shakapacker 9.3.0.beta.7 → 9.3.1

data/package/configExporter/buildValidator.ts

@@ -1,6 +1,6 @@
 import { spawn } from "child_process"
 import { existsSync } from "fs"
-import { resolve, relative, sep } from "path"
+import { resolve, relative } from "path"
 import { ResolvedBuildConfig, BuildValidationResult } from "./types"
 
 export interface ValidatorOptions {
@@ -173,7 +173,7 @@ export class BuildValidator {
    * @returns The resolved absolute path to the config file
    * @throws Error if the config file does not exist or is outside appRoot
    */
-  private validateConfigPath(
+  private static validateConfigPath(
     configFile: string,
     appRoot: string,
     buildName: string
@@ -222,7 +222,7 @@ export class BuildValidator {
     const isHMR =
       build.environment.WEBPACK_SERVE === "true" ||
       build.environment.HMR === "true"
-    const bundler = build.bundler
+    const { bundler } = build
 
     if (isHMR) {
       return this.validateHMRBuild(build, appRoot, bundler)
@@ -273,7 +273,7 @@ export class BuildValidator {
     // Add config file if specified
     if (build.configFile) {
       try {
-        const configPath = this.validateConfigPath(
+        const configPath = BuildValidator.validateConfigPath(
           build.configFile,
           appRoot,
           build.name
@@ -301,7 +301,7 @@ export class BuildValidator {
       args.push(...build.bundlerEnvArgs)
     }
 
-    return new Promise((resolve) => {
+    return new Promise((resolvePromise) => {
       const child = spawn(devServerBin, args, {
         cwd: appRoot,
         env: this.filterEnvironment(build.environment),
@@ -316,7 +316,7 @@ export class BuildValidator {
       const resolveOnce = (res: BuildValidationResult) => {
         if (!resolved) {
           resolved = true
-          resolve(res)
+          resolvePromise(res)
         }
       }
 
@@ -397,8 +397,8 @@ export class BuildValidator {
         })
       }
 
-      child.stdout?.on("data", (data) => processOutput(data))
-      child.stderr?.on("data", (data) => processOutput(data))
+      child.stdout?.on("data", (data: Buffer) => processOutput(data))
+      child.stderr?.on("data", (data: Buffer) => processOutput(data))
 
       child.on("exit", (code) => {
         clearTimeout(timeoutId)
@@ -428,7 +428,7 @@ export class BuildValidator {
 
         // Check for specific error codes and provide actionable guidance
         if ("code" in err) {
-          const code = (err as NodeJS.ErrnoException).code
+          const { code } = err as NodeJS.ErrnoException
           if (code === "ENOENT") {
             errorMessage += `. Binary not found. Install with: npm install -D ${devServerCmd}`
           } else if (code === "EMFILE" || code === "ENFILE") {
@@ -484,7 +484,7 @@ export class BuildValidator {
     // Add config file if specified
     if (build.configFile) {
       try {
-        const configPath = this.validateConfigPath(
+        const configPath = BuildValidator.validateConfigPath(
           build.configFile,
           appRoot,
           build.name
@@ -515,7 +515,7 @@ export class BuildValidator {
     // Add --json for structured output (helps parse errors)
     args.push("--json")
 
-    return new Promise((resolve) => {
+    return new Promise((resolvePromise) => {
       const child = spawn(bundlerBin, args, {
         cwd: appRoot,
         env: this.filterEnvironment(build.environment),
@@ -534,7 +534,7 @@ export class BuildValidator {
           `Timeout: ${bundler} did not complete within ${this.options.timeout}ms.`
         )
         child.kill("SIGTERM")
-        resolve(result)
+        resolvePromise(result)
       }, this.options.timeout)
 
       child.stdout?.on("data", (data: Buffer) => {
@@ -603,7 +603,7 @@ export class BuildValidator {
 
         // Parse JSON output
         try {
-          const jsonOutput: WebpackJsonOutput = JSON.parse(stdoutData)
+          const jsonOutput = JSON.parse(stdoutData) as WebpackJsonOutput
 
