@normed/bundle 4.8.2 → 4.8.4

package/bundles/esbuild-plugins/load_pug.d.ts

@@ -1,4 +1,14 @@
 import type * as esbuild from "esbuild";
+export declare function findPackageRoot(filePath: string): string | null;
+/**
+ * Resolve an asset path from a pug file, treating "/" as srcWebRoot (not filesystem root).
+ */
+export declare function resolveAssetPath(assetPath: string, pugDir: string, srcWebRoot: string): string;
+/**
+ * Assert that an absolute path is within one of the allowed source roots.
+ * Throws if the path escapes all allowed roots.
+ */
+export declare function assertWithinAllowedRoots(absolutePath: string, allowedRoots: string[], originalValue: string, pugFilePath: string): void;
 /**
  * Discovered pug file reference from HTML.
  */

package/bundles/index.js

@@ -68367,6 +68367,10 @@ var refinePackageJSON = makePartialRefinement({
 
 // pnp:/builds/normed/bundle/packages/bundle/src/log.ts
 var import_chalk = __toESM(require_source());
+var isAgent = !!process.env["CLAUDECODE"] || !!process.env["CURSOR_AGENT"] || !!process.env["AGENT"];
+if (process.env["NO_COLOR"] !== void 0) {
+  import_chalk.default.level = 0;
+}
 function logStdOut(colour, ...message) {
   console.log(...message.map((m) => typeof m === "string" ? colour(m) : m));
 }
@@ -68629,7 +68633,9 @@ var NoMatchingBuilder = class extends Error {
 
