Firefox 147 Adds Module-Type Service Workers — What Full‑Stack Teams Must Do Now
What happened
- Firefox 147 (stable, January 2026) introduced support for service workers as ECMAScript modules — i.e., you can register a service worker with
{ type: 'module' }and use import/export and module semantics inside the worker. (developer.mozilla.org)
Why this matters (high impact)
- Modern, reusable code in the worker: you can import shared utility modules, tree‑shake for smaller payloads, and keep parity between main thread and worker code.
- Top-level await, strict ESM semantics, and built-in module resolution remove the need for importScripts and fragile concatenation patterns.
- Simpler toolchain integration: rollups/bundlers that emit ESM outputs can feed service workers directly, reducing build-time hacks.
- Security and maintainability: clearer module boundaries and easier auditing of dependency graphs inside workers.
What full‑stack teams should do now — concrete, prioritized checklist
-
Quick compatibility check
- Verify your target browsers and user base (Firefox 147+ availability in your telemetry). If a meaningful fraction of users run older Firefox or other browsers that might not be on auto‑update in your environment, plan a fallback. (developer.mozilla.org)
-
Feature-detect and register safely
- Use feature detection and conditional registration: attempt
navigator.serviceWorker.register('/sw.js', { type: 'module' })when supported, otherwise fall back to classic registration. Do not force module registration without a fallback in public-facing products.
- Use feature detection and conditional registration: attempt
-
Migrate worker code to ESM
- Replace
importScripts(...)withimport ... from '...'and convert CommonJS-style code to ESM (or provide ESM-compatible entrypoints). - Remove global-side effects that relied on importScripts ordering; rely on explicit imports and initialization.
- Replace
-
Build pipeline changes
- Configure bundlers to emit ESM outputs for service workers (preserve import statements or emit .mjs where needed).
- Ensure your server returns correct MIME types (e.g., text/javascript or application/javascript) for module files and supports CORS credentials as required by module loading.
- If you use hashed filenames or asset CDNs, confirm workers can import those URLs at runtime (or inline a small manifest).
-
Content Security Policy (CSP) and headers
- Review CSP: module imports in workers are fetched like normal modules; ensure
script-src/worker-srcrules do not block those requests. - If you use service-worker registration options that change fetch behavior, validate same‑origin/cross‑origin rules and cookies/credentials.
- Review CSP: module imports in workers are fetched like normal modules; ensure
-
Libraries and tooling
- Test Workbox and other common SW libraries for module‑mode compatibility; update to versions that explicitly support
type: 'module'(or migrate manual control). - Update local dev servers (and CI) to serve module workers consistently (watch for dev server defaults that inject wrappers or use incorrect CORS headers).
- Test Workbox and other common SW libraries for module‑mode compatibility; update to versions that explicitly support
-
Tests and rollout
- Add end‑to‑end tests that:
- register the worker in module mode,
- confirm imports resolve (and top‑level await works if used),
- validate offline behavior and cache lifecycle on module workers.
- Canary the change for a small percentage of traffic; monitor service worker registrations, activation failures, and error logs.
- Provide telemetry or error trapping (sentry/logging) around
ServiceWorkerContainer.register()to detect unsupported-client fallbacks.
- Add end‑to‑end tests that:
Common pitfalls to watch for
- Bundler output incompatible with module loader (IIFE vs. ESM). Emit ESM entrypoints for workers.
- Relying on importScripts sequence semantics — replace with explicit imports and initialization order.
- Older browsers (or locked enterprise environments) failing registration if you omit a classic fallback.
- Incorrect MIME/CORS or CSP blocking module imports and causing silent failures on registration.
Short rollout plan (one‑page)
- Week 0: Add feature-detect + fallback registration; smoke test on staging.
- Week 1: Convert worker to ESM; update build and server MIME/CORS.
- Week 2: Add e2e tests; deploy to canary (1–5%).
- Week 3: Monitor errors/metrics; expand rollout to 25%, then 100% after clean telemetry.
Bottom line Firefox 147’s module‑type service worker support turns workers into first‑class ESM consumers. For full‑stack teams this means cleaner code sharing, simpler builds, and more powerful service worker logic — but it requires deliberate build, registration, and rollout changes. Start with feature detection and a staged migration to avoid surprises in environments that still run older clients. (developer.mozilla.org)
Source:
Source
Read Next
Chrome 143 changes FedCM: structured ID assertions, stricter client metadata, and breaking API updates
January 31, 2026Chrome 143 (published Jan 12, 2026) changes the FedCM identity flow: ID assertion tokens can be structured JSON, client_metadata validation is enforced, and several API fields move/rename — migration required before Chrome 145.
Undici CVE-2026-22036: unbounded decompression chain allows resource exhaustion — patches released
January 30, 2026A Jan 14, 2026 security advisory for undici (the Node.js HTTP client) describes an unbounded decompression-chain vulnerability that can lead to high CPU and memory usage. Full‑stack teams must find and upgrade affected undici versions and add lightweight runtime protections.
React Router / Remix Patch CSRF Vulnerability in Server Actions (CVE-2026-22030)
January 29, 2026React Router and @remix-run/server-runtime patched a medium-severity CSRF issue affecting server-side action handlers and unstable React Server Actions — what full‑stack teams must check and patch now.