@commercetools-frontend/application-config 25.1.0 → 25.2.0

package/dist/commercetools-frontend-application-config.cjs.dev.js

@@ -31,12 +31,13 @@ var _possibleConstructorReturn = require('@babel/runtime-corejs3/helpers/possibl
 var _getPrototypeOf = require('@babel/runtime-corejs3/helpers/getPrototypeOf');
 var _inherits = require('@babel/runtime-corejs3/helpers/inherits');
 var _wrapNativeSuper = require('@babel/runtime-corejs3/helpers/wrapNativeSuper');
+var _startsWithInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/starts-with');
 var _trimInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/trim');
 var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/stringify');
-var _startsWithInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/starts-with');
+var path$1 = require('path');
 var _reduceInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
 var _bindInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/bind');
-var formatters = require('./formatters-a76b45b9.cjs.dev.js');
+var formatters = require('./formatters-5a68b5ac.cjs.dev.js');
 var _Set = require('@babel/runtime-corejs3/core-js-stable/set');
 var _Array$isArray = require('@babel/runtime-corejs3/core-js-stable/array/is-array');
 var Ajv = require('ajv');
@@ -67,9 +68,10 @@ var _mapInstanceProperty__default = /*#__PURE__*/_interopDefault(_mapInstancePro
 var _parseInt__default = /*#__PURE__*/_interopDefault(_parseInt);
 var fs__default = /*#__PURE__*/_interopDefault(fs);
 var _Reflect$construct__default = /*#__PURE__*/_interopDefault(_Reflect$construct);
+var _startsWithInstanceProperty__default = /*#__PURE__*/_interopDefault(_startsWithInstanceProperty);
 var _trimInstanceProperty__default = /*#__PURE__*/_interopDefault(_trimInstanceProperty);
 var _JSON$stringify__default = /*#__PURE__*/_interopDefault(_JSON$stringify);
-var _startsWithInstanceProperty__default = /*#__PURE__*/_interopDefault(_startsWithInstanceProperty);
+var path__default$1 = /*#__PURE__*/_interopDefault(path$1);
 var _reduceInstanceProperty__default = /*#__PURE__*/_interopDefault(_reduceInstanceProperty);
 var _bindInstanceProperty__default = /*#__PURE__*/_interopDefault(_bindInstanceProperty);
 var _Set__default = /*#__PURE__*/_interopDefault(_Set);
@@ -218,6 +220,11 @@ const variableSyntax = /\${([ ~:\w.'",\-/()@]+?)}/g;
 const envRefSyntax = /^env:/g;
 const intlRefSyntax = /^intl:/g;
 const filePathRefSyntax = /^path:/g;
+
+// Safe regex pattern escaping function
+const escapeRegExp = string => {
+  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+};
 const hasVariablePlaceholder = valueOfEnvConfig => typeof valueOfEnvConfig === 'string' &&
 // Using `{regex}.test()` might cause false positives if called multiple
 // times on a global regular expression:
@@ -237,8 +244,7 @@ const substituteEnvVariablePlaceholder = (valueOfPlaceholder, matchedString, val
   if (!hasEnvField) {
     throw new Error(`Missing environment variable '${requestedEnvVar}' specified in config as 'env:${requestedEnvVar}'.`);
   }
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), loadingOptions.processEnv[requestedEnvVar]);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), loadingOptions.processEnv[requestedEnvVar]);
 };
 const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s3 = valueOfPlaceholder.split(':'),
@@ -255,43 +261,77 @@ const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, va
   }
   const translation = translations[requestedIntlMessageId];
   const translationValue = isStructuredJson(translation) ? translation.string : translation;
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), translationValue);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), translationValue);
 };
 const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
-  const content = fs__default$1["default"].readFileSync(require.resolve(filePathOrModule, {
-    // Relative paths should be resolved from the application folder.
+  const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
-  }), {
+  });
+
+  // Security check: Prevent path traversal attacks.
+  // require.resolve() already provides protection by only resolving modules
+  // accessible from the applicationPath. However, we add an extra layer to
+  // prevent access to sensitive system files outside the workspace.
+  const normalizedPath = path__default$1["default"].normalize(resolvedPath);
+  const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
+
+  // Find workspace root by traversing up from applicationPath until we find
+  // package.json, pnpm-workspace.yaml, or reach root
+  let workspaceRoot = applicationPath;
+  let currentPath = applicationPath;
+  const rootPath = path__default$1["default"].parse(currentPath).root;
+  while (currentPath !== rootPath) {
+    const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
+    const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
+    if (hasPackageJson) {
+      workspaceRoot = currentPath;
+      if (hasWorkspaceConfig) {
+        // Found workspace root
+        break;
+      }
+    }
+    currentPath = path__default$1["default"].dirname(currentPath);
+  }
+  const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
+
+  // Path is safe if it's within the workspace root.
+  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+  const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
+  if (!isSafePath) {
+    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
+  }
+  const content = fs__default$1["default"].readFileSync(normalizedPath, {
     encoding: 'utf-8'
   });
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), content);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), content);
 };
 const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default["default"](varName).call(varName)).replace(/\s/g, '');
-const substituteVariablePlaceholders = (config, loadingOptions) => JSON.parse(_JSON$stringify__default["default"](config), (_key, value) => {
-  // Only strings are allowed
-  let substitutedValue = value;
-  if (hasVariablePlaceholder(substitutedValue)) {
-    const matchResult = substitutedValue.match(variableSyntax);
-    if (matchResult) {
-      _forEachInstanceProperty__default["default"](matchResult).call(matchResult, matchedString => {
-        const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
-        if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        }
-      });
+const substituteVariablePlaceholders = (config, loadingOptions) => {
+  const result = JSON.parse(_JSON$stringify__default["default"](config), (_key, value) => {
+    // Only strings are allowed
+    let substitutedValue = value;
+    if (hasVariablePlaceholder(substitutedValue)) {
+      const matchResult = substitutedValue.match(variableSyntax);
+      if (matchResult) {
+        _forEachInstanceProperty__default["default"](matchResult).call(matchResult, matchedString => {
+          const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
+          if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          }
+        });
+      }
     }
-  }
-  return substitutedValue;
-});
+    return substitutedValue;
+  });
+  return result;
+};
 