           // Extract output path if available
           if (jsonOutput.outputPath) {
@@ -613,10 +613,22 @@ export class BuildValidator {
           // Check for errors in webpack/rspack JSON output
           if (jsonOutput.errors && jsonOutput.errors.length > 0) {
             jsonOutput.errors.forEach((error) => {
-              const errorMsg =
-                typeof error === "string"
-                  ? error
-                  : error.message || String(error)
+              let errorMsg: string
+              if (typeof error === "string") {
+                errorMsg = error
+              } else if (error.message) {
+                errorMsg = error.message
+              } else {
+                // Attempt to extract useful info from malformed error using all enumerable props
+                try {
+                  errorMsg = JSON.stringify(
+                    error,
+                    Object.getOwnPropertyNames(error)
+                  )
+                } catch {
+                  errorMsg = "[Error object with no message]"
+                }
+              }
               result.errors.push(errorMsg)
               // Also add to output for visibility
               if (!this.options.verbose) {
@@ -628,10 +640,22 @@ export class BuildValidator {
           // Check for warnings
           if (jsonOutput.warnings && jsonOutput.warnings.length > 0) {
             jsonOutput.warnings.forEach((warning) => {
-              const warningMsg =
-                typeof warning === "string"
-                  ? warning
-                  : warning.message || String(warning)
+              let warningMsg: string
+              if (typeof warning === "string") {
+                warningMsg = warning
+              } else if (warning.message) {
+                warningMsg = warning.message
+              } else {
+                // Attempt to extract useful info from malformed warning using all enumerable props
+                try {
+                  warningMsg = JSON.stringify(
+                    warning,
+                    Object.getOwnPropertyNames(warning)
+                  )
+                } catch {
+                  warningMsg = "[Warning object with no message]"
+                }
+              }
               result.warnings.push(warningMsg)
             })
           }
@@ -683,7 +707,7 @@ export class BuildValidator {
           result.output.push(stderrData)
         }
 
-        resolve(result)
+        resolvePromise(result)
       })
 
       child.on("error", (err) => {
@@ -693,7 +717,7 @@ export class BuildValidator {
 
         // Check for specific error codes and provide actionable guidance
         if ("code" in err) {
-          const code = (err as NodeJS.ErrnoException).code
+          const { code } = err as NodeJS.ErrnoException
           if (code === "ENOENT") {
             errorMessage += `. Binary not found. Install with: npm install -D ${bundler}`
           } else if (code === "EMFILE" || code === "ENFILE") {
@@ -704,7 +728,7 @@ export class BuildValidator {
         }
 
         result.errors.push(errorMessage)
-        resolve(result)
+        resolvePromise(result)
       })
     })
   }
@@ -776,19 +800,19 @@ export class BuildValidator {
   formatResults(results: BuildValidationResult[]): string {
     const lines: string[] = []
 
-    lines.push("\n" + "=".repeat(80))
+    lines.push(`\n${"=".repeat(80)}`)
     lines.push("🔍 Build Validation Results")
-    lines.push("=".repeat(80) + "\n")
+    lines.push(`${"=".repeat(80)}\n`)
 
-    let totalBuilds = results.length
+    const totalBuilds = results.length
     let successCount = 0
     let failureCount = 0
 
     results.forEach((result) => {
       if (result.success) {
-        successCount++
+        successCount += 1
       } else {
-        failureCount++
+        failureCount += 1
       }
 
       const icon = result.success ? "✅" : "❌"

data/package/configExporter/cli.ts

@@ -1,35 +1,40 @@
 // This will be a substantial file - the main CLI entry point
-// Migrating from bin/export-bundler-config but streamlined for TypeScript
+// Originally migrated from bin/export-bundler-config, now bin/shakapacker-config
 
 import { existsSync, readFileSync, writeFileSync } from "fs"
 import { resolve, dirname, sep, delimiter, basename } from "path"
 import { inspect } from "util"
 import { load as loadYaml } from "js-yaml"
 import yargs from "yargs"
-import { ExportOptions, ConfigMetadata, FileOutput } from "./types"
+import {
+  ExportOptions,
+  ConfigMetadata,
+  FileOutput,
+  BUILD_ENV_VARS,
+  isBuildEnvVar,
+  isDangerousEnvVar,
+  DEFAULT_EXPORT_DIR,
+  DEFAULT_CONFIG_FILE
+} from "./types"
 import { YamlSerializer } from "./yamlSerializer"
 import { FileWriter } from "./fileWriter"
 import { ConfigFileLoader, generateSampleConfigFile } from "./configFile"
 import { BuildValidator } from "./buildValidator"
+import { safeResolvePath } from "../utils/pathValidation"
 
