Contributing to Fronts
Development setup, change boundaries, testing, documentation, Changesets, and review expectations for Fronts contributors.
Development prerequisites
- Node.js 22.18 or newer;
- pnpm 10 or 11 through Corepack;
- a Chromium installation managed by Playwright for browser E2E;
- macOS, Linux, or another environment capable of running the repository's Node and browser tools.
The root package.json is the source of truth for engines and the pinned package
manager. CI runs the main check on Node 22 and 24.
corepack enable
pnpm install --frozen-lockfileDo not replace pnpm with npm or Yarn when changing the workspace lockfile.
Repository map
| Area | Responsibility |
|---|---|
packages/core | Application protocol, Host, resolvers, containers, services, errors, and iframe transport. |
packages/mf | Adapter over the public official Module Federation runtime instance API. |
packages/react | React producer and Host adapter for the Fronts application contract. |
packages/vue3 | Vue 3 producer and Host adapter for the same contract. |
examples | Executable core-only, framework, iframe, Rsbuild, and Vite integration evidence. |
e2e | Playwright behavior shared by development and production-preview server modes. |
docs | Architecture, contracts, operations, support boundaries, and runbooks. |
.changeset | Pending public-package release notes and prerelease state. |
Read Architecture and the Application contract before changing package boundaries or lifecycle semantics.
Change workflow
- Start from an up-to-date branch and confirm the worktree contains no changes you do not own.
- Reproduce the behavior or define the contract before editing implementation.
- Change one concern at a time and add the narrowest test that proves it.
- Update every affected public README, contract, architecture document, runbook, and example.
- Add a Changeset when a published package changes for consumers.
- Run focused checks while iterating, then the complete required gates.
- Review the diff for unrelated formatting, generated artifacts, secrets, and accidental public API expansion.
Keep commits focused. One independently reviewable concern per commit is preferred. Existing history uses Conventional Commit-style subjects such as:
fix(core): revoke late service scopes
feat(mf): support a public runtime option
test(examples): cover a producer path
docs: define browser supportDo not rewrite or discard another contributor's worktree changes. Do not commit build output, Playwright reports, coverage output, package tarballs, or local environment files unless a task explicitly changes their source-controlled policy.
Changesets
Every consumer-visible change to one or more public packages needs a Changeset:
pnpm changesetSelect all affected packages and describe user impact rather than implementation detail. The four public packages are a fixed Changesets group, so versioning remains synchronized while the 2.0 contract stabilizes.
Typical Changeset decisions:
| Change | Changeset? |
|---|---|
| Public runtime behavior, error, export, type, peer range, package metadata, or security fix | Yes |
| Internal refactor with identical published behavior | Usually no; add one if consumers can observe it |
| Test-only or example-only verification | No, unless it accompanies a package behavior change |
| Documentation-only correction outside packed package READMEs | No |
| Public package README change that affects consumer guidance | Yes when released package content changes materially |
Do not edit package versions or changelogs by hand. The Changesets release flow owns them.
Focused development commands
pnpm lint
pnpm docs:check
pnpm typecheck
pnpm test
pnpm test:coverage
pnpm buildRun a focused Vitest file while iterating:
pnpm exec vitest run packages/core/test/host.test.ts
pnpm exec vitest run packages/core/test/iframe.test.ts
pnpm exec vitest run packages/mf/testRun the complete non-browser gate before handoff:
pnpm checkpnpm check runs formatting/lint, a clean topological build, isolated packed-package consumption,
TypeScript checks, unit/integration tests, and coverage thresholds. Do not treat a focused test as
evidence that the repository gate passes.
Browser E2E
Install the configured Chromium binary once:
pnpm exec playwright install chromiumDevelopment-server mode:
pnpm test:e2eFresh production build and preview mode:
pnpm test:e2e:previewCI requires the production-preview path. Run both when changing Host orchestration, remote output, asset URLs, manifests, shared dependencies, iframe behavior, framework adapters, or example server configuration.
The current server map is owned by e2e/playwright-config.ts:
4100–4103: React Host, React remote, Vue remote, and iframe agent;4110: core-only Host;4200–4203: plain Vite Host and the official, unscoped, and OriginJS producers.
