constant in module.ts and ensure package.json and the deps array are consistent
to avoid strict-install failures.

[asgardeo-github-bot]

⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer Release Documentation to learn how to add a changeset.