@runa-ai/runa-cli 0.5.47 → 0.5.49
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -240,7 +240,7 @@ export declare const ciMachine: import("xstate").StateMachine<CiContext, CiEvent
|
|
|
240
240
|
summaryPath?: string | undefined;
|
|
241
241
|
error?: string | undefined;
|
|
242
242
|
}, import("xstate").EventObject, import("xstate").MetaObject, {
|
|
243
|
-
id: "
|
|
243
|
+
id: "ci";
|
|
244
244
|
states: {
|
|
245
245
|
readonly idle: {};
|
|
246
246
|
readonly setup: {
|
package/dist/index.js
CHANGED
|
@@ -929,7 +929,7 @@ var CLI_VERSION, HAS_ADMIN_COMMAND;
|
|
|
929
929
|
var init_version = __esm({
|
|
930
930
|
"src/version.ts"() {
|
|
931
931
|
init_esm_shims();
|
|
932
|
-
CLI_VERSION = "0.5.
|
|
932
|
+
CLI_VERSION = "0.5.49";
|
|
933
933
|
HAS_ADMIN_COMMAND = false;
|
|
934
934
|
}
|
|
935
935
|
});
|
|
@@ -5422,8 +5422,9 @@ var TRUSTED_DIRECTORIES_UNIX = [
|
|
|
5422
5422
|
// Homebrew on macOS
|
|
5423
5423
|
"/opt/homebrew/bin",
|
|
5424
5424
|
"/opt/homebrew/sbin",
|
|
5425
|
-
// Node.js version managers
|
|
5425
|
+
// Node.js version managers and corepack symlink targets
|
|
5426
5426
|
"/usr/local/lib/node_modules/.bin",
|
|
5427
|
+
"/usr/local/lib/node_modules",
|
|
5427
5428
|
// Common package manager locations
|
|
5428
5429
|
"/usr/local/share/npm/bin"
|
|
5429
5430
|
];
|
|
@@ -5471,6 +5472,37 @@ function resolveAndValidateSymlink(filePath) {
|
|
|
5471
5472
|
return null;
|
|
5472
5473
|
}
|
|
5473
5474
|
}
|
|
5475
|
+
var TRUSTED_VERSION_MANAGER_PATTERNS_UNIX = [
|
|
5476
|
+
// Homebrew Cellar (macOS)
|
|
5477
|
+
/^\/opt\/homebrew\/Cellar\/[^/]+\/[^/]+\/bin$/,
|
|
5478
|
+
// nvm
|
|
5479
|
+
/^\/Users\/[^/]+\/\.nvm\/versions\/node\/[^/]+\/bin$/,
|
|
5480
|
+
/^\/home\/[^/]+\/\.nvm\/versions\/node\/[^/]+\/bin$/,
|
|
5481
|
+
// fnm
|
|
5482
|
+
/^\/Users\/[^/]+\/\.fnm\/node-versions\/[^/]+\/installation\/bin$/,
|
|
5483
|
+
/^\/home\/[^/]+\/\.fnm\/node-versions\/[^/]+\/installation\/bin$/,
|
|
5484
|
+
// pnpm global
|
|
5485
|
+
/^\/Users\/[^/]+\/Library\/pnpm$/,
|
|
5486
|
+
/^\/home\/[^/]+\/\.local\/share\/pnpm$/,
|
|
5487
|
+
// mise
|
|
5488
|
+
/^\/Users\/[^/]+\/\.local\/share\/mise\/installs\/[^/]+\/[^/]+\/bin$/,
|
|
5489
|
+
/^\/Users\/[^/]+\/\.local\/share\/mise\/shims$/,
|
|
5490
|
+
/^\/home\/[^/]+\/\.local\/share\/mise\/installs\/[^/]+\/[^/]+\/bin$/,
|
|
5491
|
+
/^\/home\/[^/]+\/\.local\/share\/mise\/shims$/,
|
|
5492
|
+
// volta
|
|
5493
|
+
/^\/Users\/[^/]+\/\.volta\/bin$/,
|
|
5494
|
+
/^\/home\/[^/]+\/\.volta\/bin$/,
|
|
5495
|
+
// asdf
|
|
5496
|
+
/^\/Users\/[^/]+\/\.asdf\/shims$/,
|
|
5497
|
+
/^\/Users\/[^/]+\/\.asdf\/installs\/[^/]+\/[^/]+\/bin$/,
|
|
5498
|
+
/^\/home\/[^/]+\/\.asdf\/shims$/,
|
|
5499
|
+
