@nocobase/plugin-file-manager 2.0.60 → 2.0.62

package/dist/client/templates/file.d.ts

@@ -124,10 +124,10 @@ export declare class FileCollectionTemplate extends CollectionTemplate {
         initPrimaryKeyFiledInterface(properties: any): void;
     };
     configurableProperties: {
+        title: any;
         name: any;
         createdAt: any;
         updatedAt: any;
-        title: any;
         description: any;
         updatedBy: any;
         createdBy: any;

package/dist/externalVersion.js

@@ -8,7 +8,7 @@
  */
 
 module.exports = {
-  "@nocobase/client": "2.0.60",
+  "@nocobase/client": "2.0.62",
   "react": "18.2.0",
   "antd": "5.24.2",
   "@ant-design/icons": "5.6.1",
@@ -16,16 +16,16 @@ module.exports = {
   "lodash": "4.18.1",
   "react-i18next": "11.18.6",
   "multer": "1.4.5-lts.2",
-  "@nocobase/database": "2.0.60",
-  "@nocobase/server": "2.0.60",
-  "@nocobase/utils": "2.0.60",
-  "@nocobase/test": "2.0.60",
+  "@nocobase/database": "2.0.62",
+  "@nocobase/server": "2.0.62",
+  "@nocobase/utils": "2.0.62",
+  "@nocobase/test": "2.0.62",
   "@formily/react": "2.3.7",
-  "@nocobase/flow-engine": "2.0.60",
+  "@nocobase/flow-engine": "2.0.62",
   "@emotion/css": "11.13.0",
   "@formily/antd-v5": "1.2.3",
-  "@nocobase/actions": "2.0.60",
-  "@nocobase/plugin-data-source-main": "2.0.60",
+  "@nocobase/actions": "2.0.62",
+  "@nocobase/plugin-data-source-main": "2.0.62",
   "sequelize": "6.35.2",
   "axios": "1.7.7"
 };

