shakapacker 9.0.0.beta.6 → 9.0.0.beta.7

data/test/typescript/environments.test.js

@@ -0,0 +1,107 @@
+// Type-specific tests for environment modules
+// Test imports to ensure TypeScript modules compile correctly
+const developmentConfig = require("../../package/environments/development")
+const productionConfig = require("../../package/environments/production")
+const testConfig = require("../../package/environments/test")
+
+describe("TypeScript Environment Modules", () => {
+  describe("development.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(developmentConfig).toBeDefined()
+      expect(typeof developmentConfig).toBe("object")
+      expect(developmentConfig.mode).toBe("development")
+    })
+
+    it("includes proper devtool configuration", () => {
+      expect(developmentConfig.devtool).toBe("cheap-module-source-map")
+    })
+
+    it("can be used as webpack configuration", () => {
+      // This test verifies the module exports valid config
+      const config = developmentConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("production.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(productionConfig).toBeDefined()
+      expect(typeof productionConfig).toBe("object")
+      expect(productionConfig.mode).toBe("production")
+    })
+
+    it("includes proper devtool configuration", () => {
+      expect(productionConfig.devtool).toBe("source-map")
+    })
+
+    it("includes optimization configuration", () => {
+      expect(productionConfig.optimization).toBeDefined()
+    })
+
+    it("includes plugins array", () => {
+      expect(Array.isArray(productionConfig.plugins)).toBe(true)
+    })
+
+    it("can be used as webpack configuration", () => {
+      const config = productionConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("test.ts", () => {
+    it("exports a valid webpack/rspack configuration", () => {
+      expect(testConfig).toBeDefined()
+      expect(typeof testConfig).toBe("object")
+    })
+
+    it("includes proper mode configuration", () => {
+      // Test environment should always have a mode defined
+      expect(testConfig.mode).toBeDefined()
+      expect(["development", "production", "test"]).toContain(testConfig.mode)
+    })
+
+    it("can be used as webpack configuration", () => {
+      const config = testConfig
+      expect(config).toBeDefined()
+      expect(typeof config).toBe("object")
+    })
+  })
+
+  describe("type safety", () => {
+    it("ensures all environment configs have consistent base structure", () => {
+      const configs = [developmentConfig, productionConfig, testConfig]
+
+      configs.forEach((config) => {
+        expect(config).toHaveProperty("module")
+        expect(config).toHaveProperty("entry")
+        expect(config).toHaveProperty("output")
+        expect(config).toHaveProperty("resolve")
+      })
+    })
+
+    it("validates dev server configuration when present", () => {
+      // Development config may or may not have devServer depending on environment
+      const { devServer = {} } = developmentConfig
+
+      // Validate devServer type (either undefined or object from config)
+      const actualDevServer = developmentConfig.devServer
+      expect(["undefined", "object"]).toContain(typeof actualDevServer)
+
+      // For port validation, we accept: undefined, "auto", number, or string
+      const { port } = devServer
+
+      // Map "auto" string to type "auto", everything else to its typeof
+      // Use array to avoid conditional operators - mappedType takes precedence
+      const portTypeMap = { auto: "auto" }
+      const mappedType = portTypeMap[port]
+      const actualType = typeof port
+      const possibleTypes = [mappedType, actualType]
+      const portType = possibleTypes.find((t) => t !== undefined)
+
+      // Port should be undefined, "auto", number, or string
+      expect(["undefined", "auto", "number", "string"]).toContain(portType)
+    })
+  })
+})

