shakapacker 9.0.0.beta.5 → 9.0.0.beta.7

data/test/peer-dependencies.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Test script for verifying optional peer dependencies work correctly
+# This ensures no warnings are shown during installation with different package managers
+
+set -e
+
+echo "Testing optional peer dependencies installation..."
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Get the current directory (shakapacker root)
+SHAKAPACKER_PATH=$(pwd)
+
+# Create a temporary directory for tests
+TEST_DIR=$(mktemp -d)
+echo "Testing in: $TEST_DIR"
+
+# Function to check for peer dependency warnings
+check_warnings() {
+    local output=$1
+    local pkg_manager=$2
+
+    # Check for common peer dependency warning patterns
+    if echo "$output" | grep -i "peer" | grep -i "warn" > /dev/null 2>&1; then
+        echo -e "${RED}✗ $pkg_manager shows peer dependency warnings${NC}"
+        return 1
+    else
+        echo -e "${GREEN}✓ $pkg_manager installation clean (no warnings)${NC}"
+        return 0
+    fi
+}
+
+# Test with npm
+echo ""
+echo "Testing with npm..."
+mkdir -p "$TEST_DIR/npm-test"
+cd "$TEST_DIR/npm-test"
+npm init -y > /dev/null 2>&1
+NPM_OUTPUT=$(npm install "$SHAKAPACKER_PATH" 2>&1)
+check_warnings "$NPM_OUTPUT" "npm"
+NPM_RESULT=$?
+
+# Test with yarn
+echo ""
+echo "Testing with yarn..."
+mkdir -p "$TEST_DIR/yarn-test"
+cd "$TEST_DIR/yarn-test"
+yarn init -y > /dev/null 2>&1
+YARN_OUTPUT=$(yarn add "$SHAKAPACKER_PATH" 2>&1)
+check_warnings "$YARN_OUTPUT" "yarn"
+YARN_RESULT=$?
+
+# Test with pnpm (if available)
+if command -v pnpm &> /dev/null; then
+    echo ""
+    echo "Testing with pnpm..."
+    mkdir -p "$TEST_DIR/pnpm-test"
+    cd "$TEST_DIR/pnpm-test"
+    pnpm init > /dev/null 2>&1
+    PNPM_OUTPUT=$(pnpm add "$SHAKAPACKER_PATH" 2>&1)
+    check_warnings "$PNPM_OUTPUT" "pnpm"
+    PNPM_RESULT=$?
+else
+    echo ""
+    echo "Skipping pnpm test (not installed)"
+    PNPM_RESULT=0
+fi
+
+# Cleanup
+rm -rf "$TEST_DIR"
+
+# Summary
+echo ""
+echo "===== Test Summary ====="
+if [ $NPM_RESULT -eq 0 ] && [ $YARN_RESULT -eq 0 ] && [ $PNPM_RESULT -eq 0 ]; then
+    echo -e "${GREEN}All tests passed! No peer dependency warnings detected.${NC}"
+    exit 0
+else
+    echo -e "${RED}Some tests failed. Peer dependency warnings were detected.${NC}"
+    exit 1
+fi

