Skip to content

SIGSEGV when ESM import() loads large CJS webpack bundle (merve regression in v24.14.0) #62212

Closed
nodejs/merve
#41
Closed
SIGSEGV when ESM import() loads large CJS webpack bundle (merve regression in v24.14.0)#62212
nodejs/merve
#41
Assignees
anonrig
@EgoziE

Description

@EgoziE
EgoziE
opened on Mar 11, 2026

Version

v24.14.0

Platform

Darwin 25.2.0 arm64 (macOS, Apple Silicon)

Subsystem

esm, module

What steps will reproduce the bug?

ESM import() of a large (~3.18 MB) CJS webpack/ncc bundle causes a segmentation fault (SIGSEGV) on Node v24.14.0. The same file loads successfully on v24.13.0 and via CJS require() on v24.14.0.

The bundle is generated by @vercel/ncc and follows the standard webpack bundle pattern:

require('./sourcemap-register.js');(()=>{var __webpack_modules__={
  // ~500 modules across 503 lines, heavily minified, ~3.18MB total
};
// ... webpack runtime ...
module.exports = __webpack_exports__;
})();

Steps to reproduce:

# With any large ncc/webpack CJS bundle saved as bundle.js (~1-3MB+):
# Works on v24.13.0:
node --input-type=module -e "import('./bundle.js').then(() => console.log('ok'))"
# ok

# Segfaults on v24.14.0:
node --input-type=module -e "import('./bundle.js').then(() => console.log('ok'))"
# (no output, exit code 139 / SIGSEGV)

CJS require() works fine on v24.14.0:

node -e "require('./bundle.js'); console.log('ok')"
# ok

The specific package that I encountered the problem with in in private registry, but the issue is likely reproducible with any sufficiently large/complex ncc-bundled CJS module.

How often does it reproduce? Is there a required condition?

100% reproducible.

Key conditions:

  • The CJS module must be loaded via ESM import() (not require())
  • The bundle must be large enough (~1MB+) — a truncated first half (~1.59MB) of the 3.18MB bundle still crashes, but the first quarter (~795KB) does not
  • The crash is pattern-specific, not purely size-based — synthetic large CJS files with simple exports.x = ... patterns do not crash

What is the expected behavior? Why is that the expected behavior?

The CJS module should load successfully via ESM import(), as it does on v24.13.0. A segfault should never occur regardless of module content.

What do you see instead?

The process terminates immediately with SIGSEGV (exit code 139 on macOS/Linux). No error message, no stack trace, no output at all.

Bisected to

This regression was introduced by the replacement of cjs-module-lexer with merve in #61456 (commit 68da144b4e), which landed in v24.14.0.

Evidence:

  • v24.13.0 (uses cjs-module-lexer): ✅ works
  • v24.14.0 (uses merve): ❌ SIGSEGV
  • require() on v24.14.0 (bypasses the CJS lexer): ✅ works
  • import() on v24.14.0 (uses the CJS lexer to detect named exports): ❌ SIGSEGV

The CJS module lexer is invoked when ESM import() loads a CJS module to analyze its exports. The crash occurs during this analysis phase, before any module code executes.

Additional information

Workaround: Use createRequire() from node:module to load the CJS module instead of ESM import:

import { createRequire } from 'node:module';
const require = createRequire(import.meta.url);
const pkg = require('the-large-cjs-package');

cc @anonrig (merve author)

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions