@pnpm/symlink-dependency 1000.0.17 → 1000.0.18

package/lib/index.js

@@ -6,18 +6,18 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.symlinkDirectRootDependency = void 0;
 exports.symlinkDependency = symlinkDependency;
 exports.symlinkDependencySync = symlinkDependencySync;
-const path_1 = __importDefault(require("path"));
 const core_loggers_1 = require("@pnpm/core-loggers");
 const symlink_dir_1 = __importDefault(require("symlink-dir"));
+const safeJoinModulesDir_js_1 = require("./safeJoinModulesDir.js");
 var symlinkDirectRootDependency_js_1 = require("./symlinkDirectRootDependency.js");
 Object.defineProperty(exports, "symlinkDirectRootDependency", { enumerable: true, get: function () { return symlinkDirectRootDependency_js_1.symlinkDirectRootDependency; } });
 async function symlinkDependency(dependencyRealLocation, destModulesDir, importAs) {
-    const link = path_1.default.join(destModulesDir, importAs);
+    const link = (0, safeJoinModulesDir_js_1.safeJoinModulesDir)(destModulesDir, importAs);
     core_loggers_1.linkLogger.debug({ target: dependencyRealLocation, link });
     return (0, symlink_dir_1.default)(dependencyRealLocation, link);
 }
 function symlinkDependencySync(dependencyRealLocation, destModulesDir, importAs) {
-    const link = path_1.default.join(destModulesDir, importAs);
+    const link = (0, safeJoinModulesDir_js_1.safeJoinModulesDir)(destModulesDir, importAs);
     core_loggers_1.linkLogger.debug({ target: dependencyRealLocation, link });
     return symlink_dir_1.default.sync(dependencyRealLocation, link);
 }

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;AAMA,8CAQC;AAED,sDAQC;AAxBD,gDAAuB;AACvB,qDAA+C;AAC/C,8DAAoC;AAEpC,mFAA8E;AAArE,6IAAA,2BAA2B,OAAA;AAE7B,KAAK,UAAU,iBAAiB,CACrC,sBAA8B,EAC9B,cAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAA;IAChD,yBAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1D,OAAO,IAAA,qBAAU,EAAC,sBAAsB,EAAE,IAAI,CAAC,CAAA;AACjD,CAAC;AAED,SAAgB,qBAAqB,CACnC,sBAA8B,EAC9B,cAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAA;IAChD,yBAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1D,OAAO,qBAAU,CAAC,IAAI,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAA;AACtD,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;AAOA,8CAQC;AAED,sDAQC;AAzBD,qDAA+C;AAC/C,8DAAoC;AAEpC,mEAA4D;AAE5D,mFAA8E;AAArE,6IAAA,2BAA2B,OAAA;AAE7B,KAAK,UAAU,iBAAiB,CACrC,sBAA8B,EAC9B,cAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAG,IAAA,0CAAkB,EAAC,cAAc,EAAE,QAAQ,CAAC,CAAA;IACzD,yBAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1D,OAAO,IAAA,qBAAU,EAAC,sBAAsB,EAAE,IAAI,CAAC,CAAA;AACjD,CAAC;AAED,SAAgB,qBAAqB,CACnC,sBAA8B,EAC9B,cAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAG,IAAA,0CAAkB,EAAC,cAAc,EAAE,QAAQ,CAAC,CAAA;IACzD,yBAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1D,OAAO,qBAAU,CAAC,IAAI,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAA;AACtD,CAAC"}

package/lib/safeJoinModulesDir.d.ts

@@ -0,0 +1 @@
+export declare function safeJoinModulesDir(modulesDir: string, alias: string): string;