 var customApplicationSchemaJson = {
 	$schema: "http://json-schema.org/draft-07/schema",

package/dist/commercetools-frontend-application-config.cjs.prod.js

@@ -31,12 +31,13 @@ var _possibleConstructorReturn = require('@babel/runtime-corejs3/helpers/possibl
 var _getPrototypeOf = require('@babel/runtime-corejs3/helpers/getPrototypeOf');
 var _inherits = require('@babel/runtime-corejs3/helpers/inherits');
 var _wrapNativeSuper = require('@babel/runtime-corejs3/helpers/wrapNativeSuper');
+var _startsWithInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/starts-with');
 var _trimInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/trim');
 var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/stringify');
-var _startsWithInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/starts-with');
+var path$1 = require('path');
 var _reduceInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
 var _bindInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/bind');
-var formatters = require('./formatters-7f327585.cjs.prod.js');
+var formatters = require('./formatters-4515015b.cjs.prod.js');
 var _Set = require('@babel/runtime-corejs3/core-js-stable/set');
 var _Array$isArray = require('@babel/runtime-corejs3/core-js-stable/array/is-array');
 var Ajv = require('ajv');
@@ -67,9 +68,10 @@ var _mapInstanceProperty__default = /*#__PURE__*/_interopDefault(_mapInstancePro
 var _parseInt__default = /*#__PURE__*/_interopDefault(_parseInt);
 var fs__default = /*#__PURE__*/_interopDefault(fs);
 var _Reflect$construct__default = /*#__PURE__*/_interopDefault(_Reflect$construct);
+var _startsWithInstanceProperty__default = /*#__PURE__*/_interopDefault(_startsWithInstanceProperty);
 var _trimInstanceProperty__default = /*#__PURE__*/_interopDefault(_trimInstanceProperty);
 var _JSON$stringify__default = /*#__PURE__*/_interopDefault(_JSON$stringify);
-var _startsWithInstanceProperty__default = /*#__PURE__*/_interopDefault(_startsWithInstanceProperty);
+var path__default$1 = /*#__PURE__*/_interopDefault(path$1);
 var _reduceInstanceProperty__default = /*#__PURE__*/_interopDefault(_reduceInstanceProperty);
 var _bindInstanceProperty__default = /*#__PURE__*/_interopDefault(_bindInstanceProperty);
 var _Set__default = /*#__PURE__*/_interopDefault(_Set);
@@ -218,6 +220,11 @@ const variableSyntax = /\${([ ~:\w.'",\-/()@]+?)}/g;
 const envRefSyntax = /^env:/g;
 const intlRefSyntax = /^intl:/g;
 const filePathRefSyntax = /^path:/g;
+
+// Safe regex pattern escaping function
+const escapeRegExp = string => {
+  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+};
 const hasVariablePlaceholder = valueOfEnvConfig => typeof valueOfEnvConfig === 'string' &&
 // Using `{regex}.test()` might cause false positives if called multiple
 // times on a global regular expression:
@@ -237,8 +244,7 @@ const substituteEnvVariablePlaceholder = (valueOfPlaceholder, matchedString, val
   if (!hasEnvField) {
     throw new Error(`Missing environment variable '${requestedEnvVar}' specified in config as 'env:${requestedEnvVar}'.`);
   }
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), loadingOptions.processEnv[requestedEnvVar]);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), loadingOptions.processEnv[requestedEnvVar]);
 };
 const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s3 = valueOfPlaceholder.split(':'),
@@ -255,43 +261,77 @@ const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, va
   }
   const translation = translations[requestedIntlMessageId];
   const translationValue = isStructuredJson(translation) ? translation.string : translation;