 // Read version from package.json
-const packageJson = JSON.parse(
-  readFileSync(resolve(__dirname, "../../package.json"), "utf8")
-)
-const VERSION = packageJson.version
-
-/**
- * Environment variable names that can be set by build configurations
- */
-const BUILD_ENV_VARS = [
-  "NODE_ENV",
-  "RAILS_ENV",
-  "NODE_OPTIONS",
-  "BABEL_ENV",
-  "WEBPACK_SERVE",
-  "CLIENT_BUNDLE_ONLY",
-  "SERVER_BUNDLE_ONLY"
-] as const
+let VERSION = "unknown"
+try {
+  const packageJson = JSON.parse(
+    readFileSync(resolve(__dirname, "../../package.json"), "utf8")
+  ) as { version?: string }
+  VERSION = packageJson.version || "unknown"
+} catch (error) {
+  console.warn(
+    "Could not read version from package.json:",
+    error instanceof Error ? error.message : String(error)
+  )
+}
 
 /**
  * Saves current values of build environment variables for later restoration
@@ -103,6 +108,15 @@ export async function run(args: string[]): Promise<number> {
     // Apply defaults
     const resolvedOptions = applyDefaults(options)
 
+    // Validate paths for security AFTER defaults are applied
+    // Use safeResolvePath which validates and resolves symlinks
+    if (resolvedOptions.output) {
+      safeResolvePath(appRoot, resolvedOptions.output)
+    }
+    if (resolvedOptions.saveDir) {
+      safeResolvePath(appRoot, resolvedOptions.saveDir)
+    }
+
     // Validate after defaults are applied
     if (resolvedOptions.annotate && resolvedOptions.format !== "yaml") {
       throw new Error(
@@ -114,8 +128,7 @@ export async function run(args: string[]): Promise<number> {
     if (resolvedOptions.build) {
       const loader = new ConfigFileLoader(resolvedOptions.configFile)
       if (!loader.exists()) {
-        const configPath =
-          resolvedOptions.configFile || "config/shakapacker-builds.yml"
+        const configPath = resolvedOptions.configFile || DEFAULT_CONFIG_FILE
         throw new Error(
           `--build requires a config file but ${configPath} not found. Run --init to create it.`
         )
@@ -144,7 +157,7 @@ export async function run(args: string[]): Promise<number> {
   }
 }
 
