fix: verify module identity in cache protocol to prevent stale modules

deyaaeldeen · Copilot · deyaaeldeen · commit c12fc82105b4 · 2026-03-31T01:26:20.000Z
The module runner's `urlToIdModuleMap` caches modules by URL. When a bare specifier (e.g., `@azure/core-lro`) is used as the URL, the first resolved version is cached and served to all subsequent importers, even if they should receive a different physical package. Additionally, the `{ cache: true }` protocol between the module runner and server had no identity verification. The server confirms a module was transformed without checking if the client's cached module matches the server's resolved module. Fix: - Server now includes the resolved module ID in `{ cache: true }` responses via the new optional `id` field on `CachedFetchResult`. - Client verifies that its cached module ID matches the server's. On mismatch, the client refetches the module without the cache flag. This prevents silent data corruption when multiple versions of a dependency exist in a monorepo with nested `node_modules`. Fixes #22079 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/packages/vite/src/module-runner/runner.ts b/packages/vite/src/module-runner/runner.ts
@@ -8,7 +8,7 @@ import {
 } from '../shared/moduleRunnerTransport'
 import { createIsBuiltin } from '../shared/builtin'
 import type { EvaluatedModuleNode } from './evaluatedModules'
-import { EvaluatedModules } from './evaluatedModules'
+import { EvaluatedModules, normalizeModuleId } from './evaluatedModules'
 import type {
   ModuleEvaluator,
   ModuleRunnerContext,
@@ -309,6 +309,25 @@ export class ModuleRunner {
           `Module "${url}" was mistakenly invalidated during fetch phase.`,
         )
       }
+      // Verify the server resolved to the same module we have cached.
+      // When a bare specifier maps to different physical packages for
+      // different importers (e.g. monorepos with duplicate deps), the
+      // urlToIdModuleMap may hold a stale entry. If the server resolved
+      // to a different module, refetch without the cache flag.
+      if (
+        fetchedModule.id &&
+        cachedModule.id !== normalizeModuleId(fetchedModule.id)
+      ) {
+        this.debug?.(
+          '[module runner] cache identity mismatch for',
+          url,
+          '- cached:',
+          cachedModule.id,
+          'server:',
+          fetchedModule.id,
+        )
+        return this.getModuleInformation(url, importer, undefined)
+      }
       return cachedModule
     }
 
diff --git a/packages/vite/src/node/ssr/fetchModule.ts b/packages/vite/src/node/ssr/fetchModule.ts
@@ -85,7 +85,7 @@ export async function fetchModule(
 
   // if url is already cached, we can just confirm it's also cached on the server
   if (options.cached && cached) {
-    return { cache: true }
+    return { cache: true, id: mod.id }
   }
 
   let result = await environment.transformRequest(url)
diff --git a/packages/vite/src/shared/invokeMethods.ts b/packages/vite/src/shared/invokeMethods.ts
@@ -14,6 +14,13 @@ export interface CachedFetchResult {
    * it wasn't invalidated on the server side.
    */
   cache: true
+  /**
+   * The resolved module ID on the server. The client uses this to verify
+   * that its cached module matches what the server resolved. When a bare
+   * specifier maps to different physical packages for different importers,
+   * the client's cache may hold the wrong version.
+   */
+  id?: string
 }
 
 export interface ExternalFetchResult {

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ export async function fetchModule(`
`85`	`85`
`86`	`86`	`// if url is already cached, we can just confirm it's also cached on the server`
`87`	`87`	`if (options.cached && cached) {`
`88`		`- return { cache: true }`
	`88`	`+ return { cache: true, id: mod.id }`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`let result = await environment.transformRequest(url)`