 // pnp:/builds/normed/bundle/packages/bundle/src/builders/copy.ts
 var import_chalk2 = __toESM(require_source());
-import_chalk2.default.level = 3;
+if (process.env["NO_COLOR"] === void 0) {
+  import_chalk2.default.level = 3;
+}
 var copyBuilder = {
   name: "copy",
   color: import_chalk2.default.hex("#CDCDCD"),
@@ -68872,6 +68878,42 @@ function resolvePackagePath(packageSpecifier, fromFile) {
     return null;
   }
 }
+var packageRootCache = /* @__PURE__ */ new Map();
+function findPackageRoot(filePath) {
+  let dir = path5.dirname(path5.resolve(filePath));
+  const cacheKey = dir;
+  if (packageRootCache.has(cacheKey)) return packageRootCache.get(cacheKey);
+  while (true) {
+    if (fs6.existsSync(path5.join(dir, "package.json"))) {
+      packageRootCache.set(cacheKey, dir);
+      return dir;
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) {
+      packageRootCache.set(cacheKey, null);
+      return null;
+    }
+    dir = parent;
+  }
+}
+function resolveAssetPath(assetPath, pugDir, srcWebRoot) {
+  if (assetPath.startsWith("/")) {
+    return path5.resolve(srcWebRoot, assetPath.slice(1));
+  }
+  return path5.resolve(pugDir, assetPath);
+}
+function assertWithinAllowedRoots(absolutePath, allowedRoots, originalValue, pugFilePath) {
+  const normalizedPath = path5.resolve(absolutePath);
+  const withinARoot = allowedRoots.some((root) => {
+    const normalizedRoot = path5.resolve(root);
+    return normalizedPath === normalizedRoot || normalizedPath.startsWith(normalizedRoot + path5.sep);
+  });
+  if (!withinARoot) {
+    throw new Error(
+      `Security: asset path "${originalValue}" resolves to "${normalizedPath}" which is outside the allowed source directories [${allowedRoots.join(", ")}]. Referenced in ${pugFilePath}. Use the copy: or build: prefix to resolve via Node module resolution.`
+    );
+  }
+}
 var discoveredPugReferences = /* @__PURE__ */ new Map();
 var discoveredLessReferences = /* @__PURE__ */ new Map();
 var discoveredScriptReferences = /* @__PURE__ */ new Map();
@@ -68906,7 +68948,7 @@ function computeHtmlAssetPath(opts) {
   }
   return path5.relative(opts.htmlOutputDir, opts.absoluteOutput);
 }
-async function processHtmlAssets(html, pugFilePath, options, webRoot) {
+async function processHtmlAssets(html, pugFilePath, options, webRoot, collectedReferences) {
   const assets = [];
   const pugReferences = [];
   const lessReferences = [];
@@ -68917,30 +68959,43 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
   const outbase = options.outbase || path5.dirname(pugFilePath);
   const pugDir = path5.dirname(pugFilePath);
   const publicPath = options.publicPath || "";
-  const processedAssets = /* @__PURE__ */ new Map();
-  const allAttrs = [...new Set(Object.values(ASSET_ATTRIBUTES).flat())].join(
-    "|"
+  const srcWebRoot = webRoot ? path5.join(outbase, webRoot) : outbase;
+  const normalizedOutbase = path5.resolve(outbase);
+  const normalizedPug = path5.resolve(pugFilePath);
+  const pugWithinOutbase = normalizedPug === normalizedOutbase || normalizedPug.startsWith(normalizedOutbase + path5.sep);
+  const packageRoot = pugWithinOutbase ? null : findPackageRoot(pugFilePath);
+  const allowedRoots = [outbase, packageRoot].filter(
+    (r) => r != null
   );
-  const attrRegex = new RegExp(`(${allAttrs})\\s*=\\s*["']([^"']+)["']`, "gi");
+  const processedAssets = /* @__PURE__ */ new Map();
   let modifiedHtml = html;
   const matches = [];
-  let match;
-  while ((match = attrRegex.exec(html)) !== null) {
-    const attr = match[1];
-    const value = match[2];
-    if (attr && value) {
-      matches.push({
-        fullMatch: match[0],
-        attr: attr.toLowerCase(),
-        value
-      });
+  if (collectedReferences && collectedReferences.length > 0) {
+    for (const ref of collectedReferences) {
+      matches.push({ attr: ref.attr, value: ref.value });
+    }
+  } else {
+    const allAttrs = [...new Set(Object.values(ASSET_ATTRIBUTES).flat())].join(
+      "|"
+    );
+    const attrRegex = new RegExp(
+      `(${allAttrs})\\s*=\\s*["']([^"']+)["']`,
+      "gi"
+    );
+    let match;
+    while ((match = attrRegex.exec(html)) !== null) {
+      const attr = match[1];
+      const value = match[2];
+      if (attr && value) {
+        matches.push({ attr: attr.toLowerCase(), value });
+      }
     }
   }
   const discoveredPugPaths = /* @__PURE__ */ new Set();
   const discoveredLessPaths = /* @__PURE__ */ new Set();
   const discoveredScriptPaths = /* @__PURE__ */ new Set();
   const discoveredPackageCssPaths = /* @__PURE__ */ new Set();
-  for (const { fullMatch, attr, value } of matches) {
+  for (const { attr, value } of matches) {
     let newValue = value;
     if (attr === "srcset") {
       const srcsetParts = value.split(",");
@@ -68953,7 +69008,13 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
             [getVerbatimPath(assetPath), ...descriptors].filter(Boolean).join(" ")
           );
         } else if (assetPath && isPugReference(assetPath)) {
-          const absolutePath = path5.resolve(pugDir, assetPath);
+          const absolutePath = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+          assertWithinAllowedRoots(
+            absolutePath,
+            allowedRoots,
+            assetPath,
+            pugFilePath
+          );
           if (!discoveredPugPaths.has(absolutePath)) {
             discoveredPugPaths.add(absolutePath);
             pugReferences.push({ originalHref: assetPath, absolutePath });
@@ -68970,6 +69031,8 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
             publicPath,
             assets,
             processedAssets,
+            srcWebRoot,
+            allowedRoots,
             webRoot
           );
           if (hashedPath) {
@@ -68987,19 +69050,22 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
     } else if (isVerbatimReference(value)) {
       newValue = getVerbatimPath(value);
     } else if (isPugReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredPugPaths.has(absolutePath)) {
         discoveredPugPaths.add(absolutePath);
         pugReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isLessReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredLessPaths.has(absolutePath)) {
         discoveredLessPaths.add(absolutePath);
         lessReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isScriptReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredScriptPaths.has(absolutePath)) {
         discoveredScriptPaths.add(absolutePath);
         scriptReferences.push({ originalHref: value, absolutePath });
@@ -69008,7 +69074,7 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
       const specifier = getResolvedSpecifier(value);
       const absolutePath = resolvePackagePath(specifier, pugFilePath);
       if (!absolutePath) {
-        console.warn(
+        log_default.warn(
           `Warning: Cannot resolve build reference: "${specifier}" (from ${value})
   Referenced in rendered HTML of ${pugFilePath}`
         );
@@ -69036,7 +69102,7 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
             packageCssReferences.push({ originalHref: value, absolutePath });
           }
         } else {
-          console.warn(
+          log_default.warn(
             `Warning: build: prefix used on non-compilable file "${specifier}" (extension: ${ext}). Did you mean copy:?
   Referenced in rendered HTML of ${pugFilePath}`
           );
@@ -69046,7 +69112,7 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
       const specifier = getResolvedSpecifier(value);
       const absolutePath = resolvePackagePath(specifier, pugFilePath);
       if (!absolutePath) {
-        console.warn(
+        log_default.warn(
           `Warning: Cannot resolve copy reference: "${specifier}" (from ${value})
   Referenced in rendered HTML of ${pugFilePath}`
         );
@@ -69076,14 +69142,14 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
         }
       }
     } else if (isPackageCssReference(value)) {
-      console.warn(
+      log_default.warn(
         `Warning: pkg: prefix is deprecated, use copy: instead: "${value}"
   Referenced in rendered HTML of ${pugFilePath}`
       );
       const packageSpecifier = getPackageSpecifier(value);
       const absolutePath = resolvePackagePath(packageSpecifier, pugFilePath);
       if (!absolutePath) {
-        console.warn(
+        log_default.warn(
           `Warning: Package not found: "${packageSpecifier}" (from ${value})
   Referenced in rendered HTML of ${pugFilePath}`
         );
@@ -69092,14 +69158,14 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
         packageCssReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isPackageReference(value)) {
-      console.warn(
+      log_default.warn(
         `Warning: pkg: prefix is deprecated, use copy: instead: "${value}"
   Referenced in rendered HTML of ${pugFilePath}`
       );
       const packageSpecifier = getPackageSpecifier(value);
       const absolutePath = resolvePackagePath(packageSpecifier, pugFilePath);
       if (!absolutePath) {
-        console.warn(
+        log_default.warn(
           `Warning: Package not found: "${packageSpecifier}" (from ${value})