package/dist/node_modules/@aws-sdk/client-s3/package.json

@@ -1 +1 @@
-{"name":"@aws-sdk/client-s3","description":"AWS SDK for JavaScript S3 Client for Node.js, Browser and React Native","version":"3.750.0","scripts":{"build":"concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'","build:cjs":"node ../../scripts/compilation/inline client-s3","build:es":"tsc -p tsconfig.es.json","build:include:deps":"lerna run --scope $npm_package_name --include-dependencies build","build:types":"tsc -p tsconfig.types.json","build:types:downlevel":"downlevel-dts dist-types dist-types/ts3.4","clean":"rimraf ./dist-* && rimraf *.tsbuildinfo","extract:docs":"api-extractor run --local","generate:client":"node ../../scripts/generate-clients/single-service --solo s3","test":"yarn g:vitest run","test:browser":"node ./test/browser-build/esbuild && yarn g:vitest run -c vitest.config.browser.ts","test:browser:watch":"node ./test/browser-build/esbuild && yarn g:vitest watch -c vitest.config.browser.ts","test:e2e":"yarn g:vitest run -c vitest.config.e2e.ts && yarn test:browser","test:e2e:watch":"yarn g:vitest watch -c vitest.config.e2e.ts","test:watch":"yarn g:vitest watch"},"main":"./dist-cjs/index.js","types":"./dist-types/index.d.ts","module":"./dist-es/index.js","sideEffects":false,"dependencies":{"@aws-crypto/sha1-browser":"5.2.0","@aws-crypto/sha256-browser":"5.2.0","@aws-crypto/sha256-js":"5.2.0","@aws-sdk/core":"3.750.0","@aws-sdk/credential-provider-node":"3.750.0","@aws-sdk/middleware-bucket-endpoint":"3.734.0","@aws-sdk/middleware-expect-continue":"3.734.0","@aws-sdk/middleware-flexible-checksums":"3.750.0","@aws-sdk/middleware-host-header":"3.734.0","@aws-sdk/middleware-location-constraint":"3.734.0","@aws-sdk/middleware-logger":"3.734.0","@aws-sdk/middleware-recursion-detection":"3.734.0","@aws-sdk/middleware-sdk-s3":"3.750.0","@aws-sdk/middleware-ssec":"3.734.0","@aws-sdk/middleware-user-agent":"3.750.0","@aws-sdk/region-config-resolver":"3.734.0","@aws-sdk/signature-v4-multi-region":"3.750.0","@aws-sdk/types":"3.734.0","@aws-sdk/util-endpoints":"3.743.0","@aws-sdk/util-user-agent-browser":"3.734.0","@aws-sdk/util-user-agent-node":"3.750.0","@aws-sdk/xml-builder":"3.734.0","@smithy/config-resolver":"^4.0.1","@smithy/core":"^3.1.4","@smithy/eventstream-serde-browser":"^4.0.1","@smithy/eventstream-serde-config-resolver":"^4.0.1","@smithy/eventstream-serde-node":"^4.0.1","@smithy/fetch-http-handler":"^5.0.1","@smithy/hash-blob-browser":"^4.0.1","@smithy/hash-node":"^4.0.1","@smithy/hash-stream-node":"^4.0.1","@smithy/invalid-dependency":"^4.0.1","@smithy/md5-js":"^4.0.1","@smithy/middleware-content-length":"^4.0.1","@smithy/middleware-endpoint":"^4.0.5","@smithy/middleware-retry":"^4.0.6","@smithy/middleware-serde":"^4.0.2","@smithy/middleware-stack":"^4.0.1","@smithy/node-config-provider":"^4.0.1","@smithy/node-http-handler":"^4.0.2","@smithy/protocol-http":"^5.0.1","@smithy/smithy-client":"^4.1.5","@smithy/types":"^4.1.0","@smithy/url-parser":"^4.0.1","@smithy/util-base64":"^4.0.0","@smithy/util-body-length-browser":"^4.0.0","@smithy/util-body-length-node":"^4.0.0","@smithy/util-defaults-mode-browser":"^4.0.6","@smithy/util-defaults-mode-node":"^4.0.6","@smithy/util-endpoints":"^3.0.1","@smithy/util-middleware":"^4.0.1","@smithy/util-retry":"^4.0.1","@smithy/util-stream":"^4.1.1","@smithy/util-utf8":"^4.0.0","@smithy/util-waiter":"^4.0.2","tslib":"^2.6.2"},"devDependencies":{"@aws-sdk/signature-v4-crt":"3.750.0","@tsconfig/node18":"18.2.4","@types/node":"^18.19.69","concurrently":"7.0.0","downlevel-dts":"0.10.1","rimraf":"3.0.2","typescript":"~5.2.2"},"engines":{"node":">=18.0.0"},"typesVersions":{"<4.0":{"dist-types/*":["dist-types/ts3.4/*"]}},"files":["dist-*/**"],"author":{"name":"AWS SDK for JavaScript Team","url":"https://aws.amazon.com/javascript/"},"license":"Apache-2.0","browser":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.browser"},"react-native":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.native"},"homepage":"https://github.com/aws/aws-sdk-js-v3/tree/main/clients/client-s3","repository":{"type":"git","url":"https://github.com/aws/aws-sdk-js-v3.git","directory":"clients/client-s3"},"_lastModified":"2026-05-29T10:14:34.207Z"}
+{"name":"@aws-sdk/client-s3","description":"AWS SDK for JavaScript S3 Client for Node.js, Browser and React Native","version":"3.750.0","scripts":{"build":"concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'","build:cjs":"node ../../scripts/compilation/inline client-s3","build:es":"tsc -p tsconfig.es.json","build:include:deps":"lerna run --scope $npm_package_name --include-dependencies build","build:types":"tsc -p tsconfig.types.json","build:types:downlevel":"downlevel-dts dist-types dist-types/ts3.4","clean":"rimraf ./dist-* && rimraf *.tsbuildinfo","extract:docs":"api-extractor run --local","generate:client":"node ../../scripts/generate-clients/single-service --solo s3","test":"yarn g:vitest run","test:browser":"node ./test/browser-build/esbuild && yarn g:vitest run -c vitest.config.browser.ts","test:browser:watch":"node ./test/browser-build/esbuild && yarn g:vitest watch -c vitest.config.browser.ts","test:e2e":"yarn g:vitest run -c vitest.config.e2e.ts && yarn test:browser","test:e2e:watch":"yarn g:vitest watch -c vitest.config.e2e.ts","test:watch":"yarn g:vitest watch"},"main":"./dist-cjs/index.js","types":"./dist-types/index.d.ts","module":"./dist-es/index.js","sideEffects":false,"dependencies":{"@aws-crypto/sha1-browser":"5.2.0","@aws-crypto/sha256-browser":"5.2.0","@aws-crypto/sha256-js":"5.2.0","@aws-sdk/core":"3.750.0","@aws-sdk/credential-provider-node":"3.750.0","@aws-sdk/middleware-bucket-endpoint":"3.734.0","@aws-sdk/middleware-expect-continue":"3.734.0","@aws-sdk/middleware-flexible-checksums":"3.750.0","@aws-sdk/middleware-host-header":"3.734.0","@aws-sdk/middleware-location-constraint":"3.734.0","@aws-sdk/middleware-logger":"3.734.0","@aws-sdk/middleware-recursion-detection":"3.734.0","@aws-sdk/middleware-sdk-s3":"3.750.0","@aws-sdk/middleware-ssec":"3.734.0","@aws-sdk/middleware-user-agent":"3.750.0","@aws-sdk/region-config-resolver":"3.734.0","@aws-sdk/signature-v4-multi-region":"3.750.0","@aws-sdk/types":"3.734.0","@aws-sdk/util-endpoints":"3.743.0","@aws-sdk/util-user-agent-browser":"3.734.0","@aws-sdk/util-user-agent-node":"3.750.0","@aws-sdk/xml-builder":"3.734.0","@smithy/config-resolver":"^4.0.1","@smithy/core":"^3.1.4","@smithy/eventstream-serde-browser":"^4.0.1","@smithy/eventstream-serde-config-resolver":"^4.0.1","@smithy/eventstream-serde-node":"^4.0.1","@smithy/fetch-http-handler":"^5.0.1","@smithy/hash-blob-browser":"^4.0.1","@smithy/hash-node":"^4.0.1","@smithy/hash-stream-node":"^4.0.1","@smithy/invalid-dependency":"^4.0.1","@smithy/md5-js":"^4.0.1","@smithy/middleware-content-length":"^4.0.1","@smithy/middleware-endpoint":"^4.0.5","@smithy/middleware-retry":"^4.0.6","@smithy/middleware-serde":"^4.0.2","@smithy/middleware-stack":"^4.0.1","@smithy/node-config-provider":"^4.0.1","@smithy/node-http-handler":"^4.0.2","@smithy/protocol-http":"^5.0.1","@smithy/smithy-client":"^4.1.5","@smithy/types":"^4.1.0","@smithy/url-parser":"^4.0.1","@smithy/util-base64":"^4.0.0","@smithy/util-body-length-browser":"^4.0.0","@smithy/util-body-length-node":"^4.0.0","@smithy/util-defaults-mode-browser":"^4.0.6","@smithy/util-defaults-mode-node":"^4.0.6","@smithy/util-endpoints":"^3.0.1","@smithy/util-middleware":"^4.0.1","@smithy/util-retry":"^4.0.1","@smithy/util-stream":"^4.1.1","@smithy/util-utf8":"^4.0.0","@smithy/util-waiter":"^4.0.2","tslib":"^2.6.2"},"devDependencies":{"@aws-sdk/signature-v4-crt":"3.750.0","@tsconfig/node18":"18.2.4","@types/node":"^18.19.69","concurrently":"7.0.0","downlevel-dts":"0.10.1","rimraf":"3.0.2","typescript":"~5.2.2"},"engines":{"node":">=18.0.0"},"typesVersions":{"<4.0":{"dist-types/*":["dist-types/ts3.4/*"]}},"files":["dist-*/**"],"author":{"name":"AWS SDK for JavaScript Team","url":"https://aws.amazon.com/javascript/"},"license":"Apache-2.0","browser":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.browser"},"react-native":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.native"},"homepage":"https://github.com/aws/aws-sdk-js-v3/tree/main/clients/client-s3","repository":{"type":"git","url":"https://github.com/aws/aws-sdk-js-v3.git","directory":"clients/client-s3"},"_lastModified":"2026-06-10T17:40:44.066Z"}

