Skip to content

[Detail Bug] @browserless/function crashes in production due to missing runtime dependencies (acorn/acorn-walk) #694

New issue
New issue
Open
Open
[Detail Bug] @browserless/function crashes in production due to missing runtime dependencies (acorn/acorn-walk)#694
@detail-app

Description

@detail-app
detail-app
bot
opened on Mar 2, 2026

Detail Bug Report

https://app.detail.dev/org_06887db3-bf54-40ab-976d-46c66ab2b840/bugs/bug_e41f7b37-c102-45b0-80a3-9a851a508758

Summary

  • Context: The template.js file is the core module of @browserless/function that analyzes user-provided code to detect if it uses the Puppeteer page API, using AST parsing to determine whether to inject browser connection logic.
  • Bug: The file requires acorn and acorn-walk at the module level, but these packages are listed as devDependencies instead of dependencies in package.json.
  • Actual vs. expected: The packages should be listed under dependencies so they are installed in production environments, but they are only in devDependencies which means they won't be installed when users install @browserless/function.
  • Impact: Any production installation of @browserless/function will crash at runtime when template.js is loaded, making the package completely unusable.

Code with Bug

In packages/function/src/template.js:

const walk = require('acorn-walk')  // <-- BUG 🔴 Required at runtime but not declared as a dependency
const acorn = require('acorn')       // <-- BUG 🔴 Required at runtime but not declared as a dependency

In packages/function/package.json:

"devDependencies": {
  "@browserless/test": "^10.11.1",
  "acorn": "~8.16.0",           // <-- BUG 🔴 Runtime dependency incorrectly listed as devDependency
  "acorn-walk": "~8.3.5",       // <-- BUG 🔴 Runtime dependency incorrectly listed as devDependency
  "ava": "5",
  "lodash": "latest"
}

Explanation

packages/function/src/template.js loads acorn and acorn-walk at module initialization. Because packages/function/package.json lists them only under devDependencies, they are not guaranteed to be installed for consumers in production installs, leading to Cannot find module 'acorn-walk'/'acorn' at runtime.

The issue has been masked by a transitive dependency: the declared dependency isolated-function currently depends on acorn/acorn-walk, so Node may resolve them from isolated-function's node_modules. This is an accidental, fragile coupling; if isolated-function changes its dependencies, @browserless/function will break.

Codebase Inconsistency

The published package confirms the mismatch:

$ npm view @browserless/function dependencies
{
  '@browserless/errors': '^10.11.1',
  'isolated-function': '~0.1.49',
  'require-one-of': '~1.0.24'
}

acorn and acorn-walk are absent from the package’s declared dependencies despite being required at runtime.

Recommended Fix

Move acorn and acorn-walk from devDependencies to dependencies in packages/function/package.json so they are installed for consumers.

History

This bug was introduced in commit d45585f. The commit added a performance optimization to parse user code with AST analysis (using acorn/acorn-walk) to detect whether the page object is used, avoiding unnecessary Puppeteer setup when not needed. When adding the new template.js file with these runtime dependencies, the acorn packages were mistakenly added to devDependencies instead of dependencies in package.json.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions