@photostructure/fs-metadata 0.7.1 → 0.8.1

package/CHANGELOG.md

@@ -14,6 +14,45 @@ Fixed for any bug fixes.
 Security in case of vulnerabilities.
 -->
 
+## 0.8.1 - 2025-12-28
+
+### Changed
+
+- Added container runtime paths to the default set of system paths. See SystemPathPatternsDefault
+
+## 0.8.0 - 2025-12-01
+
+### Added
+
+- `FS_METADATA_TIMEOUT_MS` environment variable for configuring operation timeout (see [gotchas.md](./doc/gotchas.md))
+
+### Security
+
+- Fixed TOCTOU race condition in macOS hidden file operations by using `fstat()`/`fchflags()` with file descriptors instead of path-based `stat()`/`chflags()`
+
+### Fixed
+
+- Added `O_CLOEXEC` flag to `open()` calls to prevent fd leaks on fork/exec
+- Fixed logic bug attempting to convert invalid CFStringRef in `ProcessNetworkVolume`
+- Fixed inconsistent `status` field when DiskArbitration returns partial results
+- Added `noexcept` to all RAII destructors to prevent `std::terminate` during stack unwinding
+- Removed `GVolumeMonitor` from Linux GIO metadata enrichment to fix thread safety issues
+- Fixed exception safety in Linux GIO metadata loop using RAII smart pointers
+- Fixed Windows `FindFirstFileEx` handle leak by using `FindClose` instead of `CloseHandle`
+- Fixed Windows promise race condition and resource leak from detached timeout threads
+- Added `CreateEvent` error checking in Windows thread pool
+- Zero-initialized `VolumeInfo` and `DiskSpaceInfo` members to prevent undefined behavior on `ERROR_NOT_READY`
+
+### Changed
+
+- Extracted shared `FdGuard` RAII class to `common/fd_guard.h`
+- Extracted shared `WouldOverflow()` utility to `common/volume_utils.h`
+- Moved `path_security.h` to `common/` (POSIX-portable)
+- Simplified CFString null-terminator handling using `strlen()`
+- Documented intentional static dispatch queue singleton pattern
+- Consolidated Linux GIO RAII helpers (`GFilePtr`, `GVolumePtr`, etc.) in `gio_utils.h`
+- Added move semantics to `BlkidCache` for proper resource transfer
+
 ## 0.7.1 - 2025-10-29
 
 - Audit and address [several resource handling issues](./doc/SECURITY_AUDIT_2025.md)

package/CLAUDE.md

@@ -197,4 +197,4 @@ git push origin main --follow-tags
 
 Never do inline imports like `const { mkdirSync } = await import("node:fs");` -- just use standard imports.
 
-Never include claude code messages in git commits
+**NEVER** add "Generated with Claude Code" or "Co-Authored-By: Claude" lines to git commit messages. Keep commits clean and professional.

package/CONTRIBUTING.md

@@ -6,6 +6,21 @@ For major changes, please open an issue first to discuss what you would like to
 
 Please make sure to update tests and documentation as appropriate.
 
+## Development Setup
+
+This repository uses `ignore-scripts=true` in `.npmrc` as a security measure against [supply chain attacks](https://www.nodejs-security.com/blog/npm-ignore-scripts-best-practices-as-security-mitigation-for-malicious-packages). Since this is a native module, you need to explicitly enable scripts for the initial build:
+
+```bash
+# Clone the repository
+git clone https://github.com/photostructure/fs-metadata.git
+cd fs-metadata
+
+# Install with scripts enabled (required for native module build)
+npm install --ignore-scripts=false
+
+# Subsequent installs of new dependencies will have scripts disabled by default
+```
+
 ## Building from Source
 
 ### On Windows

package/README.md

@@ -1,6 +1,6 @@
 ![PhotoStructure fs-metadata logo](https://raw.githubusercontent.com/photostructure/fs-metadata/main/doc/logo.svg)
 
-Cross-platform native Node.js module for filesystem metadata, mount points, and volume information.
+Cross-platform native Node.js module for filesystem metadata, mount points, and volume information. Built for and supported by [PhotoStructure](https://photostructure.com).
 
 [![npm version](https://img.shields.io/npm/v/@photostructure/fs-metadata.svg)](https://www.npmjs.com/package/@photostructure/fs-metadata)
 [![Build](https://github.com/photostructure/fs-metadata/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/photostructure/fs-metadata/actions/workflows/build.yml)
@@ -48,21 +48,14 @@ console.log(metadata);
 
 ## Documentation
 
-- 📖 [API Reference](https://photostructure.github.io/fs-metadata/modules.html)
-- 💡 [Examples](./doc/examples.md) - Common usage patterns and recipes
-- ⚠️ [Gotchas](./doc/gotchas.md) - Platform quirks, timeouts, and troubleshooting
-- 🔧 [Contributing](./CONTRIBUTING.md) - Build instructions and development guide
+- [API Reference](https://photostructure.github.io/fs-metadata/modules.html)
+- [Examples](./doc/examples.md) - Common usage patterns and recipes
+- [Gotchas](./doc/gotchas.md) - Platform quirks, timeouts, and troubleshooting
+- [Contributing](./CONTRIBUTING.md) - Build instructions and development guide
 
 ### Options
 
 - **Debug**: Set `NODE_DEBUG=fs-meta` for debug output
-- **Timeouts**: Configure [timeout duration](https://photostructure.github.io/fs-metadata/variables/TimeoutMsDefault.html) for slow devices
+- **Timeouts**: Configure [timeout duration](https://photostructure.github.io/fs-metadata/functions/getTimeoutMsDefault.html) for slow devices
+  - Set `FS_METADATA_TIMEOUT_MS` environment variable to override the default (5000ms)
 - **System Volumes**: Control [system volume filtering](https://photostructure.github.io/fs-metadata/interfaces/Options.html)
-
-## Support
-
-Built and supported by [PhotoStructure](https://photostructure.com)
-
-- [GitHub Issues](https://github.com/photostructure/fs-metadata/issues)
-- [Security Policy](./SECURITY.md)
-- [MIT License](./LICENSE.txt)

package/dist/index.cjs

@@ -35,10 +35,10 @@ __export(index_exports, {
   OptionsDefault: () => OptionsDefault,
   SystemFsTypesDefault: () => SystemFsTypesDefault,
   SystemPathPatternsDefault: () => SystemPathPatternsDefault,
-  TimeoutMsDefault: () => TimeoutMsDefault,
   VolumeHealthStatuses: () => VolumeHealthStatuses,
   getAllVolumeMetadata: () => getAllVolumeMetadata,
   getHiddenMetadata: () => getHiddenMetadata,
+  getTimeoutMsDefault: () => getTimeoutMsDefault,
   getVolumeMetadata: () => getVolumeMetadata,
   getVolumeMountPoints: () => getVolumeMountPoints,
   isHidden: () => isHidden,
@@ -612,7 +612,14 @@ async function setHiddenImpl(pathname, hide, method, nativeFn2) {
 
 // src/options.ts
 var import_node_os2 = require("os");
-var TimeoutMsDefault = 5e3;
+var import_node_process3 = require("process");
+var DefaultTimeoutMs = 5e3;
+function getTimeoutMsDefault() {
+  const value = import_node_process3.env["FS_METADATA_TIMEOUT_MS"];
+  if (value == null) return DefaultTimeoutMs;
+  const parsed = parseInt(value, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : DefaultTimeoutMs;
+}
 var SystemPathPatternsDefault = [
   "/boot",
   "/boot/efi",
@@ -632,6 +639,24 @@ var SystemPathPatternsDefault = [
   // we aren't including /tmp/**, as some people temporarily mount volumes there, like /tmp/project.
   "**/#snapshot",
   // Synology and Kubernetes volume snapshots
+  // Container runtime paths - these are internal infrastructure paths that are
+  // inaccessible to non-root processes and should never be scanned.
+  //
+  // Docker: https://docs.docker.com/engine/storage/drivers/overlayfs-driver/
+  // - /var/lib/docker contains overlay2 filesystems, container layers, images
+  // - /run/docker contains runtime data like network namespaces
+  "/run/docker/**",
+  "/var/lib/docker/**",
+  //
+  // containerd: https://github.com/containerd/containerd/blob/main/docs/ops.md
+  // - Used by Kubernetes, Docker (as backend), and standalone
+  "/run/containerd/**",
+  "/var/lib/containerd/**",
+  //
+  // Podman/CRI-O: https://podman.io/docs/installation#storage
+  // - Rootless and rootful container storage
+  "/run/containers/**",
+  "/var/lib/containers/**",
   // windows for linux:
   "/mnt/wslg/distro",
   "/mnt/wslg/doc",
@@ -681,7 +706,7 @@ var LinuxMountTablePathsDefault = [
 var IncludeSystemVolumesDefault = isWindows;
 var SkipNetworkVolumesDefault = false;
 var OptionsDefault = {
-  timeoutMs: TimeoutMsDefault,
+  timeoutMs: getTimeoutMsDefault(),
   maxConcurrency: (0, import_node_os2.availableParallelism)(),
   systemPathPatterns: [...SystemPathPatternsDefault],
   systemFsTypes: [...SystemFsTypesDefault],
@@ -1456,10 +1481,10 @@ function setHidden(pathname, hidden, method = "auto") {
   OptionsDefault,
   SystemFsTypesDefault,
   SystemPathPatternsDefault,
-  TimeoutMsDefault,
   VolumeHealthStatuses,
   getAllVolumeMetadata,
   getHiddenMetadata,
+  getTimeoutMsDefault,
   getVolumeMetadata,
   getVolumeMountPoints,
   isHidden,