data/test/scripts/remove-use-strict.test.js

@@ -0,0 +1,125 @@
+const fs = require("fs")
+const path = require("path")
+const { execSync } = require("child_process")
+const os = require("os")
+
+describe("remove-use-strict script", () => {
+  let tempDir
+
+  beforeEach(() => {
+    // Create a temporary directory for test files
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "remove-use-strict-test-"))
+  })
+
+  afterEach(() => {
+    // Clean up the temporary directory
+    fs.rmSync(tempDir, { recursive: true, force: true })
+  })
+
+  function createTestFile(filename, content) {
+    const filePath = path.join(tempDir, filename)
+    fs.writeFileSync(filePath, content, "utf8")
+    return filePath
+  }
+
+  function runScript(directory) {
+    // Run the script with a custom directory
+    const scriptContent = fs.readFileSync(
+      "scripts/remove-use-strict.js",
+      "utf8"
+    )
+    // Replace 'package' with our test directory
+    const modifiedScript = scriptContent.replace(
+      'findJsFiles("package")',
+      `findJsFiles("${directory}")`
+    )
+    const tempScript = path.join(tempDir, "test-script.js")
+    fs.writeFileSync(tempScript, modifiedScript, "utf8")
+    execSync(`node "${tempScript}"`, { stdio: "pipe" })
+  }
+
+  it("removes standard double-quoted use strict with semicolon", () => {
+    const filePath = createTestFile("test1.js", '"use strict";\nconst x = 1;')
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("removes single-quoted use strict without semicolon", () => {
+    const filePath = createTestFile("test2.js", "'use strict'\nconst x = 1;")
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("removes use strict with leading whitespace", () => {
+    const filePath = createTestFile(
+      "test3.js",
+      '  \t"use strict";\nconst x = 1;'
+    )
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("removes use strict with trailing whitespace and multiple newlines", () => {
+    const filePath = createTestFile(
+      "test4.js",
+      '"use strict";  \n\n\nconst x = 1;'
+    )
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("removes use strict with unicode quotes", () => {
+    const filePath = createTestFile(
+      "test5.js",
+      "\u201Cuse strict\u201D;\nconst x = 1;"
+    )
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("ensures trailing newline when missing", () => {
+    const filePath = createTestFile("test6.js", '"use strict";\nconst x = 1')
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1\n")
+    expect(result.endsWith("\n")).toBe(true)
+  })
+
+  it("preserves content that doesn't start with use strict", () => {
+    const filePath = createTestFile(
+      "test7.js",
+      'const y = 2;\n"use strict";\nconst x = 1;'
+    )
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe('const y = 2;\n"use strict";\nconst x = 1;\n')
+  })
+
+  it("handles files already ending with newline", () => {
+    const filePath = createTestFile("test8.js", '"use strict";\nconst x = 1;\n')
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+    // Should have exactly one trailing newline, not double
+    expect(result.match(/\n$/g)).toHaveLength(1)
+  })
+
+  it("handles Windows-style line endings", () => {
+    const filePath = createTestFile("test9.js", '"use strict";\r\nconst x = 1;')
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+
+  it("handles use strict with extra spaces", () => {
+    const filePath = createTestFile("test10.js", '"use  strict";\nconst x = 1;')
+    runScript(tempDir)
+    const result = fs.readFileSync(filePath, "utf8")
+    expect(result).toBe("const x = 1;\n")
+  })
+})

data/test/typescript/build.test.js

@@ -24,9 +24,10 @@ describe("typescript build", () => {
         expect(existsSync(tsPath)).toBe(true)
         expect(existsSync(jsPath)).toBe(true)
 
-        // Verify JS file is newer than TS file (has been compiled)
+        // Verify JS file contains CommonJS exports (has been compiled)
         const jsContent = readFileSync(jsPath, "utf8")
-        expect(jsContent).toContain("use strict")
+        expect(jsContent).toContain("require(")
+        expect(jsContent).toContain("module.exports")
       })
     })
 

data/test/typescript/environments.test.js

@@ -0,0 +1,107 @@
+// Type-specific tests for environment modules
+// Test imports to ensure TypeScript modules compile correctly
+const developmentConfig = require("../../package/environments/development")
+const productionConfig = require("../../package/environments/production")
+const testConfig = require("../../package/environments/test")
+
+describe("TypeScript Environment Modules", () => {
+  describe("development.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(developmentConfig).toBeDefined()
+      expect(typeof developmentConfig).toBe("object")
+      expect(developmentConfig.mode).toBe("development")
+    })
+
+    it("includes proper devtool configuration", () => {
+      expect(developmentConfig.devtool).toBe("cheap-module-source-map")
+    })
+
+    it("can be used as webpack configuration", () => {
+      // This test verifies the module exports valid config
+      const config = developmentConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("production.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(productionConfig).toBeDefined()
+      expect(typeof productionConfig).toBe("object")
+      expect(productionConfig.mode).toBe("production")
+    })
+
+    it("includes proper devtool configuration", () => {
+      expect(productionConfig.devtool).toBe("source-map")
+    })
+
+    it("includes optimization configuration", () => {
+      expect(productionConfig.optimization).toBeDefined()
+    })
+
+    it("includes plugins array", () => {
+      expect(Array.isArray(productionConfig.plugins)).toBe(true)
+    })
+
+    it("can be used as webpack configuration", () => {
+      const config = productionConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("test.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(testConfig).toBeDefined()
+      expect(typeof testConfig).toBe("object")
+    })
+
+    it("includes proper mode configuration", () => {
+      // Test environment should always have a mode defined
+      expect(testConfig.mode).toBeDefined()
+      expect(["development", "production", "test"]).toContain(testConfig.mode)
+    })
+
+    it("can be used as webpack configuration", () => {
+      const config = testConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("type safety", () => {
+    it("ensures all environment configs have consistent base structure", () => {
+      const configs = [developmentConfig, productionConfig, testConfig]
+
+      configs.forEach((config) => {
+        expect(config).toHaveProperty("module")
+        expect(config).toHaveProperty("entry")
+        expect(config).toHaveProperty("output")
+        expect(config).toHaveProperty("resolve")
+      })
+    })
+
+    it("validates dev server configuration when present", () => {
+      // Development config may or may not have devServer depending on environment
+      const { devServer = {} } = developmentConfig
+
+      // Validate devServer type (either undefined or object from config)
+      const actualDevServer = developmentConfig.devServer
+      expect(["undefined", "object"]).toContain(typeof actualDevServer)
+
+      // For port validation, we accept: undefined, "auto", number, or string
+      const { port } = devServer
+
+      // Map "auto" string to type "auto", everything else to its typeof
+      // Use array to avoid conditional operators - mappedType takes precedence
+      const portTypeMap = { auto: "auto" }
+      const mappedType = portTypeMap[port]
+      const actualType = typeof port
+      const possibleTypes = [mappedType, actualType]
+      const portType = possibleTypes.find((t) => t !== undefined)
+
+      // Port should be undefined, "auto", number, or string
+      expect(["undefined", "auto", "number", "string"]).toContain(portType)
+    })
+  })
+})

