@db-ux/core-foundations 3.0.0 → 3.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/assets/fonts/generate-eu-fonts.ts +23 -10
- package/package.json +17 -17
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { glob } from 'glob';
|
|
2
|
-
import {
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
3
|
import { promisify } from 'node:util';
|
|
4
4
|
|
|
5
5
|
import { dirname } from 'path';
|
|
@@ -8,12 +8,16 @@ import { fileURLToPath } from 'url';
|
|
|
8
8
|
const __filename = fileURLToPath(import.meta.url);
|
|
9
9
|
const __dirname = dirname(__filename).replaceAll('\\', '/');
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
// Security: Using execFile instead of exec to eliminate shell injection risks
|
|
12
|
+
// execFile directly executes the binary without involving a shell
|
|
13
|
+
const execFileAsync = promisify(execFile);
|
|
12
14
|
|
|
13
15
|
const generateFonts = async () => {
|
|
14
16
|
console.log('Generating EU fonts...');
|
|
15
17
|
try {
|
|
16
|
-
|
|
18
|
+
// Security: Using array arguments instead of concatenated string
|
|
19
|
+
// This prevents shell interpretation of special characters
|
|
20
|
+
await execFileAsync('pyftsubset', ['--help']);
|
|
17
21
|
} catch (e) {
|
|
18
22
|
console.warn(
|
|
19
23
|
'You need to install pyftsubset. Check packages/foundations/assets/fonts/README.md for more information.'
|
|
@@ -22,19 +26,28 @@ const generateFonts = async () => {
|
|
|
22
26
|
|
|
23
27
|
try {
|
|
24
28
|
const files = await glob(`${__dirname}/*.ttf`);
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
29
|
+
|
|
30
|
+
for (const file of files) {
|
|
31
|
+
// Security: Validate that the file is within the expected directory
|
|
32
|
+
// and has the expected extension to prevent path traversal attacks
|
|
33
|
+
if (!file.startsWith(__dirname) || !file.endsWith('.ttf')) {
|
|
34
|
+
console.warn(`Skipping potentially unsafe file path: ${file}`);
|
|
35
|
+
continue;
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
// Security: Arguments are passed as separate array elements
|
|
39
|
+
// No shell concatenation means no risk of command injection
|
|
40
|
+
const args = [
|
|
28
41
|
file,
|
|
29
42
|
'--layout-features=*',
|
|
30
43
|
'--flavor=woff2',
|
|
31
44
|
`--unicodes-file=${__dirname}/unicode-eu.txt`,
|
|
32
45
|
`--output-file=${file.replace('.ttf', '-EU.woff2')}`
|
|
33
|
-
]
|
|
34
|
-
);
|
|
46
|
+
];
|
|
35
47
|
|
|
36
|
-
|
|
37
|
-
|
|
48
|
+
// Security: execFile provides better performance and type safety
|
|
49
|
+
// as it doesn't spawn a shell process
|
|
50
|
+
const { stdout, stderr } = await execFileAsync('pyftsubset', args);
|
|
38
51
|
if (stdout) console.log(`stdout: ${stdout}`);
|
|
39
52
|
if (stderr) console.error(`stderr: ${stderr}`);
|
|
40
53
|
}
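Review bot: The containment check on new line 33, `file.startsWith(__dirname)`, is a plain string-prefix test: it also accepts a sibling directory whose name merely begins with the fonts directory name, and it compares against a `__dirname` whose backslashes were rewritten to `/` on line 9 while the paths `glob` returns on Windows may still use `\`, in which case every font would be skipped with the warning instead of converted — worth confirming on a Windows run. A real boundary check is `relative(__dirname, file)` (from 'path') being neither absolute nor starting with `..`, though because the pattern is `${__dirname}/*.ttf` the filter is defence in depth rather than the only guard, and the comment on lines 31–32 overstates what it prevents. Separately, `--output-file=${file.replace('.ttf', '-EU.woff2')}` replaces the first `.ttf` anywhere in the path, so a parent directory containing `.ttf` would produce a wrong output name; since the guard already ensures the suffix, `` `--output-file=${file.slice(0, -'.ttf'.length)}-EU.woff2` `` is exact. The enclosing generateFonts function continues past the end of this hunk.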
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@db-ux/core-foundations",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.2",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "Provides basic tokens and assets based on DB UX Design System (Version 3).",
|
|
6
6
|
"repository": {
|
|
@@ -20,27 +20,27 @@
|
|
|
20
20
|
"build:01_normalize": "npm-run-all copy-prepare:*",
|
|
21
21
|
"build:02_copy": "npm run copy:scss",
|
|
22
22
|
"build:03_css": "sass --no-source-map --load-path=node_modules/ --load-path=../../node_modules/ build/styles --fatal-deprecation=mixed-decls",
|
|
23
|
-
"build:04_tailwind": "cpr tailwind build/tailwind
|
|
23
|
+
"build:04_tailwind": "cpr tailwind build/tailwind --overwrite",
|
|
24
24
|
"build:05_postcss": "postcss build/styles/**/*.css --replace",
|
|
25
25
|
"build:05_tailwind_scss": "sass --no-source-map build/tailwind/theme --fatal-deprecation=mixed-decls",
|
|
26
|
-
"build:06_ide": "cpr ide build/ide
|
|
26
|
+
"build:06_ide": "cpr ide build/ide --overwrite",
|
|
27
27
|
"build:06_ts": "tsc",
|
|
28
|
-
"clean": "rm
|
|
28
|
+
"clean": "rm --recursive --force build",
|
|
29
29
|
"copy-build": "npm-run-all copy-build:*",
|
|
30
|
-
"copy-build:assets": "cpr assets ../../build-outputs/foundations/assets
|
|
31
|
-
"copy-build:package.json": "cpr package.json ../../build-outputs/foundations/package.json
|
|
32
|
-
"copy-build:readme": "cpr README.md ../../build-outputs/foundations/README.md
|
|
33
|
-
"copy-build:web": "cpr build ../../build-outputs/foundations/build
|
|
30
|
+
"copy-build:assets": "cpr assets ../../build-outputs/foundations/assets --overwrite",
|
|
31
|
+
"copy-build:package.json": "cpr package.json ../../build-outputs/foundations/package.json --overwrite",
|
|
32
|
+
"copy-build:readme": "cpr README.md ../../build-outputs/foundations/README.md --overwrite",
|
|
33
|
+
"copy-build:web": "cpr build ../../build-outputs/foundations/build --overwrite",
|
|
34
34
|
"copy-prepare:icon-overview": "tsx scripts/local/generate-icon-overview.ts",
|
|
35
|
-
"copy-prepare:normalize": "cpr ../../node_modules/@csstools/normalize.css/normalize.css scss/_normalize.scss
|
|
36
|
-
"copy:scss": "cpr scss build/styles
|
|
35
|
+
"copy-prepare:normalize": "cpr ../../node_modules/@csstools/normalize.css/normalize.css scss/_normalize.scss --overwrite",
|
|
36
|
+
"copy:scss": "cpr scss build/styles --overwrite",
|
|
37
37
|
"dev": "vite --open",
|
|
38
38
|
"generate:fonts": "tsx assets/fonts/generate-eu-fonts.ts",
|
|
39
39
|
"generate:icons": "tsx scripts/local/generate-icon-font.ts",
|
|
40
40
|
"prebuild": "npm-run-all copy-prepare:*",
|
|
41
41
|
"predev": "npm-run-all copy-prepare:*",
|
|
42
42
|
"prestart": "npm-run-all copy-prepare:*",
|
|
43
|
-
"regenerate:screenshots": "npx playwright test
|
|
43
|
+
"regenerate:screenshots": "npx playwright test --config ./test/playwright.config.js --update-snapshots",
|
|
44
44
|
"start": "nodemon --config nodemon.json",
|
|
45
45
|
"test:e2e": "npx playwright test --config=./test/playwright.config.js"
|
|
46
46
|
},
|
|
@@ -49,15 +49,15 @@
|
|
|
49
49
|
"@db-ux/icon-font-tools": "0.3.4",
|
|
50
50
|
"@playwright/test": "1.54.1",
|
|
51
51
|
"cpr": "3.0.1",
|
|
52
|
-
"cssnano": "
|
|
53
|
-
"dotenv": "
|
|
52
|
+
"cssnano": "7.1.0",
|
|
53
|
+
"dotenv": "17.2.0",
|
|
54
54
|
"glob": "11.0.3",
|
|
55
55
|
"nodemon": "3.1.10",
|
|
56
|
-
"prettier": "
|
|
56
|
+
"prettier": "3.6.2",
|
|
57
57
|
"sass": "1.85.0",
|
|
58
|
-
"tsx": "
|
|
59
|
-
"typescript": "
|
|
60
|
-
"vite": "
|
|
58
|
+
"tsx": "4.20.3",
|
|
59
|
+
"typescript": "5.8.3",
|
|
60
|
+
"vite": "6.3.5"
|
|
61
61
|
},
|
|
62
62
|
"publishConfig": {
|
|
63
63
|
"registry": "https://registry.npmjs.org/",
|