data/test/typescript/pathValidation.test.js

@@ -0,0 +1,142 @@
+// Tests for path validation and security utilities
+const path = require("path")
+const {
+  isPathTraversalSafe,
+  safeResolvePath,
+  validatePaths,
+  sanitizeEnvValue,
+  validatePort
+} = require("../../package/utils/pathValidation")
+
+describe("Path Validation Security", () => {
+  describe("isPathTraversalSafe", () => {
+    it("detects directory traversal patterns", () => {
+      const unsafePaths = [
+        "../etc/passwd",
+        "../../secrets",
+        "/etc/passwd",
+        "~/ssh/keys",
+        "C:\\Windows\\System32",
+        "C:/Windows/System32", // Windows with forward slash
+        "D:\\Program Files", // Different drive letter
+        "\\\\server\\share\\file", // Windows UNC path
+        "\\\\192.168.1.1\\share", // UNC with IP
+        "%2e%2e%2fsecrets",
+        "%2E%2E%2Fsecrets", // URL encoded uppercase
+        "path\x00with\x00null" // Null bytes
+      ]
+
+      unsafePaths.forEach((unsafePath) => {
+        expect(isPathTraversalSafe(unsafePath)).toBe(false)
+      })
+    })
+
+    it("allows safe relative paths", () => {
+      const safePaths = [
+        path.join("src", "index.js"),
+        path.join(".", "components", "App.tsx"),
+        path.join("node_modules", "package", "index.js"),
+        path.join("dist", "bundle.js")
+      ]
+
+      safePaths.forEach((safePath) => {
+        expect(isPathTraversalSafe(safePath)).toBe(true)
+      })
+    })
+  })
+
+  describe("safeResolvePath", () => {
+    it("resolves paths within base directory", () => {
+      const basePath = path.join(path.sep, "app")
+      const userPath = path.join("src", "index.js")
+      const result = safeResolvePath(basePath, userPath)
+
+      expect(result).toContain(basePath)
+      expect(result).toContain(userPath.replace(/\\/g, path.sep))
+    })
+
+    it("throws on traversal attempts", () => {
+      const basePath = path.join(path.sep, "app")
+      const maliciousPath = path.join("..", "etc", "passwd")
+
+      expect(() => {
+        safeResolvePath(basePath, maliciousPath)
+      }).toThrow("Path traversal attempt detected")
+    })
+  })
+
+  describe("validatePaths", () => {
+    it("filters out unsafe paths with warnings", () => {
+      const consoleSpy = jest.spyOn(console, "warn").mockImplementation()
+
+      const paths = [
+        path.join("src", "index.js"),
+        path.join("..", "etc", "passwd"),
+        path.join("components", "App.tsx")
+      ]
+
+      const result = validatePaths(paths, path.join(path.sep, "app"))
+
+      expect(result).toHaveLength(2)
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("potentially unsafe path")
+      )
+
+      consoleSpy.mockRestore()
+    })
+  })
+
+  describe("sanitizeEnvValue", () => {
+    it("removes control characters", () => {
+      const dirty = "normal\x00text\x1Fwith\x7Fcontrol"
+      const clean = sanitizeEnvValue(dirty)
+
+      expect(clean).toBe("normaltextwithcontrol")
+    })
+
+    it("warns when sanitization occurs", () => {
+      const consoleSpy = jest.spyOn(console, "warn").mockImplementation()
+
+      sanitizeEnvValue("text\x00with\x00nulls")
+
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("control characters")
+      )
+
+      consoleSpy.mockRestore()
+    })
+
+    it("returns undefined for undefined input", () => {
+      expect(sanitizeEnvValue(undefined)).toBeUndefined()
+    })
+  })
+
+  describe("validatePort", () => {
+    it("accepts valid port numbers", () => {
+      expect(validatePort(3000)).toBe(true)
+      expect(validatePort(80)).toBe(true)
+      expect(validatePort(65535)).toBe(true)
+    })
+
+    it("accepts valid port strings", () => {
+      expect(validatePort("3000")).toBe(true)
+      expect(validatePort("auto")).toBe(true)
+    })
+
+    it("rejects invalid ports", () => {
+      expect(validatePort(0)).toBe(false)
+      expect(validatePort(65536)).toBe(false)
+      expect(validatePort(-1)).toBe(false)
+      expect(validatePort(3000.5)).toBe(false)
+      expect(validatePort("invalid")).toBe(false)
+      expect(validatePort("3000abc")).toBe(false) // Should reject strings with non-digits
+      expect(validatePort("abc3000")).toBe(false) // Should reject strings with non-digits
+      expect(validatePort("30.00")).toBe(false) // Should reject decimal strings
+      expect(validatePort("3000 ")).toBe(false) // Should reject strings with spaces
+      expect(validatePort(" 3000")).toBe(false) // Should reject strings with spaces
+      expect(validatePort("0x1234")).toBe(false) // Should reject hex notation
+      expect(validatePort(null)).toBe(false)
+      expect(validatePort(undefined)).toBe(false)
+    })
+  })
+})