package/dist/node_modules/@aws-sdk/lib-storage/package.json

@@ -1 +1 @@
-{"name":"@aws-sdk/lib-storage","version":"3.750.0","description":"Storage higher order operation","main":"./dist-cjs/index.js","module":"./dist-es/index.js","types":"./dist-types/index.d.ts","scripts":{"build":"concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'","build:cjs":"node ../../scripts/compilation/inline lib-storage","build:es":"tsc -p tsconfig.es.json","build:include:deps":"lerna run --scope $npm_package_name --include-dependencies build","build:types":"tsc -p tsconfig.types.json","build:types:downlevel":"downlevel-dts dist-types dist-types/ts3.4","clean":"rimraf ./dist-* && rimraf *.tsbuildinfo","extract:docs":"api-extractor run --local","test":"yarn g:vitest run","test:e2e":"yarn g:vitest run -c vitest.config.e2e.ts --mode development","test:watch":"yarn g:vitest watch","test:e2e:watch":"yarn g:vitest watch -c vitest.config.e2e.ts"},"engines":{"node":">=18.0.0"},"author":{"name":"AWS SDK for JavaScript Team","url":"https://aws.amazon.com/javascript/"},"license":"Apache-2.0","dependencies":{"@smithy/abort-controller":"^4.0.1","@smithy/middleware-endpoint":"^4.0.5","@smithy/smithy-client":"^4.1.5","buffer":"5.6.0","events":"3.3.0","stream-browserify":"3.0.0","tslib":"^2.6.2"},"peerDependencies":{"@aws-sdk/client-s3":"^3.750.0"},"devDependencies":{"@aws-sdk/client-s3":"3.750.0","@smithy/types":"^4.1.0","@tsconfig/recommended":"1.0.1","@types/node":"^18.19.69","concurrently":"7.0.0","downlevel-dts":"0.10.1","rimraf":"3.0.2","typescript":"~5.2.2","web-streams-polyfill":"3.2.1"},"typesVersions":{"<4.0":{"dist-types/*":["dist-types/ts3.4/*"]}},"browser":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.browser","fs":false,"stream":"stream-browserify"},"react-native":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.native"},"files":["dist-*/**"],"homepage":"https://github.com/aws/aws-sdk-js-v3/tree/main/lib/lib-storage","repository":{"type":"git","url":"https://github.com/aws/aws-sdk-js-v3.git","directory":"lib/lib-storage"},"_lastModified":"2026-05-29T10:14:35.407Z"}
+{"name":"@aws-sdk/lib-storage","version":"3.750.0","description":"Storage higher order operation","main":"./dist-cjs/index.js","module":"./dist-es/index.js","types":"./dist-types/index.d.ts","scripts":{"build":"concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'","build:cjs":"node ../../scripts/compilation/inline lib-storage","build:es":"tsc -p tsconfig.es.json","build:include:deps":"lerna run --scope $npm_package_name --include-dependencies build","build:types":"tsc -p tsconfig.types.json","build:types:downlevel":"downlevel-dts dist-types dist-types/ts3.4","clean":"rimraf ./dist-* && rimraf *.tsbuildinfo","extract:docs":"api-extractor run --local","test":"yarn g:vitest run","test:e2e":"yarn g:vitest run -c vitest.config.e2e.ts --mode development","test:watch":"yarn g:vitest watch","test:e2e:watch":"yarn g:vitest watch -c vitest.config.e2e.ts"},"engines":{"node":">=18.0.0"},"author":{"name":"AWS SDK for JavaScript Team","url":"https://aws.amazon.com/javascript/"},"license":"Apache-2.0","dependencies":{"@smithy/abort-controller":"^4.0.1","@smithy/middleware-endpoint":"^4.0.5","@smithy/smithy-client":"^4.1.5","buffer":"5.6.0","events":"3.3.0","stream-browserify":"3.0.0","tslib":"^2.6.2"},"peerDependencies":{"@aws-sdk/client-s3":"^3.750.0"},"devDependencies":{"@aws-sdk/client-s3":"3.750.0","@smithy/types":"^4.1.0","@tsconfig/recommended":"1.0.1","@types/node":"^18.19.69","concurrently":"7.0.0","downlevel-dts":"0.10.1","rimraf":"3.0.2","typescript":"~5.2.2","web-streams-polyfill":"3.2.1"},"typesVersions":{"<4.0":{"dist-types/*":["dist-types/ts3.4/*"]}},"browser":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.browser","fs":false,"stream":"stream-browserify"},"react-native":{"./dist-es/runtimeConfig":"./dist-es/runtimeConfig.native"},"files":["dist-*/**"],"homepage":"https://github.com/aws/aws-sdk-js-v3/tree/main/lib/lib-storage","repository":{"type":"git","url":"https://github.com/aws/aws-sdk-js-v3.git","directory":"lib/lib-storage"},"_lastModified":"2026-06-10T17:40:45.169Z"}