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), translationValue);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), translationValue);
 };
 const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
-  const content = fs__default$1["default"].readFileSync(require.resolve(filePathOrModule, {
-    // Relative paths should be resolved from the application folder.
+  const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
-  }), {
+  });
+
+  // Security check: Prevent path traversal attacks.
+  // require.resolve() already provides protection by only resolving modules
+  // accessible from the applicationPath. However, we add an extra layer to
+  // prevent access to sensitive system files outside the workspace.
+  const normalizedPath = path__default$1["default"].normalize(resolvedPath);
+  const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
+
+  // Find workspace root by traversing up from applicationPath until we find
+  // package.json, pnpm-workspace.yaml, or reach root
+  let workspaceRoot = applicationPath;
+  let currentPath = applicationPath;
+  const rootPath = path__default$1["default"].parse(currentPath).root;
+  while (currentPath !== rootPath) {
+    const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
+    const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
+    if (hasPackageJson) {
+      workspaceRoot = currentPath;
+      if (hasWorkspaceConfig) {
+        // Found workspace root
+        break;
+      }
+    }
+    currentPath = path__default$1["default"].dirname(currentPath);
+  }
+  const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
+
+  // Path is safe if it's within the workspace root.
+  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+  const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
+  if (!isSafePath) {
+    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
+  }
+  const content = fs__default$1["default"].readFileSync(normalizedPath, {
     encoding: 'utf-8'
   });
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), content);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), content);
 };
 const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default["default"](varName).call(varName)).replace(/\s/g, '');
-const substituteVariablePlaceholders = (config, loadingOptions) => JSON.parse(_JSON$stringify__default["default"](config), (_key, value) => {
-  // Only strings are allowed
-  let substitutedValue = value;
-  if (hasVariablePlaceholder(substitutedValue)) {
-    const matchResult = substitutedValue.match(variableSyntax);
-    if (matchResult) {
-      _forEachInstanceProperty__default["default"](matchResult).call(matchResult, matchedString => {
-        const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
-        if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        }
-      });
+const substituteVariablePlaceholders = (config, loadingOptions) => {
+  const result = JSON.parse(_JSON$stringify__default["default"](config), (_key, value) => {
+    // Only strings are allowed
+    let substitutedValue = value;
+    if (hasVariablePlaceholder(substitutedValue)) {
+      const matchResult = substitutedValue.match(variableSyntax);
+      if (matchResult) {
+        _forEachInstanceProperty__default["default"](matchResult).call(matchResult, matchedString => {
+          const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
+          if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          }
+        });
+      }
     }
-  }
-  return substitutedValue;
-});
+    return substitutedValue;
+  });
+  return result;
+};
 
