refactor: add normalizePackageMan helper #100
Conversation
Looks like the tests aren't passing in Windows because of the classic ETA: Look for the lines in the bin normalization code like:
The changes are separated now:
## What / Why

The current `directories.man` handler allows reaching assets outside the package scope.

```js
// expand directories.man
if (steps.includes('mans') && !data.man && data.directories?.man) {
  const manDir = data.directories.man
  const cwd = path.resolve(pkg.path, manDir)
  const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
  data.man = files.map(man =>
    path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
  )
}
```

```js
path.resolve(process.cwd(), '/') // → '/' (the system root)
```

## References

* continues npm/read-package-json#177
* relates #100
This will need a rebase because of #104 landing
Please do. I can land this PR now instead of waiting on that.
I wonder how much overlap there truly is between the If there's a 1:1 overlap would it be possible to pass
Also another small note about process. You don't need to
Ah fiddlesticks I merged w/ an invalid prefix. I'll have to edit
Aligns normalization logic with `directories.bin`

See also: https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105

```js
fixManField: function (data) {
  if (!data.man) {
    return
  }
  if (typeof data.man === 'string') {
    data.man = [data.man]
  }
},
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
ok @antongolub the
## What / Why

* Aligns path normalization logic when processing `bin` and `man` refs.
* Fixes out of scope path traversals for `bin`

```js
function unixifyPath (ref) {
  return ref.replace(/\\|:/g, '/')
}

function securePath (ref) {
  const secured = path.join('.', path.join('/', unixifyPath(ref)))
  return secured.startsWith('.') ? '' : secured
}

function secureAndUnixifyPath (ref) {
  return unixifyPath(securePath(ref))
}
```

## References

continues #100 (comment), #104
🤖 I have created a release *beep* *boop*

---

## [5.1.1](v5.1.0...v5.1.1) (2024-05-28)

### Bug Fixes

* `54756d2` #105 apply `securePath` to package bin (#105) (@antongolub)
* `46c563b` add `normalizePackageMan` helper (#100) (@antongolub)
* `a974274` prevent `directory.man` referencing outside the package root (#104) (@antongolub)
* `191b521` #102 invalid scripts warning fixed for undefined scripts (#102) (@milaninfy)

### Chores

* `45a2937` #98 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
* `90863c1` #98 postinstall for dependabot template-oss PR (@lukekarrys)

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>