-function parseArguments(args: string[]): ExportOptions {
+export function parseArguments(args: string[]): ExportOptions {
   const argv = yargs(args)
     .version(VERSION)
     .usage(
@@ -164,8 +177,7 @@ QUICK START (for troubleshooting):
     .option("init", {
       type: "boolean",
       default: false,
-      description:
-        "Generate config/shakapacker-builds.yml (use with --ssr for SSR builds)"
+      description: `Generate ${DEFAULT_CONFIG_FILE} (use with --ssr for SSR builds)`
     })
     .option("ssr", {
       type: "boolean",
@@ -188,8 +200,7 @@ QUICK START (for troubleshooting):
     })
     .option("config-file", {
       type: "string",
-      description:
-        "Path to config file (default: config/shakapacker-builds.yml)"
+      description: `Path to config file (default: ${DEFAULT_CONFIG_FILE})`
     })
     // Validation Options
     .option("validate", {
@@ -235,11 +246,26 @@ QUICK START (for troubleshooting):
         "Enable inline documentation (YAML only, default with --doctor or file output)"
     })
     .option("depth", {
-      type: "number",
+      // Note: type omitted to allow string "null" (yargs would reject it).
+      // Coerce function handles validation for both numbers and "null".
       default: 20,
       coerce: (value: number | string) => {
+        // Handle "null" string for unlimited depth
         if (value === "null" || value === null) return null
-        return typeof value === "number" ? value : parseInt(String(value), 10)
+
+        // Reject non-numeric types (arrays, objects, etc.)
+        if (typeof value !== "number" && typeof value !== "string") {
+          throw new Error(
+            `--depth must be a number or 'null', got: ${typeof value}`
+          )
+        }
+
+        const parsed =
+          typeof value === "number" ? value : parseInt(String(value), 10)
+        if (Number.isNaN(parsed)) {
+          throw new Error(`--depth must be a number or 'null', got: ${value}`)
+        }
+        return parsed
       },
       description: "Inspection depth (use 'null' for unlimited)"
     })
@@ -283,43 +309,61 @@ QUICK START (for troubleshooting):
       description:
         "Generate only server config (fallback when no config file exists)"
     })
-    .check((argv) => {
-      if (argv.webpack && argv.rspack) {
+    .check((parsedArgs) => {
+      if (parsedArgs.webpack && parsedArgs.rspack) {
         throw new Error(
           "--webpack and --rspack are mutually exclusive. Please specify only one."
         )
       }
-      if (argv["client-only"] && argv["server-only"]) {
+      if (parsedArgs["client-only"] && parsedArgs["server-only"]) {
         throw new Error(
           "--client-only and --server-only are mutually exclusive. Please specify only one."
         )
       }
-      if (argv.output && argv["save-dir"]) {
+      if (parsedArgs.output && parsedArgs["save-dir"]) {
         throw new Error(
           "--output and --save-dir are mutually exclusive. Use one or the other."
         )
       }
-      if (argv.stdout && argv["save-dir"]) {
+      if (parsedArgs.stdout && parsedArgs["save-dir"]) {
         throw new Error(
           "--stdout and --save-dir are mutually exclusive. Use one or the other."
         )
       }
-      if (argv.build && argv["all-builds"]) {
+      if (parsedArgs.build && parsedArgs["all-builds"]) {
         throw new Error(
           "--build and --all-builds are mutually exclusive. Use one or the other."
         )
       }
-      if (argv.validate && argv["validate-build"]) {
+      if (parsedArgs.validate && parsedArgs["validate-build"]) {
         throw new Error(
           "--validate and --validate-build are mutually exclusive. Use one or the other."
         )
       }
-      if (argv.validate && (argv.build || argv["all-builds"])) {
+      if (
+        parsedArgs.validate &&
+        (parsedArgs.build || parsedArgs["all-builds"])
+      ) {
         throw new Error(
           "--validate cannot be used with --build or --all-builds."
         )
       }
-      if (argv.ssr && !argv.init) {
+      if (parsedArgs["all-builds"] && parsedArgs.output) {
+        throw new Error(
+          "--all-builds and --output are mutually exclusive. Use --save-dir instead."
+        )
+      }
+      if (parsedArgs["all-builds"] && parsedArgs.stdout) {
+        throw new Error(
+          "--all-builds and --stdout are mutually exclusive. Use --save-dir instead."
+        )
+      }
+      if (parsedArgs.stdout && parsedArgs.output) {
+        throw new Error(
+          "--stdout and --output are mutually exclusive. Use one or the other."
+        )
+      }
+      if (parsedArgs.ssr && !parsedArgs.init) {
         throw new Error(
           "--ssr can only be used with --init. Use: bin/shakapacker-config --init --ssr"
         )
@@ -358,21 +402,18 @@ QUICK START (for troubleshooting):
 