package/dist/node_modules/ali-oss/package.json

@@ -1 +1 @@
-{"name":"ali-oss","version":"6.20.0","description":"aliyun oss(object storage service) node client","main":"./lib/client.js","files":["lib","shims","dist"],"browser":{"./lib/client.js":"./dist/aliyun-oss-sdk.js","mime":"mime/lite","urllib":"./shims/xhr.js","utility":"./shims/utility.js","crypto":"./shims/crypto/crypto.js","debug":"./shims/debug","fs":false,"child_process":false,"is-type-of":"./shims/is-type-of.js"},"scripts":{"build-change-log":"standard-version","test":"npm run tsc && mocha -t 120000 -r should -r dotenv/config test/node/*.test.js test/node/**/*.test.js","test-cov":"npm run tsc && nyc --reporter=lcov node_modules/.bin/_mocha -t 120000 -r should test/node/*.test.js test/node/**/*.test.js","jshint":"jshint .","build-test":"MINIFY=1 node browser-build.js > test/browser/build/aliyun-oss-sdk.min.js && node -r dotenv/config task/browser-test-build.js > test/browser/build/tests.js","browser-test":"npm run build-test && karma start","build-dist":"npm run tsc && node browser-build.js > dist/aliyun-oss-sdk.js && MINIFY=1 node browser-build.js > dist/aliyun-oss-sdk.min.js","publish-to-npm":"node publish-npm-check.js && npm publish","publish-to-cdn":"node publish.js","snyk-protect":"snyk-protect","lint-staged":"lint-staged","detect-secrets":"node task/detect-secrets","tsc":"npm run tsc:clean && npm run tsc:build","tsc:build":"tsc -b tsconfig.json tsconfig-cjs.json","tsc:watch":"tsc -b tsconfig.json tsconfig-cjs.json --watch","tsc:clean":"tsc -b tsconfig.json tsconfig-cjs.json --clean ","prepare":"husky install"},"git-pre-hooks":{"pre-release":"npm run build-dist","post-release":["npm run publish-to-npm","npm run publish-to-cdn"]},"homepage":"https://github.com/ali-sdk/ali-oss","bugs":{"url":"https://github.com/ali-sdk/ali-oss/issues"},"publishConfig":{"registry":"https://registry.npmjs.org/","access":"public"},"repository":{"type":"git","url":"https://github.com/ali-sdk/ali-oss.git"},"keywords":["oss","client","file","aliyun"],"author":"dead_horse","license":"MIT","engines":{"node":">=8"},"devDependencies":{"@babel/core":"^7.11.6","@babel/plugin-transform-regenerator":"^7.10.4","@babel/plugin-transform-runtime":"^7.11.5","@babel/preset-env":"^7.11.5","@babel/runtime":"^7.11.2","@commitlint/cli":"^17.6.7","@commitlint/config-conventional":"^16.2.4","@octokit/core":"^5.0.0","@semantic-release/exec":"^6.0.3","@semantic-release/git":"^10.0.1","@semantic-release/npm":"^10.0.5","@snyk/protect":"^1.1196.0","@types/node":"^14.0.12","@typescript-eslint/eslint-plugin":"^5.0.0","@typescript-eslint/parser":"^5.0.0","aliasify":"^2.0.0","axios":"0.27.2","babelify":"^10.0.0","beautify-benchmark":"^0.2.4","benchmark":"^2.1.1","bluebird":"^3.1.5","browserify":"^17.0.0","core-js":"^3.6.5","crypto-js":"^3.1.9-1","dotenv":"^8.2.0","eslint":"^8.44.0","eslint-config-airbnb":"^19.0.4","eslint-config-ali":"^13.0.0","eslint-config-prettier":"^8.8.0","eslint-plugin-import":"^2.21.1","eslint-plugin-jsx-a11y":"^6.0.3","eslint-plugin-prettier":"^4.2.1","filereader":"^0.10.3","form-data":"^4.0.0","git-pre-hooks":"^1.2.0","husky":"^7.0.4","immediate":"^3.3.0","karma":"^6.3.4","karma-browserify":"^8.1.0","karma-chrome-launcher":"^2.2.0","karma-firefox-launcher":"^1.0.1","karma-ie-launcher":"^1.0.0","karma-mocha":"^2.0.1","karma-safari-launcher":"^1.0.0","lint-staged":"^12.4.1","mm":"^2.0.0","mocha":"^9.1.2","nyc":"^15.1.0","prettier":"^3.0.0","promise-polyfill":"^6.0.2","puppeteer":"19.0.0","semantic-release":"^21.1.1","should":"^11.0.0","sinon":"^15.2.0","standard-version":"^9.3.1","stream-equal":"^1.1.0","timemachine":"^0.3.0","typescript":"^3.9.5","uglify-js":"^3.14.2","watchify":"^4.0.0"},"dependencies":{"address":"^1.2.2","agentkeepalive":"^3.4.1","bowser":"^1.6.0","copy-to":"^2.0.1","dateformat":"^2.0.0","debug":"^4.3.4","destroy":"^1.0.4","end-or-error":"^1.0.1","get-ready":"^1.0.0","humanize-ms":"^1.2.0","is-type-of":"^1.4.0","js-base64":"^2.5.2","jstoxml":"^2.0.0","lodash":"^4.17.21","merge-descriptors":"^1.0.1","mime":"^2.4.5","platform":"^1.3.1","pump":"^3.0.0","qs":"^6.4.0","sdk-base":"^2.0.1","stream-http":"2.8.2","stream-wormhole":"^1.0.4","urllib":"2.41.0","utility":"^1.18.0","xml2js":"^0.6.2"},"snyk":true,"lint-staged":{"**/!(dist)/*":["npm run detect-secrets --"],"**/*.{js,ts}":["eslint --cache --fix --ext .js,.ts","prettier --write","git add"]},"_lastModified":"2026-05-29T10:14:32.593Z"}
+{"name":"ali-oss","version":"6.20.0","description":"aliyun oss(object storage service) node client","main":"./lib/client.js","files":["lib","shims","dist"],"browser":{"./lib/client.js":"./dist/aliyun-oss-sdk.js","mime":"mime/lite","urllib":"./shims/xhr.js","utility":"./shims/utility.js","crypto":"./shims/crypto/crypto.js","debug":"./shims/debug","fs":false,"child_process":false,"is-type-of":"./shims/is-type-of.js"},"scripts":{"build-change-log":"standard-version","test":"npm run tsc && mocha -t 120000 -r should -r dotenv/config test/node/*.test.js test/node/**/*.test.js","test-cov":"npm run tsc && nyc --reporter=lcov node_modules/.bin/_mocha -t 120000 -r should test/node/*.test.js test/node/**/*.test.js","jshint":"jshint .","build-test":"MINIFY=1 node browser-build.js > test/browser/build/aliyun-oss-sdk.min.js && node -r dotenv/config task/browser-test-build.js > test/browser/build/tests.js","browser-test":"npm run build-test && karma start","build-dist":"npm run tsc && node browser-build.js > dist/aliyun-oss-sdk.js && MINIFY=1 node browser-build.js > dist/aliyun-oss-sdk.min.js","publish-to-npm":"node publish-npm-check.js && npm publish","publish-to-cdn":"node publish.js","snyk-protect":"snyk-protect","lint-staged":"lint-staged","detect-secrets":"node task/detect-secrets","tsc":"npm run tsc:clean && npm run tsc:build","tsc:build":"tsc -b tsconfig.json tsconfig-cjs.json","tsc:watch":"tsc -b tsconfig.json tsconfig-cjs.json --watch","tsc:clean":"tsc -b tsconfig.json tsconfig-cjs.json --clean ","prepare":"husky install"},"git-pre-hooks":{"pre-release":"npm run build-dist","post-release":["npm run publish-to-npm","npm run publish-to-cdn"]},"homepage":"https://github.com/ali-sdk/ali-oss","bugs":{"url":"https://github.com/ali-sdk/ali-oss/issues"},"publishConfig":{"registry":"https://registry.npmjs.org/","access":"public"},"repository":{"type":"git","url":"https://github.com/ali-sdk/ali-oss.git"},"keywords":["oss","client","file","aliyun"],"author":"dead_horse","license":"MIT","engines":{"node":">=8"},"devDependencies":{"@babel/core":"^7.11.6","@babel/plugin-transform-regenerator":"^7.10.4","@babel/plugin-transform-runtime":"^7.11.5","@babel/preset-env":"^7.11.5","@babel/runtime":"^7.11.2","@commitlint/cli":"^17.6.7","@commitlint/config-conventional":"^16.2.4","@octokit/core":"^5.0.0","@semantic-release/exec":"^6.0.3","@semantic-release/git":"^10.0.1","@semantic-release/npm":"^10.0.5","@snyk/protect":"^1.1196.0","@types/node":"^14.0.12","@typescript-eslint/eslint-plugin":"^5.0.0","@typescript-eslint/parser":"^5.0.0","aliasify":"^2.0.0","axios":"0.27.2","babelify":"^10.0.0","beautify-benchmark":"^0.2.4","benchmark":"^2.1.1","bluebird":"^3.1.5","browserify":"^17.0.0","core-js":"^3.6.5","crypto-js":"^3.1.9-1","dotenv":"^8.2.0","eslint":"^8.44.0","eslint-config-airbnb":"^19.0.4","eslint-config-ali":"^13.0.0","eslint-config-prettier":"^8.8.0","eslint-plugin-import":"^2.21.1","eslint-plugin-jsx-a11y":"^6.0.3","eslint-plugin-prettier":"^4.2.1","filereader":"^0.10.3","form-data":"^4.0.0","git-pre-hooks":"^1.2.0","husky":"^7.0.4","immediate":"^3.3.0","karma":"^6.3.4","karma-browserify":"^8.1.0","karma-chrome-launcher":"^2.2.0","karma-firefox-launcher":"^1.0.1","karma-ie-launcher":"^1.0.0","karma-mocha":"^2.0.1","karma-safari-launcher":"^1.0.0","lint-staged":"^12.4.1","mm":"^2.0.0","mocha":"^9.1.2","nyc":"^15.1.0","prettier":"^3.0.0","promise-polyfill":"^6.0.2","puppeteer":"19.0.0","semantic-release":"^21.1.1","should":"^11.0.0","sinon":"^15.2.0","standard-version":"^9.3.1","stream-equal":"^1.1.0","timemachine":"^0.3.0","typescript":"^3.9.5","uglify-js":"^3.14.2","watchify":"^4.0.0"},"dependencies":{"address":"^1.2.2","agentkeepalive":"^3.4.1","bowser":"^1.6.0","copy-to":"^2.0.1","dateformat":"^2.0.0","debug":"^4.3.4","destroy":"^1.0.4","end-or-error":"^1.0.1","get-ready":"^1.0.0","humanize-ms":"^1.2.0","is-type-of":"^1.4.0","js-base64":"^2.5.2","jstoxml":"^2.0.0","lodash":"^4.17.21","merge-descriptors":"^1.0.1","mime":"^2.4.5","platform":"^1.3.1","pump":"^3.0.0","qs":"^6.4.0","sdk-base":"^2.0.1","stream-http":"2.8.2","stream-wormhole":"^1.0.4","urllib":"2.41.0","utility":"^1.18.0","xml2js":"^0.6.2"},"snyk":true,"lint-staged":{"**/!(dist)/*":["npm run detect-secrets --"],"**/*.{js,ts}":["eslint --cache --fix --ext .js,.ts","prettier --write","git add"]},"_lastModified":"2026-06-10T17:40:42.586Z"}