data/test/typescript/securityValidation.test.js

@@ -0,0 +1,182 @@
+const {
+  isValidConfig,
+  clearValidationCache
+} = require("../../package/utils/typeGuards")
+
+describe("security validation", () => {
+  const originalNodeEnv = process.env.NODE_ENV
+  const originalStrictValidation = process.env.SHAKAPACKER_STRICT_VALIDATION
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv
+    process.env.SHAKAPACKER_STRICT_VALIDATION = originalStrictValidation
+    clearValidationCache()
+  })
+
+  describe("path traversal security checks", () => {
+    const baseConfig = {
+      source_path: "./app/javascript",
+      source_entry_path: "./packs",
+      public_root_path: "./public",
+      public_output_path: "packs",
+      cache_path: "tmp/shakapacker",
+      javascript_transpiler: "babel",
+      nested_entries: false,
+      css_extract_ignore_order_warnings: false,
+      webpack_compile_output: true,
+      shakapacker_precompile: true,
+      cache_manifest: false,
+      ensure_consistent_versioning: false,
+      useContentHash: true,
+      compile: true,
+      additional_paths: []
+    }
+
+    it("always validates path traversal in required path fields in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const unsafeConfig = {
+        ...baseConfig,
+        source_path: "../../../etc/passwd"
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in required path fields in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const unsafeConfig = {
+        ...baseConfig,
+        public_output_path: "../../sensitive/data"
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in additional_paths in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const unsafeConfig = {
+        ...baseConfig,
+        additional_paths: ["./safe/path", "../../../etc/passwd"]
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("always validates path traversal in additional_paths in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const unsafeConfig = {
+        ...baseConfig,
+        additional_paths: ["./safe/path", "../../../../root/.ssh"]
+      }
+
+      expect(isValidConfig(unsafeConfig)).toBe(false)
+    })
+
+    it("allows safe paths in production", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      const safeConfig = {
+        ...baseConfig,
+        additional_paths: ["./app/assets", "./vendor/assets", "node_modules"]
+      }
+
+      expect(isValidConfig(safeConfig)).toBe(true)
+    })
+
+    it("allows safe paths in development", () => {
+      process.env.NODE_ENV = "development"
+
+      const safeConfig = {
+        ...baseConfig,
+        additional_paths: ["./app/components", "./lib/assets"]
+      }
+
+      expect(isValidConfig(safeConfig)).toBe(true)
+    })
+  })
+
+  describe("optional field validation", () => {
+    const validConfig = {
+      source_path: "./app/javascript",
+      source_entry_path: "./packs",
+      public_root_path: "./public",
+      public_output_path: "packs",
+      cache_path: "tmp/shakapacker",
+      javascript_transpiler: "babel",
+      nested_entries: false,
+      css_extract_ignore_order_warnings: false,
+      webpack_compile_output: true,
+      shakapacker_precompile: true,
+      cache_manifest: false,
+      ensure_consistent_versioning: false,
+      useContentHash: true,
+      compile: true,
+      additional_paths: [],
+      dev_server: {
+        hmr: true,
+        port: 3035
+      },
+      integrity: {
+        enabled: true,
+        cross_origin: "anonymous"
+      }
+    }
+
+    it("skips deep validation of optional fields in production without strict mode", () => {
+      process.env.NODE_ENV = "production"
+      delete process.env.SHAKAPACKER_STRICT_VALIDATION
+
+      // Invalid integrity config that would fail deep validation
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should pass because deep validation is skipped in production
+      expect(isValidConfig(configWithInvalidOptional)).toBe(true)
+    })
+
+    it("performs deep validation of optional fields in development", () => {
+      process.env.NODE_ENV = "development"
