@gjsify/cli 0.4.29 → 0.4.31

package/lib/commands/build.d.ts

@@ -1,2 +1,2 @@
 import type { Command, CliBuildOptions } from '../types/index.js';
-export declare const buildCommand: Command<any, CliBuildOptions>;
+export declare const buildCommand: Command<unknown, CliBuildOptions>;

package/lib/commands/create.d.ts

@@ -5,5 +5,5 @@ interface CreateOptions {
     force: boolean;
     install: boolean;
 }
-export declare const createCommand: Command<any, CreateOptions>;
+export declare const createCommand: Command<unknown, CreateOptions>;
 export {};

package/lib/commands/dlx.d.ts

@@ -9,5 +9,5 @@ interface DlxOptions {
     verbose: boolean;
     registry?: string;
 }
-export declare const dlxCommand: Command<any, DlxOptions>;
+export declare const dlxCommand: Command<unknown, DlxOptions>;
 export {};

package/lib/commands/flatpak/sync-flathub.js

@@ -152,7 +152,7 @@ async function resolveCommitForTag(cwd, tag, verbose) {
     }
     catch (err) {
         throw new Error(`[gjsify flatpak sync-flathub] tag ${tag} not found locally. Run \`git fetch --tags\` or pass --commit <sha>.\n` +
-            `  underlying error: ${err?.message ?? err}`);
+            `  underlying error: ${err instanceof Error ? err.message : String(err)}`);
     }
 }
 function normaliseBranchSegment(version) {

package/lib/commands/foreach.d.ts

@@ -13,5 +13,5 @@ interface ForeachOptions {
     jobs?: number;
     exec?: boolean;
 }
-export declare const foreachCommand: Command<any, ForeachOptions>;
+export declare const foreachCommand: Command<unknown, ForeachOptions>;
 export {};

package/lib/commands/generate-installer.d.ts

@@ -6,5 +6,5 @@ interface GenerateInstallerOptions {
     output: string;
     force: boolean;
 }
-export declare const generateInstallerCommand: Command<any, GenerateInstallerOptions>;
+export declare const generateInstallerCommand: Command<unknown, GenerateInstallerOptions>;
 export {};

package/lib/commands/gettext.d.ts

@@ -10,5 +10,5 @@ interface GettextOptions {
     removeXmlComments?: boolean;
     verbose?: boolean;
 }
-export declare const gettextCommand: Command<any, GettextOptions>;
+export declare const gettextCommand: Command<unknown, GettextOptions>;
 export {};

package/lib/commands/gettext.js

@@ -179,15 +179,16 @@ export const gettextCommand = {
             }
         }
         catch (err) {
-            if (err?.code === 'ENOENT') {
+            const e = err;
+            if (e?.code === 'ENOENT') {
                 console.error('[gjsify gettext] msgfmt not found. Install it via your distro (package: gettext).');
             }
             else {
-                if (err?.stderr)
-                    process.stderr.write(err.stderr);
-                console.error(`[gjsify gettext] msgfmt failed${err?.code !== undefined ? ` (exit ${err.code})` : ''}`);
+                if (e?.stderr)
+                    process.stderr.write(e.stderr);
+                console.error(`[gjsify gettext] msgfmt failed${e?.code !== undefined ? ` (exit ${e.code})` : ''}`);
             }
-            process.exitCode = typeof err?.code === 'number' ? err.code : 1;
+            process.exitCode = typeof e?.code === 'number' ? e.code : 1;
         }
     },
 };

package/lib/commands/gresource.d.ts

@@ -5,5 +5,5 @@ interface GResourceOptions {
     target?: string;
     verbose?: boolean;
 }
-export declare const gresourceCommand: Command<any, GResourceOptions>;
+export declare const gresourceCommand: Command<unknown, GResourceOptions>;
 export {};

package/lib/commands/gresource.js

@@ -62,15 +62,16 @@ export const gresourceCommand = {
             }
         }
         catch (err) {
-            if (err?.code === 'ENOENT') {
+            const e = err;
+            if (e?.code === 'ENOENT') {
                 console.error('[gjsify gresource] glib-compile-resources not found. Install it via your distro (package: glib2-devel / libglib2.0-dev).');
             }
             else {
-                if (err?.stderr)
-                    process.stderr.write(err.stderr);
-                console.error(`[gjsify gresource] glib-compile-resources failed${err?.code !== undefined ? ` (exit ${err.code})` : ''}`);
+                if (e?.stderr)
+                    process.stderr.write(e.stderr);
+                console.error(`[gjsify gresource] glib-compile-resources failed${e?.code !== undefined ? ` (exit ${e.code})` : ''}`);
             }
-            process.exitCode = typeof err?.code === 'number' ? err.code : 1;
+            process.exitCode = typeof e?.code === 'number' ? e.code : 1;
         }
     },
 };