   // Type assertions are safe here because yargs validates choices at runtime
   // Handle --webpack and --rspack flags
-  let bundler: "webpack" | "rspack" | undefined = argv.bundler as
-    | "webpack"
-    | "rspack"
-    | undefined
+  let { bundler } = argv
   if (argv.webpack) bundler = "webpack"
   if (argv.rspack) bundler = "rspack"
 
   return {
     bundler,
-    env: argv.env as "development" | "production" | "test" | undefined,
+    env: argv.env,
     clientOnly: argv["client-only"],
     serverOnly: argv["server-only"],
     output: argv.output,
-    depth: argv.depth as number | null,
-    format: argv.format as "yaml" | "json" | "inspect" | undefined,
+    depth: argv.depth,
+    format: argv.format,
     help: false, // yargs handles help internally
     verbose: argv.verbose,
     doctor: argv.doctor,
@@ -411,17 +452,14 @@ function applyDefaults(options: ExportOptions): ExportOptions {
     !updatedOptions.output &&
     !updatedOptions.saveDir
   ) {
-    updatedOptions.saveDir = resolve(
-      process.cwd(),
-      "shakapacker-config-exports"
-    )
+    updatedOptions.saveDir = resolve(process.cwd(), DEFAULT_EXPORT_DIR)
   }
 
   return updatedOptions
 }
 
 function runInitCommand(options: ExportOptions): number {
-  const configPath = options.configFile || "config/shakapacker-builds.yml"
+  const configPath = options.configFile || DEFAULT_CONFIG_FILE
   const fullPath = resolve(process.cwd(), configPath)
 
   // Check if SSR variant is requested via --ssr flag
@@ -504,7 +542,7 @@ end
   // Make executable
   try {
     chmodSync(binStubPath, 0o755)
-  } catch (e) {
+  } catch (_e) {
     // chmod might fail on some systems, but mode in writeFileSync should handle it
   }
 }
@@ -528,7 +566,7 @@ async function runValidateCommand(options: ExportOptions): Promise<number> {
     // Validate that config file exists
     const loader = new ConfigFileLoader(options.configFile)
     if (!loader.exists()) {
-      const configPath = options.configFile || "config/shakapacker-builds.yml"
+      const configPath = options.configFile || DEFAULT_CONFIG_FILE
       throw new Error(
         `Config file ${configPath} not found. Run --init to create it.`
       )
@@ -561,7 +599,7 @@ async function runValidateCommand(options: ExportOptions): Promise<number> {
       // Handle empty builds edge case
       if (buildsToValidate.length === 0) {
         throw new Error(
-          `No builds found in config file. Add at least one build to config/shakapacker-builds.yml or run --init to see examples.`
+          `No builds found in config file. Add at least one build to ${DEFAULT_CONFIG_FILE} or run --init to see examples.`
         )
       }
     }
@@ -611,6 +649,7 @@ async function runValidateCommand(options: ExportOptions): Promise<number> {
         "development"
 
       // Auto-detect bundler using the build's environment
+      // eslint-disable-next-line no-await-in-loop -- Sequential execution required: each build modifies shared global state (env vars, config cache) that must be cleared/restored between iterations
       const defaultBundler = await autoDetectBundler(
         buildEnv,
         appRoot,
@@ -625,6 +664,7 @@ async function runValidateCommand(options: ExportOptions): Promise<number> {
       )
 
       // Validate the build
+      // eslint-disable-next-line no-await-in-loop -- Sequential execution required: each build modifies shared global state (env vars, config cache) that must be cleared/restored between iterations
       const result = await validator.validateBuild(resolvedBuild, appRoot)
       results.push(result)
 
@@ -674,8 +714,7 @@ async function runAllBuildsCommand(options: ExportOptions): Promise<number> {
 
     const loader = new ConfigFileLoader(resolvedOptions.configFile)
     if (!loader.exists()) {
-      const configPath =
-        resolvedOptions.configFile || "config/shakapacker-builds.yml"
+      const configPath = resolvedOptions.configFile || DEFAULT_CONFIG_FILE
       throw new Error(
         `Config file ${configPath} not found. Run --init to create it.`
       )
@@ -704,6 +743,7 @@ async function runAllBuildsCommand(options: ExportOptions): Promise<number> {
 