data/test/typescript/pathValidation.test.js

@@ -0,0 +1,142 @@
+// Tests for path validation and security utilities
+const path = require("path")
+const {
+  isPathTraversalSafe,
+  safeResolvePath,
+  validatePaths,
+  sanitizeEnvValue,
+  validatePort
+} = require("../../package/utils/pathValidation")
+
+describe("Path Validation Security", () => {
+  describe("isPathTraversalSafe", () => {
+    it("detects directory traversal patterns", () => {
+      const unsafePaths = [
+        "../etc/passwd",
+        "../../secrets",
+        "/etc/passwd",
+        "~/ssh/keys",
+        "C:\\Windows\\System32",
+        "C:/Windows/System32", // Windows with forward slash
+        "D:\\Program Files", // Different drive letter
+        "\\\\server\\share\\file", // Windows UNC path
+        "\\\\192.168.1.1\\share", // UNC with IP
+        "%2e%2e%2fsecrets",
+        "%2E%2E%2Fsecrets", // URL encoded uppercase
+        "path\x00with\x00null" // Null bytes
+      ]
+
+      unsafePaths.forEach((unsafePath) => {
+        expect(isPathTraversalSafe(unsafePath)).toBe(false)
+      })
+    })
+
+    it("allows safe relative paths", () => {
+      const safePaths = [
+        path.join("src", "index.js"),
+        path.join(".", "components", "App.tsx"),
+        path.join("node_modules", "package", "index.js"),
+        path.join("dist", "bundle.js")
+      ]
+
+      safePaths.forEach((safePath) => {
+        expect(isPathTraversalSafe(safePath)).toBe(true)
+      })
+    })
+  })
+
+  describe("safeResolvePath", () => {
+    it("resolves paths within base directory", () => {
+      const basePath = path.join(path.sep, "app")
+      const userPath = path.join("src", "index.js")
+      const result = safeResolvePath(basePath, userPath)
+
+      expect(result).toContain(basePath)
+      expect(result).toContain(userPath.replace(/\\/g, path.sep))
+    })
+
+    it("throws on traversal attempts", () => {
+      const basePath = path.join(path.sep, "app")
+      const maliciousPath = path.join("..", "etc", "passwd")
+
+      expect(() => {
+        safeResolvePath(basePath, maliciousPath)
+      }).toThrow("Path traversal attempt detected")
+    })
+  })
+
+  describe("validatePaths", () => {
+    it("filters out unsafe paths with warnings", () => {
+      const consoleSpy = jest.spyOn(console, "warn").mockImplementation()
+
+      const paths = [
+        path.join("src", "index.js"),
+        path.join("..", "etc", "passwd"),
+        path.join("components", "App.tsx")
+      ]
+
+      const result = validatePaths(paths, path.join(path.sep, "app"))
+
+      expect(result).toHaveLength(2)
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("potentially unsafe path")
+      )
+
+      consoleSpy.mockRestore()
+    })
+  })
+
+  describe("sanitizeEnvValue", () => {
+    it("removes control characters", () => {
+      const dirty = "normal\x00text\x1Fwith\x7Fcontrol"
+      const clean = sanitizeEnvValue(dirty)
+
+      expect(clean).toBe("normaltextwithcontrol")
+    })
+
+    it("warns when sanitization occurs", () => {
+      const consoleSpy = jest.spyOn(console, "warn").mockImplementation()
+
+      sanitizeEnvValue("text\x00with\x00nulls")
+
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("control characters")
+      )
+
+      consoleSpy.mockRestore()
+    })
+
+    it("returns undefined for undefined input", () => {
+      expect(sanitizeEnvValue(undefined)).toBeUndefined()
+    })
+  })
+
+  describe("validatePort", () => {
+    it("accepts valid port numbers", () => {
+      expect(validatePort(3000)).toBe(true)
+      expect(validatePort(80)).toBe(true)
+      expect(validatePort(65535)).toBe(true)
+    })
+
+    it("accepts valid port strings", () => {
+      expect(validatePort("3000")).toBe(true)
+      expect(validatePort("auto")).toBe(true)
+    })
+
+    it("rejects invalid ports", () => {
+      expect(validatePort(0)).toBe(false)
+      expect(validatePort(65536)).toBe(false)
+      expect(validatePort(-1)).toBe(false)
+      expect(validatePort(3000.5)).toBe(false)
+      expect(validatePort("invalid")).toBe(false)
+      expect(validatePort("3000abc")).toBe(false) // Should reject strings with non-digits
+      expect(validatePort("abc3000")).toBe(false) // Should reject strings with non-digits
+      expect(validatePort("30.00")).toBe(false) // Should reject decimal strings
+      expect(validatePort("3000 ")).toBe(false) // Should reject strings with spaces
+      expect(validatePort(" 3000")).toBe(false) // Should reject strings with spaces
+      expect(validatePort("0x1234")).toBe(false) // Should reject hex notation
+      expect(validatePort(null)).toBe(false)
+      expect(validatePort(undefined)).toBe(false)
+    })
+  })
+})