   Referenced in rendered HTML of ${pugFilePath}`
         );
@@ -69131,6 +69197,8 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
         publicPath,
         assets,
         processedAssets,
+        srcWebRoot,
+        allowedRoots,
         webRoot
       );
       if (hashedPath) {
@@ -69138,8 +69206,9 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
       }
     }
     if (newValue !== value) {
-      const newFullMatch = fullMatch.replace(value, newValue);
-      modifiedHtml = modifiedHtml.replace(fullMatch, newFullMatch);
+      const escapedValue = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const valueRegex = new RegExp(`(["'])${escapedValue}\\1`);
+      modifiedHtml = modifiedHtml.replace(valueRegex, `$1${newValue}$1`);
     }
   }
   return {
@@ -69151,13 +69220,19 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
     packageCssReferences
   };
 }
-async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, webRoot) {
-  const absoluteSource = path5.resolve(pugDir, assetPath);
+async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, srcWebRoot, allowedRoots, webRoot) {
+  const absoluteSource = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+  assertWithinAllowedRoots(
+    absoluteSource,
+    allowedRoots,
+    assetPath,
+    pugFilePath
+  );
   if (processedAssets.has(absoluteSource)) {
     return processedAssets.get(absoluteSource);
   }
   if (!fs6.existsSync(absoluteSource)) {
-    console.warn(
+    log_default.warn(
       `Warning: Asset not found: "${assetPath}" (resolved to ${absoluteSource})
   Referenced in rendered HTML of ${pugFilePath}`
     );
@@ -69347,6 +69422,36 @@ function createRebaseAssetsPlugin(entryFilePath) {
     }
   };
 }
+function createAssetCollectorPlugin(collectedReferences) {
+  return {
+    preCodeGen(ast) {
+      const pending = [...ast?.nodes || []];
+      while (pending.length > 0) {
+        const node = pending.shift();
+        if (!node) continue;
+        if (node.block?.nodes) {
+          pending.push(...node.block.nodes);
+        }
+        if (node.nodes) {
+          pending.push(...node.nodes);
+        }
+        const assetAttrs = ASSET_ATTRIBUTES[node.name];
+        if (!assetAttrs) continue;
+        if (!node.attrs) continue;
+        for (const attr of node.attrs) {
+          if (!assetAttrs.includes(attr.name)) continue;
+          const extracted = extractStaticString(attr.val);
+          if (!extracted) continue;
+          collectedReferences.push({
+            attr: attr.name,
+            value: extracted.value
+          });
+        }
+      }
+      return ast;
+    }
+  };
+}
 async function loadAsText2(_filepath) {
   return {
     loader: "text"
@@ -69388,12 +69493,14 @@ async function loadAsHtml(filepath, options) {
 }
 async function loadAsEntrypoint(filepath, options, webRoot) {
   const fileData = await fs6.promises.readFile(filepath, "utf8");
+  const collectedReferences = [];
   let contents = import_pug.default.render(fileData, {
     filename: filepath,
     basedir: options.outbase,
     name: "render",
     plugins: [
       createRebaseAssetsPlugin(filepath),
+      createAssetCollectorPlugin(collectedReferences),
       pugTransformer(isScriptNodeWithSrcAttr, (nodes) => {
         nodes;
       })
@@ -69407,7 +69514,13 @@ async function loadAsEntrypoint(filepath, options, webRoot) {
     lessReferences,
     scriptReferences,
     packageCssReferences
-  } = await processHtmlAssets(contents, filepath, options, webRoot);
+  } = await processHtmlAssets(
+    contents,
+    filepath,
+    options,
+    webRoot,
+    collectedReferences
+  );
   contents = processedHtml;
   if (pugReferences.length > 0) {
     discoveredPugReferences.set(filepath, pugReferences);
@@ -69660,7 +69773,9 @@ var import_esbuild_plugin_pnp = __toESM(require_lib15());
 import * as ts from "typescript";
 import path8 from "path";
 import fs9 from "fs";
-import_chalk3.default.level = 3;
+if (process.env["NO_COLOR"] === void 0) {
+  import_chalk3.default.level = 3;
+}
 function rewritePugReferencesInHtml(html, pugReferences, pugToOutputPath, htmlOutputDir, outdir) {
   let result = html;
   for (const ref of pugReferences) {
@@ -70329,7 +70444,9 @@ async function compileToTypeDeclarations(fileNames, options) {
 
 // pnp:/builds/normed/bundle/packages/bundle/src/builders/index.ts
 var import_chalk4 = __toESM(require_source());
-import_chalk4.default.level = 3;
+if (process.env["NO_COLOR"] === void 0) {
+  import_chalk4.default.level = 3;
+}
 function verifyBuilder(builder) {
   const tests = [
     (builder2) => {