package/dist/node_modules/cos-nodejs-sdk-v5/package.json

@@ -1 +1 @@
-{"name":"cos-nodejs-sdk-v5","version":"2.12.6","description":"cos nodejs sdk v5","main":"index.js","types":"index.d.ts","scripts":{"prettier":"prettier --write sdk demo/demo.js test/test.js index.d.ts","demo":"node demo/demo.js","demo-sts":"node demo/demo-sts.js","demo-sts-scope":"node demo/demo-sts-scope.js","test":"mocha test/test.js","cov":"istanbul cover _mocha -- -u exports 'test/test.js'","nyc":"nyc --reporter=clover --reporter=cobertura mocha --reporter xunit --reporter-options output=mocha.xml test/test.js","csp":"mocha test/csp.js"},"repository":{"type":"git","url":"git+https://github.com/tencentyun/cos-nodejs-sdk-v5.git"},"keywords":["tencent","tencent cloud","qcloud","cos","cos-sdk"],"author":"carsonxu","license":"ISC","bugs":{"url":"https://github.com/tencentyun/cos-nodejs-sdk-v5/issues"},"homepage":"https://github.com/tencentyun/cos-nodejs-sdk-v5#readme","dependencies":{"conf":"^9.0.0","fast-xml-parser":"4.2.5","mime-types":"^2.1.24","request":"^2.88.2"},"devDependencies":{"@types/node":"^14.14.20","batch":"^0.6.1","crc64-ecma182.js":"^1.0.0","mocha":"^4.0.1","nyc":"^15.1.0","prettier":"^3.0.1","qcloud-cos-sts":"^3.0.0"},"engines":{"node":">= 6"},"_lastModified":"2026-05-29T10:14:39.199Z"}
+{"name":"cos-nodejs-sdk-v5","version":"2.12.6","description":"cos nodejs sdk v5","main":"index.js","types":"index.d.ts","scripts":{"prettier":"prettier --write sdk demo/demo.js test/test.js index.d.ts","demo":"node demo/demo.js","demo-sts":"node demo/demo-sts.js","demo-sts-scope":"node demo/demo-sts-scope.js","test":"mocha test/test.js","cov":"istanbul cover _mocha -- -u exports 'test/test.js'","nyc":"nyc --reporter=clover --reporter=cobertura mocha --reporter xunit --reporter-options output=mocha.xml test/test.js","csp":"mocha test/csp.js"},"repository":{"type":"git","url":"git+https://github.com/tencentyun/cos-nodejs-sdk-v5.git"},"keywords":["tencent","tencent cloud","qcloud","cos","cos-sdk"],"author":"carsonxu","license":"ISC","bugs":{"url":"https://github.com/tencentyun/cos-nodejs-sdk-v5/issues"},"homepage":"https://github.com/tencentyun/cos-nodejs-sdk-v5#readme","dependencies":{"conf":"^9.0.0","fast-xml-parser":"4.2.5","mime-types":"^2.1.24","request":"^2.88.2"},"devDependencies":{"@types/node":"^14.14.20","batch":"^0.6.1","crc64-ecma182.js":"^1.0.0","mocha":"^4.0.1","nyc":"^15.1.0","prettier":"^3.0.1","qcloud-cos-sts":"^3.0.0"},"engines":{"node":">= 6"},"_lastModified":"2026-06-10T17:40:48.698Z"}

package/dist/node_modules/mime-match/package.json

@@ -1 +1 @@
-{"name":"mime-match","version":"1.0.2","description":"A simple function to check whether a mimetype matches the specified mimetype (with wildcard support)","main":"index.js","scripts":{"test":"node test.js","gendocs":"gendocs > README.md"},"repository":{"type":"git","url":"https://github.com/DamonOehlman/mime-match.git"},"keywords":["mime","wildcard"],"author":"Damon Oehlman <damon.oehlman@gmail.com>","license":"ISC","bugs":{"url":"https://github.com/DamonOehlman/mime-match/issues"},"homepage":"https://github.com/DamonOehlman/mime-match","dependencies":{"wildcard":"^1.1.0"},"devDependencies":{"tape":"^4.5.1"},"_lastModified":"2026-05-29T10:14:27.082Z"}
+{"name":"mime-match","version":"1.0.2","description":"A simple function to check whether a mimetype matches the specified mimetype (with wildcard support)","main":"index.js","scripts":{"test":"node test.js","gendocs":"gendocs > README.md"},"repository":{"type":"git","url":"https://github.com/DamonOehlman/mime-match.git"},"keywords":["mime","wildcard"],"author":"Damon Oehlman <damon.oehlman@gmail.com>","license":"ISC","bugs":{"url":"https://github.com/DamonOehlman/mime-match/issues"},"homepage":"https://github.com/DamonOehlman/mime-match","dependencies":{"wildcard":"^1.1.0"},"devDependencies":{"tape":"^4.5.1"},"_lastModified":"2026-06-10T17:40:37.430Z"}