package/lib/safeJoinModulesDir.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeJoinModulesDir = safeJoinModulesDir;
+const path_1 = __importDefault(require("path"));
+// `path.join(modulesDir, alias)` paired with a containment check, so a
+// caller can't accidentally use the joined path without verifying that
+// it lives inside `modulesDir`. Earlier passes reject path-traversal
+// aliases at manifest-read time, but this layer also runs for paths
+// reconstructed from lockfiles and snapshots, so the check stays here
+// as a final guarantee.
+function safeJoinModulesDir(modulesDir, alias) {
+    const link = path_1.default.join(modulesDir, alias);
+    const resolvedDir = path_1.default.resolve(modulesDir);
+    const resolvedLink = path_1.default.resolve(link);
+    if (resolvedLink === resolvedDir || !resolvedLink.startsWith(resolvedDir + path_1.default.sep)) {
+        const error = new Error(`Refusing to symlink dependency outside ${modulesDir}: alias ${JSON.stringify(alias)} resolves to ${resolvedLink}`);
+        error.code = 'ERR_PNPM_INVALID_DEPENDENCY_NAME';
+        throw error;
+    }
+    return link;
+}
+//# sourceMappingURL=safeJoinModulesDir.js.map

package/lib/safeJoinModulesDir.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safeJoinModulesDir.js","sourceRoot":"","sources":["../src/safeJoinModulesDir.ts"],"names":[],"mappings":";;;;;AAQA,gDAUC;AAlBD,gDAAuB;AAEvB,uEAAuE;AACvE,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,sEAAsE;AACtE,wBAAwB;AACxB,SAAgB,kBAAkB,CAAE,UAAkB,EAAE,KAAa;IACnE,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;IACzC,MAAM,WAAW,GAAG,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,YAAY,GAAG,cAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IACvC,IAAI,YAAY,KAAK,WAAW,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,WAAW,GAAG,cAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,0CAA0C,UAAU,WAAW,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,gBAAgB,YAAY,EAAE,CAA6B,CAAA;QACvK,KAAK,CAAC,IAAI,GAAG,kCAAkC,CAAA;QAC/C,MAAM,KAAK,CAAA;IACb,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/lib/symlinkDirectRootDependency.js

@@ -5,10 +5,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.symlinkDirectRootDependency = symlinkDirectRootDependency;
 const fs_1 = require("fs");
-const path_1 = __importDefault(require("path"));
 const util_1 = __importDefault(require("util"));
 const core_loggers_1 = require("@pnpm/core-loggers");
 const symlink_dir_1 = __importDefault(require("symlink-dir"));
+const safeJoinModulesDir_js_1 = require("./safeJoinModulesDir.js");
 const DEP_TYPE_BY_DEPS_FIELD_NAME = {
     dependencies: 'prod',
     devDependencies: 'dev',
@@ -33,7 +33,7 @@ async function symlinkDirectRootDependency(dependencyLocation, destModulesDir, i
             throw err;
         }
     }
-    const dest = path_1.default.join(destModulesDirReal, importAs);
+    const dest = (0, safeJoinModulesDir_js_1.safeJoinModulesDir)(destModulesDirReal, importAs);
     const { reused } = await (0, symlink_dir_1.default)(dependencyLocation, dest);
     if (reused)
         return; // if the link was already present, don't log