data/test/typescript/securityValidation.test.js

@@ -0,0 +1,182 @@
+const {
+  isValidConfig,
+  clearValidationCache
+} = require("../../package/utils/typeGuards")
+
+describe("security validation", () => {
+  const originalNodeEnv = process.env.NODE_ENV
+  const originalStrictValidation = process.env.SHAKAPACKER_STRICT_VALIDATION
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv
+    process.env.SHAKAPACKER_STRICT_VALIDATION = originalStrictValidation
+    clearValidationCache()
+  })
+
+  describe("path traversal security checks", () => {
+    const baseConfig = {
+      source_path: "./app/javascript",
+      source_entry_path: "./packs",
+      public_root_path: "./public",
+      public_output_path: "packs",
+      cache_path: "tmp/shakapacker",
+      javascript_transpiler: "babel",
+      nested_entries: false,
+      css_extract_ignore_order_warnings: false,
+      webpack_compile_output: true,
+      shakapacker_precompile: true,
+      cache_manifest: false,
+      ensure_consistent_versioning: false,
+      useContentHash: true,
+      compile: true,
+      additional_paths: []
+    }
+
+    it("always validates path traversal in required path fields in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const unsafeConfig = {
+        ...baseConfig,
+        source_path: "../../../etc/passwd"
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in required path fields in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const unsafeConfig = {
+        ...baseConfig,
+        public_output_path: "../../sensitive/data"
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in additional_paths in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const unsafeConfig = {
+        ...baseConfig,
+        additional_paths: ["./safe/path", "../../../etc/passwd"]
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in additional_paths in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const unsafeConfig = {
+        ...baseConfig,
+        additional_paths: ["./safe/path", "../../../../root/.ssh"]
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("allows safe paths in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const safeConfig = {
+        ...baseConfig,
+        additional_paths: ["./app/assets", "./vendor/assets", "node_modules"]
+      }
+
+      expect(isValidConfig(safeConfig)).toBe(true)
+    })
+
+    it("allows safe paths in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const safeConfig = {
+        ...baseConfig,
+        additional_paths: ["./app/components", "./lib/assets"]
+      }
+
+      expect(isValidConfig(safeConfig)).toBe(true)
+    })
+  })
+
+  describe("optional field validation", () => {
+    const validConfig = {
+      source_path: "./app/javascript",
+      source_entry_path: "./packs",
+      public_root_path: "./public",
+      public_output_path: "packs",
+      cache_path: "tmp/shakapacker",
+      javascript_transpiler: "babel",
+      nested_entries: false,
+      css_extract_ignore_order_warnings: false,
+      webpack_compile_output: true,
+      shakapacker_precompile: true,
+      cache_manifest: false,
+      ensure_consistent_versioning: false,
+      useContentHash: true,
+      compile: true,
+      additional_paths: [],
+      dev_server: {
+        hmr: true,
+        port: 3035
+      },
+      integrity: {
+        enabled: true,
+        cross_origin: "anonymous"
+      }
+    }
+
+    it("skips deep validation of optional fields in production without strict mode", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      // Invalid integrity config that would fail deep validation
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should pass because deep validation is skipped in production
+      expect(isValidConfig(configWithInvalidOptional)).toBe(true)
+    })
+
+    it("performs deep validation of optional fields in development", () => {
+      process.env.NODE_ENV = "development"
+
+      // Invalid integrity config
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should fail because deep validation runs in development
+      expect(isValidConfig(configWithInvalidOptional)).toBe(false)
+    })
+
+    it("performs deep validation in production with strict mode", () => {
+      process.env.NODE_ENV = "production"
+      process.env.SHAKAPACKER_STRICT_VALIDATION = "true"
+
+      // Invalid integrity config
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should fail because strict validation is enabled
+      expect(isValidConfig(configWithInvalidOptional)).toBe(false)
+    })
+  })
+})