package/lib/commands/gsettings.d.ts

@@ -5,5 +5,5 @@ interface GSettingsOptions {
     strict?: boolean;
     verbose?: boolean;
 }
-export declare const gsettingsCommand: Command<any, GSettingsOptions>;
+export declare const gsettingsCommand: Command<unknown, GSettingsOptions>;
 export {};

package/lib/commands/gsettings.js

@@ -56,15 +56,16 @@ export const gsettingsCommand = {
             }
         }
         catch (err) {
-            if (err?.code === 'ENOENT') {
+            const e = err;
+            if (e?.code === 'ENOENT') {
                 console.error('[gjsify gsettings] glib-compile-schemas not found. Install it via your distro (package: glib2-devel / libglib2.0-dev).');
             }
             else {
-                if (err?.stderr)
-                    process.stderr.write(err.stderr);
-                console.error(`[gjsify gsettings] glib-compile-schemas failed${err?.code !== undefined ? ` (exit ${err.code})` : ''}`);
+                if (e?.stderr)
+                    process.stderr.write(e.stderr);
+                console.error(`[gjsify gsettings] glib-compile-schemas failed${e?.code !== undefined ? ` (exit ${e.code})` : ''}`);
             }
-            process.exitCode = typeof err?.code === 'number' ? err.code : 1;
+            process.exitCode = typeof e?.code === 'number' ? e.code : 1;
         }
     },
 };

package/lib/commands/info.d.ts

@@ -3,5 +3,5 @@ interface InfoOptions {
     export: boolean;
     file?: string;
 }
-export declare const infoCommand: Command<any, InfoOptions>;
+export declare const infoCommand: Command<unknown, InfoOptions>;
 export {};

package/lib/commands/install.d.ts

@@ -9,5 +9,5 @@ interface InstallOptions {
     verbose: boolean;
     backend?: 'native' | 'npm';
 }
-export declare const installCommand: Command<any, InstallOptions>;
+export declare const installCommand: Command<unknown, InstallOptions>;
 export {};

package/lib/commands/install.js

@@ -265,14 +265,39 @@ async function workspaceInstall(cwd, args) {
             for (const [depName, spec] of Object.entries(block)) {
                 if (typeof spec !== 'string')
                     continue;
-                if (spec.startsWith('workspace:')) {
-                    const target = byName.get(depName);
-                    if (!target) {
-                        throw new Error(`gjsify install: ${ws.name} declares "${depName}: ${spec}" but ` +
-                            `no workspace with that name exists`);
+                // A dependency whose NAME matches a local workspace is always
+                // satisfied by that workspace — never by a same-named package on
+                // npm. This holds regardless of the spec form: an explicit
+                // `workspace:` protocol, a plain semver range (`^1.2.3`), or even
+                // a dist-tag. Yarn/npm resolve a workspace-named dep to the local
+                // package first; we MUST do the same. Routing such a dep into the
+                // native fetch/extract queue is the data-loss bug this guards
+                // against — `extractOne` would `rmSync` + drop the published
+                // tarball over the workspace's OWN source tree (the published
+                // tarball ships only `files`, so `src/**` gets wiped). Symlink
+                // it instead, exactly like a `workspace:` ref.
+                const localWorkspace = byName.get(depName);
+                if (localWorkspace) {
+                    // Only an EXPLICIT out-of-workspace protocol (link:/file:/
+                    // portal:/git+/http(s):) opts out of the local workspace. Any
+                    // other shape — `workspace:` or a plain semver range/dist-tag
+                    // (`^1.2.3`, `*`, `latest`) — resolves to the local package.
+                    const explicitOverride = /^(link|file|portal|git\+|https?):/.test(spec);
+                    if (!explicitOverride) {
+                        symlinks.push({
+                            fromWorkspaceName: ws.name,
+                            depName,
+                            targetLocation: localWorkspace.location,
+                        });
+                        continue;
                     }
-                    symlinks.push({ fromWorkspaceName: ws.name, depName, targetLocation: target.location });
-                    continue;
+                    // explicit override → fall through to the existing handling.
+                }
+                if (spec.startsWith('workspace:')) {
+                    // `workspace:` against a name that is NOT a discovered
+                    // workspace is a hard error (typo / missing package).
+                    throw new Error(`gjsify install: ${ws.name} declares "${depName}: ${spec}" but ` +
+                        `no workspace with that name exists`);
                 }
                 if (/^(link|file|portal|git\+|https?):/.test(spec))
                     continue;