+
+      // Invalid integrity config
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should fail because deep validation runs in development
+      expect(isValidConfig(configWithInvalidOptional)).toBe(false)
+    })
+
+    it("performs deep validation in production with strict mode", () => {
+      process.env.NODE_ENV = "production"
+      process.env.SHAKAPACKER_STRICT_VALIDATION = "true"
+
+      // Invalid integrity config
+      const configWithInvalidOptional = {
+        ...validConfig,
+        integrity: {
+          enabled: "not-a-boolean", // Invalid type
+          cross_origin: "anonymous"
+        }
+      }
+
+      // Should fail because strict validation is enabled
+      expect(isValidConfig(configWithInvalidOptional)).toBe(false)
+    })
+  })
+})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakapacker
 version: !ruby/object:Gem::Version
-  version: 9.0.0.beta.6
+  version: 9.0.0.beta.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -147,6 +147,7 @@ files:
 - ".github/workflows/test-bundlers.yml"
 - ".gitignore"
 - ".node-version"
+- ".npmignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".yalcignore"
@@ -180,8 +181,10 @@ files:
 - docs/sprockets.md
 - docs/style_loader_vs_mini_css.md
 - docs/subresource_integrity.md
+- docs/transpiler-migration.md
 - docs/transpiler-performance.md
 - docs/troubleshooting.md
+- docs/typescript-migration.md
 - docs/typescript.md
 - docs/using_esbuild_loader.md
 - docs/using_swc_loader.md
@@ -248,15 +251,16 @@ files:
 - lib/tasks/shakapacker/verify_config.rake
 - lib/tasks/shakapacker/verify_install.rake
 - package.json
+- package/.npmignore
 - package/babel/preset.js
 - package/config.ts
 - package/dev_server.ts
 - package/env.ts
-- package/environments/base.js
 - package/environments/base.ts
-- package/environments/development.js
-- package/environments/production.js
-- package/environments/test.js
+- package/environments/development.ts
+- package/environments/production.ts
+- package/environments/test.ts
+- package/environments/types.ts
 - package/esbuild/index.js
 - package/index.d.ts
 - package/index.ts
@@ -282,13 +286,17 @@ files:
 - package/rules/webpack.js
 - package/swc/index.js
 - package/types.ts
+- package/types/README.md
+- package/types/index.ts
 - package/utils/configPath.ts
 - package/utils/debug.ts
 - package/utils/defaultConfigPath.ts
+- package/utils/errorCodes.ts
 - package/utils/errorHelpers.ts
 - package/utils/getStyleRule.ts
 - package/utils/helpers.ts
 - package/utils/inliningCss.ts
+- package/utils/pathValidation.ts
 - package/utils/requireOrError.ts
 - package/utils/snakeToCamelCase.ts
 - package/utils/typeGuards.ts
@@ -296,6 +304,7 @@ files:
 - package/webpack-types.d.ts
 - package/webpackDevServerConfig.ts
 - prettier.config.js
+- scripts/remove-use-strict.js
 - shakapacker.gemspec
 - test/helpers.js
 - test/package/config.test.js
@@ -318,9 +327,14 @@ files:
 - test/package/rules/webpack.test.js
 - test/package/staging.test.js
 - test/package/test.test.js
+- test/package/transpiler-defaults.test.js
 - test/peer-dependencies.sh
 - test/resolver.js
+- test/scripts/remove-use-strict.test.js
 - test/typescript/build.test.js
+- test/typescript/environments.test.js
+- test/typescript/pathValidation.test.js
+- test/typescript/securityValidation.test.js
 - tools/README.md
 - tools/css-modules-v9-codemod.js
 - tsconfig.json
@@ -329,7 +343,7 @@ homepage: https://github.com/shakacode/shakapacker
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/shakacode/shakapacker/tree/v9.0.0.beta.6
+  source_code_uri: https://github.com/shakacode/shakapacker/tree/v9.0.0.beta.7
 rdoc_options: []
 require_paths:
 - lib
@@ -369,6 +383,11 @@ test_files:
 - test/package/rules/webpack.test.js
 - test/package/staging.test.js
 - test/package/test.test.js
+- test/package/transpiler-defaults.test.js
 - test/peer-dependencies.sh
 - test/resolver.js
+- test/scripts/remove-use-strict.test.js
 - test/typescript/build.test.js
+- test/typescript/environments.test.js
+- test/typescript/pathValidation.test.js
+- test/typescript/securityValidation.test.js