 var customApplicationSchemaJson = {
 	$schema: "http://json-schema.org/draft-07/schema",

package/dist/commercetools-frontend-application-config.esm.js

@@ -28,12 +28,13 @@ import _possibleConstructorReturn from '@babel/runtime-corejs3/helpers/esm/possi
 import _getPrototypeOf from '@babel/runtime-corejs3/helpers/esm/getPrototypeOf';
 import _inherits from '@babel/runtime-corejs3/helpers/esm/inherits';
 import _wrapNativeSuper from '@babel/runtime-corejs3/helpers/esm/wrapNativeSuper';
+import _startsWithInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/starts-with';
 import _trimInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/trim';
 import _JSON$stringify from '@babel/runtime-corejs3/core-js-stable/json/stringify';
-import _startsWithInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/starts-with';
+import path$1 from 'path';
 import _reduceInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/reduce';
 import _bindInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/bind';
-import { f as formatEntryPointUriPathToResourceAccessKey, e as entryPointUriPathToResourceAccesses } from './formatters-882eafa8.esm.js';
+import { f as formatEntryPointUriPathToResourceAccessKey, e as entryPointUriPathToResourceAccesses } from './formatters-5629a23b.esm.js';
 import _Set from '@babel/runtime-corejs3/core-js-stable/set';
 import _Array$isArray from '@babel/runtime-corejs3/core-js-stable/array/is-array';
 import Ajv from 'ajv';
@@ -183,6 +184,11 @@ const variableSyntax = /\${([ ~:\w.'",\-/()@]+?)}/g;
 const envRefSyntax = /^env:/g;
 const intlRefSyntax = /^intl:/g;
 const filePathRefSyntax = /^path:/g;
+
+// Safe regex pattern escaping function
+const escapeRegExp = string => {
+  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+};
 const hasVariablePlaceholder = valueOfEnvConfig => typeof valueOfEnvConfig === 'string' &&
 // Using `{regex}.test()` might cause false positives if called multiple
 // times on a global regular expression:
@@ -202,8 +208,7 @@ const substituteEnvVariablePlaceholder = (valueOfPlaceholder, matchedString, val
   if (!hasEnvField) {
     throw new Error(`Missing environment variable '${requestedEnvVar}' specified in config as 'env:${requestedEnvVar}'.`);
   }
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), loadingOptions.processEnv[requestedEnvVar]);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), loadingOptions.processEnv[requestedEnvVar]);
 };
 const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s3 = valueOfPlaceholder.split(':'),
@@ -220,43 +225,77 @@ const substituteIntlVariablePlaceholder = (valueOfPlaceholder, matchedString, va
   }
   const translation = translations[requestedIntlMessageId];
   const translationValue = isStructuredJson(translation) ? translation.string : translation;
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), translationValue);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), translationValue);
 };
 const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString, valueOfEnvConfig, loadingOptions) => {
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
-  const content = fs$1.readFileSync(require.resolve(filePathOrModule, {
-    // Relative paths should be resolved from the application folder.
+  const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
-  }), {
+  });
+
+  // Security check: Prevent path traversal attacks.
+  // require.resolve() already provides protection by only resolving modules