package/dist/node_modules/mime-types/package.json

@@ -1 +1 @@
-{"name":"mime-types","description":"The ultimate javascript content-type utility.","version":"3.0.1","contributors":["Douglas Christopher Wilson <doug@somethingdoug.com>","Jeremiah Senkpiel <fishrock123@rocketmail.com> (https://searchbeam.jit.su)","Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"],"license":"MIT","keywords":["mime","types"],"repository":"jshttp/mime-types","dependencies":{"mime-db":"^1.54.0"},"devDependencies":{"eslint":"8.33.0","eslint-config-standard":"14.1.1","eslint-plugin-import":"2.27.5","eslint-plugin-markdown":"3.0.0","eslint-plugin-node":"11.1.0","eslint-plugin-promise":"6.1.1","eslint-plugin-standard":"4.1.0","mocha":"10.2.0","nyc":"15.1.0"},"files":["HISTORY.md","LICENSE","index.js","mimeScore.js"],"engines":{"node":">= 0.6"},"scripts":{"lint":"eslint .","test":"mocha --reporter spec test/test.js","test-ci":"nyc --reporter=lcov --reporter=text npm test","test-cov":"nyc --reporter=html --reporter=text npm test"},"_lastModified":"2026-05-29T10:14:27.414Z"}
+{"name":"mime-types","description":"The ultimate javascript content-type utility.","version":"3.0.1","contributors":["Douglas Christopher Wilson <doug@somethingdoug.com>","Jeremiah Senkpiel <fishrock123@rocketmail.com> (https://searchbeam.jit.su)","Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"],"license":"MIT","keywords":["mime","types"],"repository":"jshttp/mime-types","dependencies":{"mime-db":"^1.54.0"},"devDependencies":{"eslint":"8.33.0","eslint-config-standard":"14.1.1","eslint-plugin-import":"2.27.5","eslint-plugin-markdown":"3.0.0","eslint-plugin-node":"11.1.0","eslint-plugin-promise":"6.1.1","eslint-plugin-standard":"4.1.0","mocha":"10.2.0","nyc":"15.1.0"},"files":["HISTORY.md","LICENSE","index.js","mimeScore.js"],"engines":{"node":">= 0.6"},"scripts":{"lint":"eslint .","test":"mocha --reporter spec test/test.js","test-ci":"nyc --reporter=lcov --reporter=text npm test","test-cov":"nyc --reporter=html --reporter=text npm test"},"_lastModified":"2026-06-10T17:40:37.748Z"}

package/dist/node_modules/mkdirp/package.json

@@ -1 +1 @@
-{"name":"mkdirp","description":"Recursively mkdir, like `mkdir -p`","version":"0.5.6","publishConfig":{"tag":"legacy"},"author":"James Halliday <mail@substack.net> (http://substack.net)","main":"index.js","keywords":["mkdir","directory"],"repository":{"type":"git","url":"https://github.com/substack/node-mkdirp.git"},"scripts":{"test":"tap test/*.js"},"dependencies":{"minimist":"^1.2.6"},"devDependencies":{"tap":"^16.0.1"},"bin":"bin/cmd.js","license":"MIT","files":["bin","index.js"],"_lastModified":"2026-05-29T10:14:32.692Z"}
+{"name":"mkdirp","description":"Recursively mkdir, like `mkdir -p`","version":"0.5.6","publishConfig":{"tag":"legacy"},"author":"James Halliday <mail@substack.net> (http://substack.net)","main":"index.js","keywords":["mkdir","directory"],"repository":{"type":"git","url":"https://github.com/substack/node-mkdirp.git"},"scripts":{"test":"tap test/*.js"},"dependencies":{"minimist":"^1.2.6"},"devDependencies":{"tap":"^16.0.1"},"bin":"bin/cmd.js","license":"MIT","files":["bin","index.js"],"_lastModified":"2026-06-10T17:40:42.687Z"}

package/dist/node_modules/url-join/package.json

@@ -1 +1 @@
-{"name":"url-join","version":"4.0.1","description":"Join urls and normalize as in path.join.","main":"lib/url-join.js","scripts":{"test":"mocha --require should"},"repository":{"type":"git","url":"git://github.com/jfromaniello/url-join.git"},"keywords":["url","join"],"author":"José F. Romaniello <jfromaniello@gmail.com> (http://joseoncode.com)","license":"MIT","devDependencies":{"conventional-changelog":"^1.1.10","mocha":"^3.2.0","should":"~1.2.1"},"_lastModified":"2026-05-29T10:14:27.177Z"}
+{"name":"url-join","version":"4.0.1","description":"Join urls and normalize as in path.join.","main":"lib/url-join.js","scripts":{"test":"mocha --require should"},"repository":{"type":"git","url":"git://github.com/jfromaniello/url-join.git"},"keywords":["url","join"],"author":"José F. Romaniello <jfromaniello@gmail.com> (http://joseoncode.com)","license":"MIT","devDependencies":{"conventional-changelog":"^1.1.10","mocha":"^3.2.0","should":"~1.2.1"},"_lastModified":"2026-06-10T17:40:37.526Z"}

package/dist/server/actions/attachments.js

@@ -221,10 +221,10 @@ async function createMiddleware(ctx, next) {
       const filePath = (values == null ? void 0 : values.path) ?? "";
       const filename = (values == null ? void 0 : values.filename) ?? "";
       try {
-        (0, import_local.resolveSafePath)((0, import_local.getDocumentRoot)(storage), filePath, filename);
+        (0, import_local.resolveSafePath)((0, import_local.getDocumentRoot)(storage), (0, import_local.normalizeLocalStoragePath)(filePath), filename);
       } catch (error) {
         if (error.code === "PATH_TRAVERSAL") {
-          return ctx.throw(400, error);
+          return ctx.throw(400, error.message);
         }
         throw error;
       }

package/dist/server/actions/index.js

@@ -41,11 +41,18 @@ __export(actions_exports, {
 module.exports = __toCommonJS(actions_exports);
 var import_actions = __toESM(require("@nocobase/actions"));
 var import_attachments = require("./attachments");
+var import_storage_validation = require("./storage-validation");
 var storageActions = __toESM(require("./storages"));
 function actions_default({ app }) {
   app.resourcer.define({
     name: "storages",
-    actions: storageActions
+    actions: storageActions,
+    middlewares: [
+      {
+        only: ["create", "update"],
+        handler: import_storage_validation.validateStorageMiddleware
+      }
+    ]
   });
   app.resourcer.use(import_attachments.createMiddleware, { tag: "createMiddleware", after: "auth" });
   app.resourcer.registerActionHandler("upload", import_actions.default.create);

package/dist/server/actions/storage-validation.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Context, Next } from '@nocobase/actions';
+export declare function validateStorageMiddleware(ctx: Context, next: Next): Promise<never>;