package/lib/commands/pack.d.ts

@@ -23,7 +23,7 @@ interface PackResult {
     /** Absolute path of the written .tgz, or null on --dry-run. */
     absolutePath: string | null;
 }
-export declare const packCommand: Command<any, PackOptions>;
+export declare const packCommand: Command<unknown, PackOptions>;
 export interface PackWorkspaceOptions {
     /** Directory to write the .tgz into. Defaults to the workspace itself. */
     destination?: string;

package/lib/commands/publish.d.ts

@@ -12,5 +12,5 @@ interface PublishOptions {
     trusted?: boolean | 'auto';
     'check-trusted'?: boolean;
 }
-export declare const publishCommand: Command<any, PublishOptions>;
+export declare const publishCommand: Command<unknown, PublishOptions>;
 export {};

package/lib/commands/run.d.ts

@@ -3,5 +3,5 @@ interface RunOptions {
     target: string;
     args: string[];
 }
-export declare const runCommand: Command<any, RunOptions>;
+export declare const runCommand: Command<unknown, RunOptions>;
 export {};

package/lib/commands/self-update.d.ts

@@ -4,5 +4,5 @@ interface SelfUpdateOptions {
     force?: boolean;
     tag: string;
 }
-export declare const selfUpdateCommand: Command<any, SelfUpdateOptions>;
+export declare const selfUpdateCommand: Command<unknown, SelfUpdateOptions>;
 export {};

package/lib/commands/showcase.d.ts

@@ -4,5 +4,5 @@ interface ShowcaseOptions {
     json: boolean;
     list: boolean;
 }
-export declare const showcaseCommand: Command<any, ShowcaseOptions>;
+export declare const showcaseCommand: Command<unknown, ShowcaseOptions>;
 export {};

package/lib/commands/system-check.d.ts

@@ -2,5 +2,5 @@ import type { Command } from '../types/index.js';
 interface CheckOptions {
     json: boolean;
 }
-export declare const systemCheckCommand: Command<any, CheckOptions>;
+export declare const systemCheckCommand: Command<unknown, CheckOptions>;
 export {};

package/lib/commands/uninstall.d.ts

@@ -5,5 +5,5 @@ interface UninstallOptions {
     'dry-run'?: boolean;
     verbose?: boolean;
 }
-export declare const uninstallCommand: Command<any, UninstallOptions>;
+export declare const uninstallCommand: Command<unknown, UninstallOptions>;
 export {};

package/lib/commands/workspace.d.ts

@@ -4,5 +4,5 @@ interface WorkspaceCmdOptions {
     script: string;
     args?: string[];
 }
-export declare const workspaceCommand: Command<any, WorkspaceCmdOptions>;
+export declare const workspaceCommand: Command<unknown, WorkspaceCmdOptions>;
 export {};

package/lib/types/command.d.ts

@@ -1,5 +1,5 @@
 import type { ArgumentsCamelCase, MiddlewareFunction, BuilderCallback } from 'yargs';
-export interface Command<T = any, U = T> {
+export interface Command<T = unknown, U = T> {
     command: string | ReadonlyArray<string>;
     description: string;
     builder?: BuilderCallback<T, U>;

package/lib/types/cosmiconfig-result.d.ts

@@ -1,4 +1,4 @@
-export type CosmiconfigResult<C = any> = {
+export type CosmiconfigResult<C = unknown> = {
     config: C;
     filepath: string;
     isEmpty?: boolean;