/^\/home\/[^/]+\/\.asdf\/installs\/[^/]+\/[^/]+\/bin$/,
|
|
5500
|
+
// proto
|
|
5501
|
+
/^\/Users\/[^/]+\/\.proto\/shims$/,
|
|
5502
|
+
/^\/Users\/[^/]+\/\.proto\/tools\/[^/]+\/[^/]+\/bin$/,
|
|
5503
|
+
/^\/home\/[^/]+\/\.proto\/shims$/,
|
|
5504
|
+
/^\/home\/[^/]+\/\.proto\/tools\/[^/]+\/[^/]+\/bin$/
|
|
5505
|
+
];
|
|
5474
5506
|
function isTrustedDirectory(dir) {
|
|
5475
5507
|
const normalizedDir = normalize(dir).replace(/[/\\]$/, "");
|
|
5476
5508
|
if (process.platform === "win32") {
|
|
@@ -5482,16 +5514,7 @@ function isTrustedDirectory(dir) {
|
|
|
5482
5514
|
return true;
|
|
5483
5515
|
}
|
|
5484
5516
|
}
|
|
5485
|
-
|
|
5486
|
-
return true;
|
|
5487
|
-
}
|
|
5488
|
-
if (normalizedDir.match(/^\/Users\/[^/]+\/\.nvm\/versions\/node\/[^/]+\/bin$/) || normalizedDir.match(/^\/Users\/[^/]+\/\.fnm\/node-versions\/[^/]+\/installation\/bin$/) || normalizedDir.match(/^\/home\/[^/]+\/\.nvm\/versions\/node\/[^/]+\/bin$/) || normalizedDir.match(/^\/home\/[^/]+\/\.fnm\/node-versions\/[^/]+\/installation\/bin$/)) {
|
|
5489
|
-
return true;
|
|
5490
|
-
}
|
|
5491
|
-
if (normalizedDir.match(/^\/Users\/[^/]+\/Library\/pnpm$/) || normalizedDir.match(/^\/home\/[^/]+\/\.local\/share\/pnpm$/)) {
|
|
5492
|
-
return true;
|
|
5493
|
-
}
|
|
5494
|
-
return false;
|
|
5517
|
+
return TRUSTED_VERSION_MANAGER_PATTERNS_UNIX.some((pattern) => pattern.test(normalizedDir));
|
|
5495
5518
|
}
|
|
5496
5519
|
function searchPathForBinary(binaryName) {
|
|
5497
5520
|
const pathEnv = process.env.PATH || "";
|
|
@@ -5505,7 +5528,10 @@ function searchPathForBinary(binaryName) {
|
|
|
5505
5528
|
for (const ext of extensions) {
|
|
5506
5529
|
const fullPath = join(dir, binaryName + ext);
|
|
5507
5530
|
if (isExecutable(fullPath)) {
|
|
5508
|
-
|
|
5531
|
+
const validatedPath = resolveAndValidateSymlink(fullPath);
|
|
5532
|
+
if (validatedPath) {
|
|
5533
|
+
return { originalPath: fullPath, validatedPath };
|
|
5534
|
+
}
|
|
5509
5535
|
}
|
|
5510
5536
|
}
|
|
5511
5537
|
}
|
|
@@ -5524,36 +5550,31 @@ function resolveBinaryPath(binaryName) {
|
|
|
5524
5550
|
const isExpired = now - cached.resolvedAt >= CACHE_TTL_MS;
|
|
5525
5551
|
const pathChanged = cached.pathFingerprint !== currentPathFingerprint;
|
|
5526
5552
|
if (!isExpired && !pathChanged) {
|
|
5527
|
-
const
|
|
5528
|
-
if (
|
|
5529
|
-
return
|
|
5553
|
+
const validatedPath2 = resolveAndValidateSymlink(cached.path);
|
|
5554
|
+
if (validatedPath2 && isExecutable(validatedPath2)) {
|
|
5555
|
+
return validatedPath2;
|
|
5530
5556
|
}
|
|
5531
5557
|
binaryPathCache.delete(binaryName);
|
|
5532
5558
|
} else {
|
|
5533
5559
|
binaryPathCache.delete(binaryName);
|
|
5534
5560
|
}
|
|
5535
5561
|
}
|
|
5536
|
-
const
|
|
5537
|
-
if (!