package/lib/symlinkDirectRootDependency.js.map

@@ -1 +1 @@
-{"version":3,"file":"symlinkDirectRootDependency.js","sourceRoot":"","sources":["../src/symlinkDirectRootDependency.ts"],"names":[],"mappings":";;;;;AAgBA,kEA2CC;AA3DD,2BAAmC;AACnC,gDAAuB;AACvB,gDAAuB;AACvB,qDAG2B;AAE3B,8DAAoC;AAEpC,MAAM,2BAA2B,GAAG;IAClC,YAAY,EAAE,MAAM;IACpB,eAAe,EAAE,KAAK;IACtB,oBAAoB,EAAE,UAAU;CACjC,CAAA;AAEM,KAAK,UAAU,2BAA2B,CAC/C,kBAA0B,EAC1B,cAAsB,EACtB,QAAgB,EAChB,IAOC;IAED,iEAAiE;IACjE,gCAAgC;IAChC,gEAAgE;IAChE,0DAA0D;IAC1D,mEAAmE;IACnE,IAAI,kBAAkB,CAAA;IACtB,IAAI,CAAC;QACH,kBAAkB,GAAG,MAAM,aAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;IACxD,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,cAAI,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5E,MAAM,aAAE,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;YACnD,kBAAkB,GAAG,MAAM,aAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QACxD,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAA;IACpD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAU,EAAC,kBAAkB,EAAE,IAAI,CAAC,CAAA;IAC7D,IAAI,MAAM;QAAE,OAAM,CAAC,6CAA6C;IAChE,yBAAU,CAAC,KAAK,CAAC;QACf,KAAK,EAAE;YACL,cAAc,EAAE,IAAI,CAAC,qBAAqB,IAAI,2BAA2B,CAAC,IAAI,CAAC,qBAAqB,CAAmB;YACvH,UAAU,EAAE,kBAAkB;YAC9B,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;YACjC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO;SACpC;QACD,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC,CAAA;AACJ,CAAC"}
+{"version":3,"file":"symlinkDirectRootDependency.js","sourceRoot":"","sources":["../src/symlinkDirectRootDependency.ts"],"names":[],"mappings":";;;;;AAiBA,kEA2CC;AA5DD,2BAAmC;AACnC,gDAAuB;AACvB,qDAG2B;AAE3B,8DAAoC;AAEpC,mEAA4D;AAE5D,MAAM,2BAA2B,GAAG;IAClC,YAAY,EAAE,MAAM;IACpB,eAAe,EAAE,KAAK;IACtB,oBAAoB,EAAE,UAAU;CACjC,CAAA;AAEM,KAAK,UAAU,2BAA2B,CAC/C,kBAA0B,EAC1B,cAAsB,EACtB,QAAgB,EAChB,IAOC;IAED,iEAAiE;IACjE,gCAAgC;IAChC,gEAAgE;IAChE,0DAA0D;IAC1D,mEAAmE;IACnE,IAAI,kBAAkB,CAAA;IACtB,IAAI,CAAC;QACH,kBAAkB,GAAG,MAAM,aAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;IACxD,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,cAAI,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5E,MAAM,aAAE,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;YACnD,kBAAkB,GAAG,MAAM,aAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QACxD,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,IAAA,0CAAkB,EAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAA;IAC7D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAU,EAAC,kBAAkB,EAAE,IAAI,CAAC,CAAA;IAC7D,IAAI,MAAM;QAAE,OAAM,CAAC,6CAA6C;IAChE,yBAAU,CAAC,KAAK,CAAC;QACf,KAAK,EAAE;YACL,cAAc,EAAE,IAAI,CAAC,qBAAqB,IAAI,2BAA2B,CAAC,IAAI,CAAC,qBAAqB,CAAmB;YACvH,UAAU,EAAE,kBAAkB;YAC9B,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;YACjC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO;SACpC;QACD,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC,CAAA;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/symlink-dependency",
-  "version": "1000.0.17",
+  "version": "1000.0.18",
   "description": "Symlink a dependency to node_modules",
   "keywords": [
     "pnpm",
@@ -28,16 +28,16 @@
   },
   "dependencies": {
     "symlink-dir": "^6.0.5",
-    "@pnpm/core-loggers": "1001.0.9",
-    "@pnpm/types": "1001.3.0"
+    "@pnpm/types": "1001.3.0",
+    "@pnpm/core-loggers": "1001.0.9"
   },
   "peerDependencies": {
-    "@pnpm/logger": ">=1001.0.0 <1002.0.0"
+    "@pnpm/logger": "^1001.0.1"
   },
   "devDependencies": {
-    "@pnpm/prepare": "1000.0.12",
-    "@pnpm/logger": "1001.0.1",
-    "@pnpm/symlink-dependency": "1000.0.17"
+    "@pnpm/symlink-dependency": "1000.0.18",
+    "@pnpm/prepare": "1000.0.17",
+    "@pnpm/logger": "1001.0.1"
   },
   "engines": {
     "node": ">=18.12"