+  // accessible from the applicationPath. However, we add an extra layer to
+  // prevent access to sensitive system files outside the workspace.
+  const normalizedPath = path$1.normalize(resolvedPath);
+  const applicationPath = path$1.normalize(loadingOptions.applicationPath);
+
+  // Find workspace root by traversing up from applicationPath until we find
+  // package.json, pnpm-workspace.yaml, or reach root
+  let workspaceRoot = applicationPath;
+  let currentPath = applicationPath;
+  const rootPath = path$1.parse(currentPath).root;
+  while (currentPath !== rootPath) {
+    const hasPackageJson = fs$1.existsSync(path$1.join(currentPath, 'package.json'));
+    const hasWorkspaceConfig = fs$1.existsSync(path$1.join(currentPath, 'pnpm-workspace.yaml')) || fs$1.existsSync(path$1.join(currentPath, 'lerna.json'));
+    if (hasPackageJson) {
+      workspaceRoot = currentPath;
+      if (hasWorkspaceConfig) {
+        // Found workspace root
+        break;
+      }
+    }
+    currentPath = path$1.dirname(currentPath);
+  }
+  const relativePath = path$1.relative(workspaceRoot, normalizedPath);
+
+  // Path is safe if it's within the workspace root.
+  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+  const isSafePath = !_startsWithInstanceProperty(relativePath).call(relativePath, '..') && !path$1.isAbsolute(relativePath);
+  if (!isSafePath) {
+    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
+  }
+  const content = fs$1.readFileSync(normalizedPath, {
     encoding: 'utf-8'
   });
-  const escapedMatchedString = matchedString.replace(/[${}:]/g, '\\$&');
-  return valueOfEnvConfig.replace(new RegExp(`(${escapedMatchedString})+`, 'g'), content);
+  return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), content);
 };
 const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty(varName).call(varName)).replace(/\s/g, '');
-const substituteVariablePlaceholders = (config, loadingOptions) => JSON.parse(_JSON$stringify(config), (_key, value) => {
-  // Only strings are allowed
-  let substitutedValue = value;
-  if (hasVariablePlaceholder(substitutedValue)) {
-    const matchResult = substitutedValue.match(variableSyntax);
-    if (matchResult) {
-      _forEachInstanceProperty(matchResult).call(matchResult, matchedString => {
-        const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
-        if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
-          substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
-        }
-      });
+const substituteVariablePlaceholders = (config, loadingOptions) => {
+  const result = JSON.parse(_JSON$stringify(config), (_key, value) => {
+    // Only strings are allowed
+    let substitutedValue = value;
+    if (hasVariablePlaceholder(substitutedValue)) {
+      const matchResult = substitutedValue.match(variableSyntax);
+      if (matchResult) {
+        _forEachInstanceProperty(matchResult).call(matchResult, matchedString => {
+          const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
+          if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isIntlVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteIntlVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          } else if (isFilePathVariablePlaceholder(valueOfPlaceholder)) {
+            substitutedValue = substituteFilePathVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
+          }
+        });
+      }
     }
-  }
-  return substitutedValue;
-});
+    return substitutedValue;
+  });
+  return result;
+};
 