package/dist/server/actions/storage-validation.js

@@ -0,0 +1,73 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var storage_validation_exports = {};
+__export(storage_validation_exports, {
+  validateStorageMiddleware: () => validateStorageMiddleware
+});
+module.exports = __toCommonJS(storage_validation_exports);
+var import_local = require("../storages/local");
+async function validateStorageMiddleware(ctx, next) {
+  const { actionName, params } = ctx.action;
+  const values = params.values || {};
+  let storage = values;
+  const hasSubmittedDocumentRoot = Object.prototype.hasOwnProperty.call(values.options || {}, "documentRoot");
+  if (actionName === "update" && params.filterByTk) {
+    const repository = ctx.db.getRepository("storages");
+    let existing = await repository.findById(params.filterByTk);
+    if (!existing) {
+      existing = await repository.findOne({
+        filter: {
+          name: params.filterByTk
+        }
+      });
+    }
+    if (existing) {
+      const existingValues = existing.toJSON();
+      storage = {
+        ...existingValues,
+        ...values,
+        options: {
+          ...existingValues.options || {},
+          ...values.options || {}
+        }
+      };
+    }
+  }
+  try {
+    (0, import_local.validateLocalStorageConfig)(storage, { validateDocumentRoot: hasSubmittedDocumentRoot });
+  } catch (error) {
+    if (error.code === "PATH_TRAVERSAL") {
+      return ctx.throw(400, error.message);
+    }
+    throw error;
+  }
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  validateStorageMiddleware
+});

package/dist/server/server.d.ts

@@ -17,11 +17,13 @@ export type FileRecordOptions = {
     collectionName: string;
     filePath: string;
     storageName?: string;
+    subPath?: string;
     values?: any;
 } & Transactionable;
 export type UploadFileOptions = {
     filePath: string;
     storageName?: string;
+    subPath?: string;
     documentRoot?: string;
 };
 export declare class PluginFileManagerServer extends Plugin {

package/dist/server/server.js

@@ -100,29 +100,34 @@ class PluginFileManagerServer extends import_server.Plugin {
     this.storageTypes.register(type, Type);
   }
   async createFileRecord(options) {
-    const { values, storageName, collectionName, filePath, transaction } = options;
+    const { values, storageName, subPath, collectionName, filePath, transaction } = options;
     const collection = this.db.getCollection(collectionName);
     if (!collection) {
       throw new Error(`collection does not exist`);
     }
     const collectionRepository = this.db.getRepository(collectionName);
     const name = storageName || collection.options.storage;
-    const data = await this.uploadFile({ storageName: name, filePath });
+    const data = await this.uploadFile({ storageName: name, subPath, filePath });
     return await collectionRepository.create({ values: { ...data, ...values }, transaction });
   }
   parseStorage(instance) {
     return this.app.environment.renderJsonTemplate(instance.toJSON());
   }
   async uploadFile(options) {
-    const { storageName, filePath, documentRoot } = options;
+    const { storageName, subPath, filePath, documentRoot } = options;
     if (!this.storagesCache.size) {
       await this.loadStorages();
     }
     const storages = Array.from(this.storagesCache.values());
-    const storage = storages.find((item) => item.name === storageName) || storages.find((item) => item.default);
-    if (!storage) {
+    const cachedStorage = storages.find((item) => item.name === storageName) || storages.find((item) => item.default);
+    if (!cachedStorage) {
       throw new Error("[file-manager] no linked or default storage provided");
     }
+    const storage = {
+      ...cachedStorage,
+      options: { ...cachedStorage.options || {} },
+      path: (0, import_utils2.resolveStoragePath)(cachedStorage.path, subPath)
+    };
     const fileStream = import_fs.default.createReadStream(filePath);
     if (documentRoot) {
       storage.options["documentRoot"] = documentRoot;
@@ -216,6 +221,9 @@ class PluginFileManagerServer extends import_server.Plugin {
     this.storageTypes.register(import_constants.STORAGE_TYPE_S3, import_s3.default);
     this.storageTypes.register(import_constants.STORAGE_TYPE_TX_COS, import_tx_cos.default);
     const Storage = this.db.getModel("storages");
+    Storage.beforeSave((m) => {
+      (0, import_local.validateLocalStorageConfig)(m.toJSON());
+    });
     Storage.afterSave(async (m, { transaction }) => {
       await this.loadStorages({ transaction });
       this.sendSyncMessage({ type: "reloadStorages" }, { transaction });

package/dist/server/storages/local.d.ts

@@ -10,8 +10,12 @@
 import multer from 'multer';
 import type { Readable } from 'stream';
 import { AttachmentModel, StorageType } from '.';
+export declare function normalizeLocalStoragePath(storagePath?: unknown): string;
 export declare function getDocumentRoot(storage: any): string;
 export declare function resolveSafePath(documentRoot: string, filePath?: string, filename?: string): string;
+export declare function validateLocalStorageConfig(storage: Pick<StorageType['storage'], 'type' | 'options' | 'path'>, { validateDocumentRoot }?: {
+    validateDocumentRoot?: boolean;
+}): void;
 export default class extends StorageType {
     static defaults(): {
         title: string;