The OriginJS workspace's dev command intentionally builds and previews its remote. It does not
provide a bundleless remote dev mode.
Adding or changing public APIs
A public API change is incomplete until all applicable evidence exists:
- implementation and types are exported only through an intended package
exportsentry; - unit/contract tests cover success, failure, cancellation, and cleanup;
- package README and the relevant contract guide explain intent and boundaries;
- runtime identifiers, input envelopes, and extension contexts follow existing validation and snapshot rules;
- ESM and CommonJS packed-package imports still pass;
- a Changeset records consumer impact;
- compatibility and rollback implications are reviewed before stable.
Avoid adding a convenience API that bypasses the Host transaction. Standalone development should compose a normal Host with a static resolver and local loader so readiness, services, cancellation, and cleanup remain identical to production.
Module Federation changes
@fronts/mf MUST remain an adapter over public official runtime instance methods. It must not:
- parse or mutate MF manifests/snapshots;
- import private
runtime-coreinternals; - implement shared dependency selection;
- discover or mutate a hidden global default instance;
- add bundler-specific behavior to
@fronts/core.
When adding a producer compatibility claim, follow the acceptance checklist in Module Federation integrations. A load-only smoke test is insufficient: prove readiness, services, update, unmount, idle audit, production output, and shared behavior where applicable.
Iframe and capability changes
Iframe, identity, capability, and service-scope changes are security-sensitive. Preserve these invariants:
- exact origins; never
targetOrigin="*"; - dedicated child origin with the required sandbox tokens;
- validation of both message origin and expected source window;
- random channel ID and exactly one transferred port;
- final grant as the intersection of proxy maximum, Host-authorized services, and child declaration;
- parent-side validation on every privileged call;
- revocation on abort/unmount and deterministic provider, peer, agent, and container cleanup.
Run the complete iframe tests and cross-origin browser E2E. Review Iframe deployment, Isolation and security, and SECURITY.md. Security reports must not be moved into a public issue or normal pull request before coordinated disclosure.
Documentation changes
Documentation should capture intent, ownership boundaries, invariants, trade-offs, and verification paths rather than restating implementation line by line.
For a new concept document under docs:
- add YAML frontmatter with
type,title,description,owner, andstatus; - use
status: proposeduntil maintainers accept new policy or design commitments; - link source types/tests instead of copying volatile field lists and defaults;
- include a
## Verificationsection with commands or explicit missing evidence; - add it to
docs/index.mdand link that index from any relevant package README; - use Mermaid only when it materially clarifies a boundary, sequence, lifecycle, or decision tree;
- run
pnpm docs:checkand Prettier so relative links, metadata, API coverage, and navigation remain valid.
Update documentation in the same concern commit as the behavior that makes it stale. Do not add pre-2.0 migration or compatibility material to current Fronts 2.0 documentation.
Pull request checklist
- The change has one clear responsibility and no unrelated worktree edits.
- Public behavior has focused success, failure, cancellation, and cleanup evidence.
-
pnpm checkpasses. -
pnpm docs:checkpasses when Markdown or public Host types changed. - Relevant development and production-preview E2E pass.
- Public package changes include a Changeset.
- READMEs, contracts, support tables, and runbooks match the new behavior.
- New producer claims state their exact tested boundary.
- Security-sensitive changes received explicit human review.
- Logs, fixtures, screenshots, and reports contain no credentials or tenant-sensitive data.
- The commit history is focused and reviewable.
Reporting problems
Use GitHub issues for reproducible bugs, documentation gaps, and feature proposals. Include the diagnostic evidence requested by Troubleshooting and Support policy.
Do not report vulnerabilities publicly. Follow SECURITY.md.
Verification
package.jsonowns required commands, engines, and package-manager configuration.- CI owns the Node and Chromium release gates.
- Releasing owns Changesets, prerelease, provenance, and publication flow.
pnpm checkis the complete local non-browser gate.pnpm test:e2eandpnpm test:e2e:previewprove development and built example composition.