       // Create a modified options object for this build
       const buildOptions = { ...resolvedOptions, build: buildName }
+      // eslint-disable-next-line no-await-in-loop -- Sequential execution required: each build modifies shared global state (env vars, config cache) that must be cleared/restored between iterations
       const configs = await loadConfigsForEnv(undefined, buildOptions, appRoot)
 
       for (const { config: cfg, metadata } of configs) {
@@ -762,7 +802,7 @@ async function runDoctorMode(
     const createdFiles: string[] = []
 
     // Check if config file exists - always use it for doctor mode
-    const configFilePath = options.configFile || "config/shakapacker-builds.yml"
+    const configFilePath = options.configFile || DEFAULT_CONFIG_FILE
     const loader = new ConfigFileLoader(configFilePath)
 
     if (loader.exists()) {
@@ -783,6 +823,7 @@ async function runDoctorMode(
           // Clear shakapacker config cache between builds
           shakapackerConfigCache = null
 
+          // eslint-disable-next-line no-await-in-loop -- Sequential execution required: each build modifies shared global state (env vars, config cache) that must be cleared/restored between iterations
           const configs = await loadConfigsForEnv(
             undefined,
             { ...options, build: buildName },
@@ -850,6 +891,7 @@ async function runDoctorMode(
         process.env.WEBPACK_SERVE = "true"
       }
 
+      // eslint-disable-next-line no-await-in-loop -- Sequential execution required: each config modifies shared global state (env vars, config cache) that must be cleared/restored between iterations
       const configs = await loadConfigsForEnv(env, options, appRoot)
 
       for (const { config, metadata } of configs) {
@@ -888,7 +930,6 @@ async function runDoctorMode(
         }
 
         const fullPath = resolve(targetDir, filename)
-        const fileOutput: FileOutput = { filename, content: output, metadata }
         FileWriter.writeSingleFile(fullPath, output)
         createdFiles.push(fullPath)
       }
@@ -1054,15 +1095,6 @@ async function loadConfigsForEnv(
 
     // Set environment variables from config
     // Security: Only allow specific environment variables to prevent malicious configs
-    const DANGEROUS_ENV_VARS = [
-      "PATH",
-      "HOME",
-      "LD_PRELOAD",
-      "LD_LIBRARY_PATH",
-      "DYLD_LIBRARY_PATH",
-      "DYLD_INSERT_LIBRARIES"
-    ]
-
     if (options.verbose) {
       console.log(
         `[Config Exporter] Setting environment variables from build config...`
@@ -1070,23 +1102,21 @@ async function loadConfigsForEnv(
     }
 
     for (const [key, value] of Object.entries(resolvedBuild.environment)) {
-      if (DANGEROUS_ENV_VARS.includes(key)) {
+      if (isDangerousEnvVar(key)) {
         console.warn(
           `[Config Exporter] Warning: Skipping dangerous environment variable: ${key}`
         )
-        continue
-      }
-      if (!(BUILD_ENV_VARS as readonly string[]).includes(key)) {
+      } else if (!isBuildEnvVar(key)) {
         console.warn(
           `[Config Exporter] Warning: Skipping non-whitelisted environment variable: ${key}. ` +
             `Allowed variables are: ${BUILD_ENV_VARS.join(", ")}`
         )
-        continue
-      }
-      if (options.verbose) {
-        console.log(`[Config Exporter]   ${key}=${value}`)
+      } else {
+        if (options.verbose) {
+          console.log(`[Config Exporter]   ${key}=${value}`)
+        }
+        process.env[key] = value
       }
-      process.env[key] = value
     }
 
     // Determine final env: CLI flag > build config NODE_ENV > default
@@ -1168,7 +1198,7 @@ async function loadConfigsForEnv(
   if (configFile.endsWith(".ts")) {
     try {
       require("ts-node/register/transpile-only")
-    } catch (error) {
+    } catch (_error) {
       throw new Error(
         "TypeScript config detected but ts-node is not available. " +
           "Install ts-node as a dev dependency: npm install --save-dev ts-node"
@@ -1605,7 +1635,7 @@ function loadShakapackerConfig(
 
       return result
     }
-  } catch (error: unknown) {
+  } catch (_error: unknown) {
     console.warn(
       `[Config Exporter] Error loading shakapacker config, defaulting to webpack`
     )