Build and Module Federation
The rspack entry point connects an Rslib or Rsbuild compilation to the TAP package descriptor.
Use one target-specific compilation per runtime. Then assemble the outputs into one physical package.
Stable Federation Baseline
Use exact 2.8.0 versions for the Module Federation build plugin, runtime tools, and any directly installed manifest package. Mixed versions can produce a graph that builds successfully but reports an incompatible remote-entry type or manifest shape.
Keep the SDK version within the descriptor's compatibility.tapSdk range and the SDK's peer dependency ranges.
Rslib Targets with tapLib
tapLib returns an Rslib library configuration. Important options are:
manifest: source descriptor path, defaulting tomanifest.tap.json;packageTarget: descriptor target being compiled;packageOutputRoot: isolated staging root for that compilation; andfederation: Module Federation name, exposes, and manifest settings.
Build each target separately:
Rsbuild Bundles with pluginTap
pluginTap is the Rsbuild integration for a supported bundle manifest or a target-specific Federation build. Pass the same manifest and Federation identity rules you would use with tapLib.
Use tapLib for an Rslib package and pluginTap for an Rsbuild application. Do not install both into the same compilation.
Assemble the Package
assembleTapPackage verifies the descriptor and every supplied target before replacing the output:
The supplied target keys must exactly equal the descriptor target keys. Target roots must not overlap one another or the final output.
Assembly verifies remote entries, Federation manifests, exposes, target asset locks, shared presentation files, and final descriptor integrity. It uses a recoverable transaction so a failed or interrupted assembly does not publish half a package.
Verify Portability
Scan the final bytes before publication:
The scan rejects symbolic links, local file URLs, and embedded checkout paths. Run it on the assembled output rather than only on source code.
Build Invariants
Before publishing, verify that:
- each remote entry uses an ESM module library;
- every contribution expose exists in its selected target;
- the generated lock covers every emitted asset;
- the descriptor contains final integrity values and one content digest;
- no source map or debug artifact exposes a local path unless intentionally shipped; and
- a clean project can install and build with the public SDK alone.