data/package/environments/base.js

@@ -1,103 +0,0 @@
-"use strict";
-/* eslint global-require: 0 */
-/* eslint import/no-dynamic-require: 0 */
-const { basename, dirname, join, relative, resolve } = require("path");
-const { existsSync, readdirSync } = require("fs");
-const extname = require("path-complete-extname");
-const config = require("../config");
-const { isProduction } = require("../env");
-const pluginsPath = resolve(__dirname, "..", "plugins", `${config.assets_bundler}.js`);
-const { getPlugins } = require(pluginsPath);
-const rulesPath = resolve(__dirname, "..", "rules", `${config.assets_bundler}.js`);
-const rules = require(rulesPath);
-// Don't use contentHash except for production for performance
-// https://webpack.js.org/guides/build-performance/#avoid-production-specific-tooling
-const hash = isProduction || config.useContentHash ? "-[contenthash]" : "";
-const getFilesInDirectory = (dir, includeNested) => {
-    if (!existsSync(dir)) {
-        return [];
-    }
-    return readdirSync(dir, { withFileTypes: true }).flatMap((dirent) => {
-        const filePath = join(dir, dirent.name);
-        if (dirent.isDirectory() && includeNested) {
-            return getFilesInDirectory(filePath, includeNested);
-        }
-        if (dirent.isFile()) {
-            return filePath;
-        }
-        return [];
-    });
-};
-const getEntryObject = () => {
-    const entries = {};
-    const rootPath = join(config.source_path, config.source_entry_path);
-    if (config.source_entry_path === "/" && config.nested_entries) {
-        throw new Error(`Invalid Shakapacker configuration detected!\n\n` +
-            `You have set source_entry_path to '/' with nested_entries enabled.\n` +
-            `This would create webpack entry points for EVERY file in your source directory,\n` +
-            `which would severely impact build performance.\n\n` +
-            `To fix this issue, either:\n` +
-            `1. Set 'nested_entries: false' in your shakapacker.yml\n` +
-            `2. Change 'source_entry_path' to a specific subdirectory (e.g., 'packs')\n` +
-            `3. Or use both options for better organization of your entry points`);
-    }
-    getFilesInDirectory(rootPath, config.nested_entries).forEach((path) => {
-        const namespace = relative(join(rootPath), dirname(path));
-        const name = join(namespace, basename(path, extname(path)));
-        const assetPath = resolve(path);
-        // Allows for multiple filetypes per entry (https://webpack.js.org/guides/entry-advanced/)
-        // Transforms the config object value to an array with all values under the same name
-        const previousPaths = entries[name];
-        if (previousPaths) {
-            const pathArray = Array.isArray(previousPaths)
-                ? previousPaths
-                : [previousPaths];
-            pathArray.push(assetPath);
-            entries[name] = pathArray;
-        }
-        else {
-            entries[name] = assetPath;
-        }
-    });
-    return entries;
-};
-const getModulePaths = () => {
-    const result = [resolve(config.source_path)];
-    if (config.additional_paths) {
-        config.additional_paths.forEach((path) => result.push(resolve(path)));
-    }
-    result.push("node_modules");
-    return result;
-};
-const baseConfig = {
-    mode: "production",
-    output: {
-        filename: `js/[name]${hash}.js`,
-        chunkFilename: `js/[name]${hash}.chunk.js`,
-        // https://webpack.js.org/configuration/output/#outputhotupdatechunkfilename
-        hotUpdateChunkFilename: "js/[id].[fullhash].hot-update.js",
-        path: config.outputPath,
-        publicPath: config.publicPath,
-        // This is required for SRI to work.
-        crossOriginLoading: config.integrity && config.integrity.enabled
-            ? config.integrity.cross_origin
-            : false
-    },
-    entry: getEntryObject(),
-    resolve: {
-        extensions: [".js", ".jsx", ".mjs", ".ts", ".tsx", ".coffee"],
-        modules: getModulePaths()
-    },
-    plugins: getPlugins(),
-    resolveLoader: {
-        modules: ["node_modules"]
-    },
-    optimization: {
-        splitChunks: { chunks: "all" },
-        runtimeChunk: "single"
-    },
-    module: {
-        rules
-    }
-};
-module.exports = baseConfig;

data/package/environments/test.js

@@ -1,19 +0,0 @@
-const { merge } = require("webpack-merge")
-const config = require("../config")
-const baseConfig = require("./base")
-
-const rspackTestConfig = () => ({
-  mode: "development",
-  devtool: "cheap-module-source-map",
-  // Disable file watching in test mode
-  watchOptions: {
-    ignored: /node_modules/
-  }
-})
-
-const webpackTestConfig = () => ({})
-
-const bundlerConfig =
-  config.assets_bundler === "rspack" ? rspackTestConfig() : webpackTestConfig()
-
-module.exports = merge(baseConfig, bundlerConfig)