 var customApplicationSchemaJson = {
 	$schema: "http://json-schema.org/draft-07/schema",

package/dist/{formatters-7f327585.cjs.prod.js → formatters-4515015b.cjs.prod.js}

@@ -59,7 +59,7 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
     // Regex below checking if the character is numeric.
     // If the word after the hyphen is numeric, replace the hyphen with a forward slash.
     // If not, omit the hyphen and uppercase the first character
-    if (i > 0 && /^-?\d+$/.test(word[0])) {
+    if (i > 0 && /^\d+$/.test(word[0])) {
       return `/${word}`;
     }
     return upperFirst__default["default"](word);

package/dist/{formatters-882eafa8.esm.js → formatters-5629a23b.esm.js}

@@ -42,7 +42,7 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
     // Regex below checking if the character is numeric.
     // If the word after the hyphen is numeric, replace the hyphen with a forward slash.
     // If not, omit the hyphen and uppercase the first character
-    if (i > 0 && /^-?\d+$/.test(word[0])) {
+    if (i > 0 && /^\d+$/.test(word[0])) {
       return `/${word}`;
     }
     return upperFirst(word);

package/dist/{formatters-a76b45b9.cjs.dev.js → formatters-5a68b5ac.cjs.dev.js}

@@ -59,7 +59,7 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
     // Regex below checking if the character is numeric.
     // If the word after the hyphen is numeric, replace the hyphen with a forward slash.
     // If not, omit the hyphen and uppercase the first character
-    if (i > 0 && /^-?\d+$/.test(word[0])) {
+    if (i > 0 && /^\d+$/.test(word[0])) {
       return `/${word}`;
     }
     return upperFirst__default["default"](word);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commercetools-frontend/application-config",
-  "version": "25.1.0",
+  "version": "25.2.0",
   "description": "Configuration utilities for building Custom Applications",
   "bugs": "https://github.com/commercetools/merchant-center-application-kit/issues",
   "repository": {
@@ -45,7 +45,7 @@
     "@babel/register": "^7.22.15",
     "@babel/runtime": "^7.22.15",
     "@babel/runtime-corejs3": "^7.22.15",
-    "@commercetools-frontend/constants": "25.1.0",
+    "@commercetools-frontend/constants": "25.2.0",
     "@types/lodash": "^4.14.198",
     "@types/react": "^19.0.3",
     "ajv": "8.17.1",
@@ -54,13 +54,13 @@
     "cosmiconfig-typescript-loader": "6.1.0",
     "dompurify": "^3.0.0",
     "jsdom": "^21.1.2",
-    "lodash": "4.17.21",
+    "lodash": "4.17.23",
     "omit-empty-es": "1.2.0"
   },
   "devDependencies": {
     "@types/jsdom": "^21.1.2",
     "json-schema-to-typescript": "15.0.4",
-    "@commercetools-frontend/assets": "25.1.0"
+    "@commercetools-frontend/assets": "25.2.0"
   },
   "engines": {
     "node": "18.x || 20.x || >=22.0.0"

package/ssr/dist/commercetools-frontend-application-config-ssr.cjs.dev.js

@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var formatters = require('../../dist/formatters-a76b45b9.cjs.dev.js');
+var formatters = require('../../dist/formatters-5a68b5ac.cjs.dev.js');
 require('@babel/runtime-corejs3/core-js-stable/object/keys');
 require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
 require('@babel/runtime-corejs3/core-js-stable/instance/filter');

package/ssr/dist/commercetools-frontend-application-config-ssr.cjs.prod.js

@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var formatters = require('../../dist/formatters-7f327585.cjs.prod.js');
+var formatters = require('../../dist/formatters-4515015b.cjs.prod.js');
 require('@babel/runtime-corejs3/core-js-stable/object/keys');
 require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
 require('@babel/runtime-corejs3/core-js-stable/instance/filter');

package/ssr/dist/commercetools-frontend-application-config-ssr.esm.js

@@ -1,4 +1,4 @@
-export { d as computeCustomViewPermissionsKeys, c as computeCustomViewResourceAccesses, a as entryPointUriPathToPermissionKeys, e as entryPointUriPathToResourceAccesses, f as formatEntryPointUriPathToResourceAccessKey, b as formatPermissionGroupNameToResourceAccessKey } from '../../dist/formatters-882eafa8.esm.js';
+export { d as computeCustomViewPermissionsKeys, c as computeCustomViewResourceAccesses, a as entryPointUriPathToPermissionKeys, e as entryPointUriPathToResourceAccesses, f as formatEntryPointUriPathToResourceAccessKey, b as formatPermissionGroupNameToResourceAccessKey } from '../../dist/formatters-5629a23b.esm.js';
 import '@babel/runtime-corejs3/core-js-stable/object/keys';
 import '@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols';
 import '@babel/runtime-corejs3/core-js-stable/instance/filter';