@forwardimpact/pathway 0.25.0 → 0.25.1

package/bin/fit-pathway.js

@@ -30,11 +30,13 @@
  */
 
 import { join, resolve, dirname } from "path";
-import { existsSync } from "fs";
-import { homedir } from "os";
 import { fileURLToPath } from "url";
+import fs from "fs/promises";
+import { homedir } from "os";
 import { createDataLoader } from "@forwardimpact/map/loader";
 import { validateAllData } from "@forwardimpact/map/validation";
+import { Finder } from "@forwardimpact/libutil";
+import { createLogger } from "@forwardimpact/libtelemetry";
 import { formatError } from "../src/lib/cli-output.js";
 import { createTemplateLoader } from "@forwardimpact/libtemplate";
 
@@ -336,50 +338,6 @@ function printHelp() {
   console.log(HELP_TEXT);
 }
 
-/**
- * Resolve the data directory path.
- * @param {Object} options - Parsed command options
- * @returns {string} Resolved absolute path to data directory
- */
-function resolveDataPath(options) {
-  if (options.data) {
-    return resolve(options.data);
-  }
-
-  if (process.env.PATHWAY_DATA) {
-    return resolve(process.env.PATHWAY_DATA);
-  }
-
-  const homeData = join(homedir(), ".fit", "pathway", "data");
-  if (existsSync(homeData)) {
-    return homeData;
-  }
-
-  const cwdDataPathway = join(process.cwd(), "data/pathway");
-  if (existsSync(cwdDataPathway)) {
-    return cwdDataPathway;
-  }
-
-  const cwdExamplesPathway = join(process.cwd(), "examples/pathway");
-  if (existsSync(cwdExamplesPathway)) {
-    return cwdExamplesPathway;
-  }
-
-  const cwdData = join(process.cwd(), "data");
-  if (existsSync(cwdData)) {
-    return cwdData;
-  }
-
-  const cwdExamples = join(process.cwd(), "examples");
-  if (existsSync(cwdExamples)) {
-    return cwdExamples;
-  }
-
-  throw new Error(
-    "No data directory found. Create ./data/pathway/ or use --data=<path>",
-  );
-}
-
 /**
  * Main CLI entry point
  */
@@ -404,7 +362,20 @@ async function main() {
     process.exit(0);
   }
 
-  const dataDir = resolveDataPath(options);
+  let dataDir;
+  if (options.data) {
+    dataDir = resolve(options.data);
+  } else {
+    const logger = createLogger("pathway");
+    const finder = new Finder(fs, logger, process);
+    try {
+      dataDir = join(finder.findData("data", homedir()), "pathway");
+    } catch {
+      throw new Error(
+        "No data directory found. Use --data=<path> to specify location.",
+      );
+    }
+  }
 
   if (command === "dev") {
     await runDevCommand({ dataDir, options });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/pathway",
-  "version": "0.25.0",
+  "version": "0.25.1",
   "description": "Career progression web app and CLI for exploring roles and generating agent teams",
   "license": "Apache-2.0",
   "repository": {
@@ -45,8 +45,8 @@
     "@forwardimpact/libtemplate": "^0.2.0",
     "@forwardimpact/libui": "^1.0.0",
     "mustache": "^4.2.0",
-    "simple-icons": "^16.7.0",
-    "yaml": "^2.3.4"
+    "simple-icons": "^16.13.0",
+    "yaml": "^2.8.3"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/commands/update.js

@@ -9,7 +9,7 @@
 import { cp, mkdir, rm, readFile, writeFile, access } from "fs/promises";
 import { join } from "path";
 import { homedir } from "os";
-import { execFileSync, execSync } from "child_process";
+import { execFileSync } from "child_process";
 import { createDataLoader } from "@forwardimpact/map/loader";
 