package/dist/server/storages/local.js

@@ -38,7 +38,9 @@ var local_exports = {};
 __export(local_exports, {
   default: () => local_default,
   getDocumentRoot: () => getDocumentRoot,
-  resolveSafePath: () => resolveSafePath
+  normalizeLocalStoragePath: () => normalizeLocalStoragePath,
+  resolveSafePath: () => resolveSafePath,
+  validateLocalStorageConfig: () => validateLocalStorageConfig
 });
 module.exports = __toCommonJS(local_exports);
 var import_utils = require("@nocobase/utils");
@@ -51,21 +53,64 @@ var import__ = require(".");
 var import_constants = require("../../constants");
 var import_utils2 = require("../utils");
 const DEFAULT_BASE_URL = "/storage/uploads";
-function getDocumentRoot(storage) {
-  const { documentRoot = process.env.LOCAL_STORAGE_DEST || import_path.default.join(process.cwd(), "storage", "uploads") } = storage.options || {};
+const DEFAULT_DOCUMENT_ROOT = process.env.LOCAL_STORAGE_DEST || import_path.default.join(process.cwd(), "storage", "uploads");
+function pathError(message) {
+  const error = new Error(message);
+  error.code = "PATH_TRAVERSAL";
+  return error;
+}
+function isInside(base, target) {
+  const relative = import_path.default.relative(base, target);
+  return !relative.startsWith("..") && !import_path.default.isAbsolute(relative);
+}
+function resolveDocumentRoot(documentRoot) {
+  if (typeof documentRoot !== "string" || !documentRoot || documentRoot.includes("\0")) {
+    throw pathError("Invalid local storage document root");
+  }
   return import_path.default.resolve(import_path.default.isAbsolute(documentRoot) ? documentRoot : import_path.default.join(process.cwd(), documentRoot));
 }
+function allowedRoots() {
+  var _a;
+  const roots = [import_path.default.resolve(process.cwd(), "storage")];
+  const extra = [process.env.LOCAL_STORAGE_DEST, ...((_a = process.env.LOCAL_STORAGE_ALLOWED_ROOTS) == null ? void 0 : _a.split(",")) ?? []];
+  for (const item of extra) {
+    if (item == null ? void 0 : item.trim()) {
+      roots.push(resolveDocumentRoot(item.trim()));
+    }
+  }
+  return roots;
+}
+function normalizeLocalStoragePath(storagePath) {
+  if (storagePath == null || storagePath === "") {
+    return "";
+  }
+  if (typeof storagePath !== "string" || storagePath.includes("\0")) {
+    throw pathError("Invalid local storage path");
+  }
+  return storagePath.replace(/\\/g, "/").replace(/^\/+/, "");
+}
+function getDocumentRoot(storage) {
+  const { documentRoot = DEFAULT_DOCUMENT_ROOT } = storage.options || {};
+  return resolveDocumentRoot(documentRoot);
+}
 function resolveSafePath(documentRoot, filePath, filename) {
   const root = import_path.default.resolve(documentRoot);
   const target = import_path.default.resolve(root, filePath || "", filename || "");
-  const relative = import_path.default.relative(root, target);
-  if (relative.startsWith("..") || import_path.default.isAbsolute(relative)) {
-    const error = new Error("Access denied");
-    error.code = "PATH_TRAVERSAL";
-    throw error;
+  if (!isInside(root, target)) {
+    throw pathError("Access denied");
   }
   return target;
 }
+function validateLocalStorageConfig(storage, { validateDocumentRoot = false } = {}) {
+  if (storage.type !== import_constants.STORAGE_TYPE_LOCAL) {
+    return;
+  }
+  const root = getDocumentRoot(storage);
+  if (validateDocumentRoot && !allowedRoots().some((allowed) => isInside(allowed, root))) {
+    throw pathError("Invalid local storage document root");
+  }
+  resolveSafePath(root, normalizeLocalStoragePath(storage.path));
+}
 class local_default extends import__.StorageType {
   static defaults() {
     return {
@@ -85,7 +130,7 @@ class local_default extends import__.StorageType {
   make() {
     return import_multer.default.diskStorage({
       destination: (req, file, cb) => {
-        const destPath = import_path.default.join(getDocumentRoot(this.storage), this.storage.path || "");
+        const destPath = resolveSafePath(getDocumentRoot(this.storage), normalizeLocalStoragePath(this.storage.path));
         const mkdirp = require("mkdirp");
         mkdirp(destPath, (err) => cb(err, destPath));
       },
@@ -158,5 +203,7 @@ class local_default extends import__.StorageType {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getDocumentRoot,
-  resolveSafePath
+  normalizeLocalStoragePath,
+  resolveSafePath,
+  validateLocalStorageConfig
 });

package/dist/server/utils.d.ts

@@ -10,5 +10,7 @@ export declare function getFilename(req: any, file: any, cb: any): void;
 export declare const cloudFilenameGetter: (storage: any) => (req: any, file: any, cb: any) => void;
 export declare const diskFilenameGetter: (storage: any) => (req: any, file: any, cb: any) => void;
 export declare function getFileKey(record: any): any;
+export declare function normalizeStorageSubPath(subPath?: unknown): string;
+export declare function resolveStoragePath(storagePath?: unknown, subPath?: unknown): string;
 export declare function ensureUrlEncoded(value: any): any;
 export declare function encodeURL(url: any): any;

package/dist/server/utils.js

@@ -41,7 +41,9 @@ __export(utils_exports, {
   encodeURL: () => encodeURL,
   ensureUrlEncoded: () => ensureUrlEncoded,
   getFileKey: () => getFileKey,
-  getFilename: () => getFilename
+  getFilename: () => getFilename,
+  normalizeStorageSubPath: () => normalizeStorageSubPath,
+  resolveStoragePath: () => resolveStoragePath
 });
 module.exports = __toCommonJS(utils_exports);
 var import_utils = require("@nocobase/utils");
@@ -128,6 +130,41 @@ const diskFilenameGetter = (storage) => (req, file, cb) => {
 function getFileKey(record) {
   return (0, import_url_join.default)(record.path || "", record.filename).replace(/^\//, "");
 }
+function pathError(message) {
+  const error = new Error(message);
+  error.code = "PATH_TRAVERSAL";
+  return error;
+}
+function normalizeStoragePathForJoin(value, message, { allowLeadingSlash = false } = {}) {
+  if (value == null || value === "") {
+    return "";
+  }
+  if (typeof value !== "string" || value.includes("\0")) {
+    throw pathError(message);
+  }
+  const normalized = value.replace(/\\/g, "/");
+  if (!allowLeadingSlash && normalized.startsWith("/")) {
+    throw pathError(message);
+  }
+  const segments = normalized.replace(/^\/+|\/+$/g, "").split("/").filter((segment) => segment && segment !== ".");
+  if (segments.some((segment) => segment === "..")) {
+    throw pathError("Access denied");
+  }
+  return segments.join("/");
+}
+function normalizeStorageSubPath(subPath) {
+  return normalizeStoragePathForJoin(subPath, "Invalid storage sub path");
+}
+function resolveStoragePath(storagePath, subPath) {
+  const normalizedSubPath = normalizeStorageSubPath(subPath);
+  if (!normalizedSubPath) {
+    return typeof storagePath === "string" ? storagePath : "";
+  }
+  const normalizedStoragePath = normalizeStoragePathForJoin(storagePath, "Invalid storage path", {
+    allowLeadingSlash: true
+  });
+  return normalizedStoragePath ? `${normalizedStoragePath}/${normalizedSubPath}` : normalizedSubPath;
+}
 function ensureUrlEncoded(value) {
   try {
     if (decodeURIComponent(value) !== value) {
@@ -157,5 +194,7 @@ function encodeURL(url) {
   encodeURL,
   ensureUrlEncoded,
   getFileKey,
-  getFilename
+  getFilename,
+  normalizeStorageSubPath,
+  resolveStoragePath
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-file-manager",
-  "version": "2.0.60",
+  "version": "2.0.62",
   "displayName": "File manager",
   "displayName.ru-RU": "Менеджер файлов",
   "displayName.zh-CN": "文件管理器",
@@ -55,5 +55,5 @@
     "Collections",
     "Collection fields"
   ],
-  "gitHead": "c9bdc985d79d20e88c93cb2eee9bbf24a382ee08"
+  "gitHead": "b21b0a5111d188ba495eb579fdae674c5680fff2"
 }