|
|
5562
|
+
const result = searchPathForBinary(binaryName);
|
|
5563
|
+
if (!result) {
|
|
5538
5564
|
throw new Error(
|
|
5539
5565
|
`Binary '${binaryName}' not found in trusted PATH directories. Ensure ${binaryName} is installed in a system directory.`
|
|
5540
5566
|
);
|
|
5541
5567
|
}
|
|
5542
|
-
const
|
|
5543
|
-
if (!
|
|
5544
|
-
throw new Error(
|
|
5545
|
-
`Security: Binary '${binaryName}' at '${resolvedPath}' is a symlink pointing outside trusted directories. This is not allowed for security reasons.`
|
|
5546
|
-
);
|
|
5547
|
-
}
|
|
5548
|
-
if (!isExecutable(realPath)) {
|
|
5549
|
-
throw new Error(`Binary '${binaryName}' at '${realPath}' is not executable.`);
|
|
5568
|
+
const { validatedPath } = result;
|
|
5569
|
+
if (!isExecutable(validatedPath)) {
|
|
5570
|
+
throw new Error(`Binary '${binaryName}' at '${validatedPath}' is not executable.`);
|
|
5550
5571
|
}
|
|
5551
5572
|
binaryPathCache.set(binaryName, {
|
|
5552
|
-
path:
|
|
5573
|
+
path: validatedPath,
|
|
5553
5574
|
resolvedAt: now,
|
|
5554
5575
|
pathFingerprint: currentPathFingerprint
|
|
5555
5576
|
});
|
|
5556
|
-
return
|
|
5577
|
+
return validatedPath;
|
|
5557
5578
|
}
|
|
5558
5579
|
function secureExeca(binaryName, args = [], options) {
|
|
5559
5580
|
const resolvedPath = resolveBinaryPath(binaryName);
|
|
@@ -14936,7 +14957,7 @@ var ciMachine = setup({
|
|
|
14936
14957
|
allTestsPassed: ({ context }) => allTestsPassed(context)
|
|
14937
14958
|
}
|
|
14938
14959
|
}).createMachine({
|
|
14939
|
-
id: "
|
|
14960
|
+
id: "ci",
|
|
14940
14961
|
initial: "idle",
|
|
14941
14962
|
context: ({ input: input3 }) => createInitialContext(input3),
|
|
14942
14963
|
states: {
|
|
@@ -15000,7 +15021,7 @@ var ciMachine = setup({
|
|
|
15000
15021
|
})
|
|
15001
15022
|
},
|
|
15002
15023
|
onError: {
|
|
15003
|
-
target: "#
|
|
15024
|
+
target: "#ci.failed",
|
|
15004
15025
|
actions: assign({
|
|
15005
15026
|
error: ({ event }) => extractErrorMessage2(event, "Local setup failed")
|
|
15006
15027
|
})
|
|
@@ -15044,7 +15065,7 @@ var ciMachine = setup({
|
|
|
15044
15065
|
})
|
|
15045
15066
|
},
|
|
15046
15067
|
onError: {
|
|
15047
|
-
target: "#
|
|
15068
|
+
target: "#ci.failed",
|
|
15048
15069
|
actions: assign({
|
|
15049
15070
|
error: ({ event }) => extractErrorMessage2(event, "PR local setup failed")
|
|
15050
15071
|
})
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,OAAO,EAAE,KAAK,OAAO,IAAI,YAAY,EAAE,KAAK,aAAa,EAAS,MAAM,OAAO,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,gIAenB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,OAAO,EAAE,KAAK,OAAO,IAAI,YAAY,EAAE,KAAK,aAAa,EAAS,MAAM,OAAO,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,gIAenB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AA+D9D;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA2KD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CA6D5D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAO7D;AAMD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAef;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GAAG;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,aAAa,CAwDf;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE7F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE5F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAEf;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F"}
|