 const INSTALL_DIR = join(homedir(), ".fit", "pathway");
@@ -112,9 +112,13 @@ export async function runUpdateCommand({ dataDir: _dataDir, options }) {
     // 6. Update global pathway package if version changed
     if (oldVersion !== newVersion) {
       console.log(`   Updating pathway ${oldVersion} → ${newVersion}...`);
-      execSync(`npm install -g @forwardimpact/pathway@${newVersion}`, {
-        stdio: "ignore",
-      });
+      execFileSync(
+        "npm",
+        ["install", "-g", `@forwardimpact/pathway@${newVersion}`],
+        {
+          stdio: "ignore",
+        },
+      );
       console.log("   ✓ Global package updated");
     }
 

package/src/components/skill-matrix.js

@@ -30,8 +30,12 @@ import { truncate } from "../formatters/shared.js";
 function sortByCapabilityThenLevel(skills, capabilityOrder) {
   const orderMap = new Map(capabilityOrder.map((id, i) => [id, i]));
   return [...skills].sort((a, b) => {
-    const capA = orderMap.has(a.capability) ? orderMap.get(a.capability) : capabilityOrder.length;
-    const capB = orderMap.has(b.capability) ? orderMap.get(b.capability) : capabilityOrder.length;
+    const capA = orderMap.has(a.capability)
+      ? orderMap.get(a.capability)
+      : capabilityOrder.length;
+    const capB = orderMap.has(b.capability)
+      ? orderMap.get(b.capability)
+      : capabilityOrder.length;
     if (capA !== capB) return capA - capB;
     const levelA = SKILL_PROFICIENCY_ORDER.indexOf(a.proficiency);
     const levelB = SKILL_PROFICIENCY_ORDER.indexOf(b.proficiency);

package/src/lib/radar.js

@@ -2,6 +2,20 @@
  * Radar chart visualization using SVG
  */
 
+/**
+ * Escape HTML special characters to prevent XSS
+ * @param {string} text
+ * @returns {string}
+ */
+function escapeHtml(text) {
+  return text
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
+
 /**
  * @typedef {Object} RadarDataPoint
  * @property {string} label - Label for this axis
@@ -393,9 +407,9 @@ export class RadarChart {
     const y = event.clientY - rect.top;
 
     this.tooltip.innerHTML = `
-      <strong>${data.label}</strong><br>
+      <strong>${escapeHtml(data.label)}</strong><br>
       Value: ${data.value}/${data.maxValue}
-      ${data.description ? `<br><small>${data.description}</small>` : ""}
+      ${data.description ? `<br><small>${escapeHtml(data.description)}</small>` : ""}
     `;
 
     this.tooltip.style.left = `${x + 10}px`;
@@ -815,9 +829,9 @@ export class ComparisonRadarChart {
     const typeLabel = type === "current" ? "Current" : "Target";
 
     this.tooltip.innerHTML = `
-      <strong>${data.label}</strong><br>
+      <strong>${escapeHtml(data.label)}</strong><br>
       ${typeLabel}: ${data.value}/${data.maxValue}
-      ${data.description ? `<br><small>${data.description}</small>` : ""}
+      ${data.description ? `<br><small>${escapeHtml(data.description)}</small>` : ""}
     `;
 
     this.tooltip.style.left = `${x + 10}px`;
@@ -844,7 +858,7 @@ export class ComparisonRadarChart {
           : "<span style='color: #94a3b8'>No change</span>";
 
     this.tooltip.innerHTML = `
-      <strong>${currentData.label}</strong><br>
+      <strong>${escapeHtml(currentData.label)}</strong><br>
       Current: ${currentData.value}/${currentData.maxValue}<br>
       Target: ${targetData.value}/${targetData.maxValue}<br>
       ${diffText}

package/src/slide-main.js

@@ -53,6 +53,20 @@ function showLoading() {
   }
 }
 
+/**
+ * Escape HTML special characters to prevent XSS
+ * @param {string} text
+ * @returns {string}
+ */
+function escapeHtml(text) {
+  return text
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
+
 /**
  * Render error slide
  * @param {string} title
@@ -62,8 +76,8 @@ function renderError(title, message) {
   const container = getSlideContent();
   container.innerHTML = `
     <div class="slide-error">
-      <h1>${title}</h1>
-      <p>${message}</p>
+      <h1>${escapeHtml(title)}</h1>
+      <p>${escapeHtml(message)}</p>
       <a href="#/">← Back to Index</a>
     </div>
   `;