refactor: add normalizePackageMan helper
#100
Conversation
|
Looks like the tests aren't passing in Windows because of the classic ETA: Look for the lines in the bin normalization code like: |
antongolub
force-pushed
the
fix-mandir-scope
branch
from
903b29c
to
b418d86
Compare
antongolub
changed the title
normalizePackageMan helper
|
The changes are separated now:
|
antongolub
force-pushed
the
fix-mandir-scope
branch
from
b418d86
to
e483b0a
Compare
## What / Why
The current `directories.man` handler allows to reach assets outside the
package scope.
```js
// expand directories.man
if (steps.includes('mans') && !data.man && data.directories?.man) {
const manDir = data.directories.man
const cwd = path.resolve(pkg.path, manDir)
const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
data.man = files.map(man =>
path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
)
```
```js
path.resolve(process.cwd(), '/') → '/' system root
```
## References
* continues npm/read-package-json#177
* relates #100
|
This will need a rebase because of #104 landing |
antongolub
force-pushed
the
fix-mandir-scope
branch
from
59c7e2e
to
a055766
Compare
antongolub
force-pushed
the
fix-mandir-scope
branch
from
a055766
to
38dfa26
Compare
|
|
Please do. I can land this PR now instead of waiting on that. |
|
I wonder how much overlap there truly is between the If there's a 1:1 overlap would it be possible to pass |
|
Also another small note about process. You don't need to |
|
Ah fiddlesticks I merged w/ an invalid prefix. I'll have to edit |
Aligns normalization logic with `directories.bin` See also: https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105 ```js fixManField: function (data) { if (!data.man) { return } if (typeof data.man === 'string') { data.man = [data.man] } }, ``` * continues npm/read-package-json#177 * relates #104 CC @wraithgar
Aligns normalization logic with `directories.bin` See also: https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105 ```js fixManField: function (data) { if (!data.man) { return } if (typeof data.man === 'string') { data.man = [data.man] } }, ``` * continues npm/read-package-json#177 * relates #104 CC @wraithgar
|
ok @antongolub the |
## What / Why
* Aligns path normalization logic when processing `bin` and `man` refs.
* Fixes out of scope path traversals for `bin`
```js
function unixifyPath (ref) {
return ref.replace(/\\|:/g, '/')
}
function securePath (ref) {
const secured = path.join('.', path.join('/', unixifyPath(ref)))
return secured.startsWith('.') ? '' : secured
}
function secureAndUnixifyPath (ref) {
return unixifyPath(securePath(ref))
}
```
## References
continues
[#100](#100 (comment)),
#104
🤖 I have created a release *beep* *boop* --- ## [5.1.1](v5.1.0...v5.1.1) (2024-05-28) ### Bug Fixes * [`54756d2`](54756d2) [#105](#105) apply `securePath` to package bin (#105) (@antongolub) * [`46c563b`](46c563b) add `normalizePackageMan` helper (#100) (@antongolub) * [`a974274`](a974274) prevent `directory.man` referencing outside the package root (#104) (@antongolub) * [`191b521`](191b521) [#102](#102) invalid scripts warning fixed for undefined scripts (#102) (@milaninfy) ### Chores * [`45a2937`](45a2937) [#98](#98) bump @npmcli/template-oss to 4.22.0 (@lukekarrys) * [`90863c1`](90863c1) [#98](#98) postinstall for dependabot template-oss PR (@lukekarrys) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
What / Why
Aligns normalization logic with
directories.binSee also: https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
References
directory.manreferencing outside the package root #104CC @wraithgar