package/lib/utils/install-backend-native.js

@@ -486,6 +486,15 @@ async function downloadAndExtractAll(nodes, prefix, npmrc, log) {
 }
 async function extractOne(node, prefix, npmrc, log) {
     const dest = path.join(prefix, node.installPath);
+    // Defense-in-depth against the workspace-source-wipe data-loss bug:
+    // every extractable node MUST land inside a `node_modules/` directory.
+    // The resolver only ever produces `installPath`s of that shape, so this
+    // can only fail if a workspace package leaked into the fetch/extract
+    // queue (the root cause fixed in `workspaceInstall`). Refusing here means
+    // a regression in the resolver can never again `rmSync` a working-tree
+    // source dir — the realpath check additionally rejects a `dest` that
+    // resolves THROUGH a symlink into a directory outside node_modules.
+    assertNodeModulesDest(dest, node);
     log('fetch: %s@%s ← %s (→ %s)', node.name, node.version, node.tarballUrl, node.installPath);
     const bytes = await fetchTarball(node.tarballUrl, {
         npmrc,
@@ -498,6 +507,44 @@ async function extractOne(node, prefix, npmrc, log) {
     fs.mkdirSync(dest, { recursive: true });
     await extractTarball(bytes, dest);
 }
+/**
+ * Guard: a tarball may only be extracted into a `node_modules/` directory.
+ *
+ * Two checks, both belt-and-suspenders against ever wiping a working-tree
+ * source dir (the install-deletes-workspace-sources data-loss bug):
+ *
+ *   1. The logical `installPath` must contain a `node_modules` path segment.
+ *      The resolver always produces such paths; a workspace package that
+ *      slipped into the queue would not.
+ *   2. If `dest` already exists and resolves (via symlink) to a directory
+ *      whose REAL path is not under a `node_modules/` segment, refuse. This
+ *      catches the case where `node_modules/<name>` is a symlink to a
+ *      workspace's source tree — `rmSync(dest, { recursive: true })` would
+ *      then delete the link's target contents.
+ */
+function assertNodeModulesDest(dest, node) {
+    const segments = dest.split(path.sep);
+    if (!segments.includes('node_modules')) {
+        throw new Error(`gjsify install: refusing to extract ${node.name}@${node.version} into ${dest} — ` +
+            `target is not inside a node_modules/ directory. This would overwrite working-tree files. ` +
+            `A workspace package likely leaked into the fetch queue (it must be symlinked, not fetched).`);
+    }
+    let real;
+    try {
+        real = fs.realpathSync(dest);
+    }
+    catch {
+        // `dest` doesn't exist yet (fresh install) — nothing to resolve, the
+        // logical-path check above is sufficient.
+        return;
+    }
+    const realSegments = real.split(path.sep);
+    if (!realSegments.includes('node_modules')) {
+        throw new Error(`gjsify install: refusing to extract ${node.name}@${node.version} — ${dest} resolves to ${real}, ` +
+            `which is outside any node_modules/ directory (likely a symlink to a workspace source tree). ` +
+            `Extracting here would delete working-tree source files.`);
+    }
+}
 function depth(installPath) {
     // Count `node_modules/` segments to know nesting depth.
     // `node_modules/foo` = 1, `node_modules/foo/node_modules/bar` = 2, etc.

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.29",
+    "version": "0.4.31",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -120,18 +120,18 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.29",
-        "@gjsify/create-app": "^0.4.29",
-        "@gjsify/node-globals": "^0.4.29",
-        "@gjsify/node-polyfills": "^0.4.29",
-        "@gjsify/npm-registry": "^0.4.29",
-        "@gjsify/resolve-npm": "^0.4.29",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.29",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.29",
-        "@gjsify/semver": "^0.4.29",
-        "@gjsify/tar": "^0.4.29",
-        "@gjsify/web-polyfills": "^0.4.29",
-        "@gjsify/workspace": "^0.4.29",
+        "@gjsify/buffer": "^0.4.31",
+        "@gjsify/create-app": "^0.4.31",
+        "@gjsify/node-globals": "^0.4.31",
+        "@gjsify/node-polyfills": "^0.4.31",
+        "@gjsify/npm-registry": "^0.4.31",
+        "@gjsify/resolve-npm": "^0.4.31",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.31",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.31",
+        "@gjsify/semver": "^0.4.31",
+        "@gjsify/tar": "^0.4.31",
+        "@gjsify/web-polyfills": "^0.4.31",
+        "@gjsify/workspace": "^0.4.31",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
@@ -139,12 +139,12 @@
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.29",
+        "@gjsify/unit": "^0.4.31",
         "@types/yargs": "^17.0.35",
         "typescript": "^6.0.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.29"
+        "@gjsify/rolldown-native": "^0.4.31"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {