@travetto/pack 4.0.0-rc.0 → 4.0.0-rc.2

package/README.md

@@ -244,7 +244,7 @@ echo "FROM node:20-alpine" > $DIST/Dockerfile
 echo "RUN which useradd && (groupadd --gid 2000 app && useradd -u 2000 -g app app) || (addgroup -g 2000 app && adduser -D -G app -u 2000 app)" >> $DIST/Dockerfile
 echo "RUN mkdir /app && chown app:app /app" >> $DIST/Dockerfile
 echo "COPY --chown=\"app:app\" . /app" >> $DIST/Dockerfile
-echo "ENV NODE_OPTIONS=\"--disable-proto=delete\"" >> $DIST/Dockerfile
+echo "ENV NODE_OPTIONS=\"\"" >> $DIST/Dockerfile
 echo "USER app" >> $DIST/Dockerfile
 echo "WORKDIR /app" >> $DIST/Dockerfile
 echo "ENTRYPOINT [\"/app/todo-app.sh\"]" >> $DIST/Dockerfile

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/pack",
-  "version": "4.0.0-rc.0",
+  "version": "4.0.0-rc.2",
   "description": "Code packing utilities",
   "keywords": [
     "travetto",
@@ -25,15 +25,15 @@
   },
   "dependencies": {
     "@rollup/plugin-commonjs": "^25.0.7",
-    "@rollup/plugin-json": "^6.0.1",
+    "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^15.2.3",
     "@rollup/plugin-terser": "^0.4.4",
-    "@travetto/base": "^4.0.0-rc.0",
-    "@travetto/terminal": "^4.0.0-rc.0",
-    "rollup": "^4.6.1"
+    "@travetto/base": "^4.0.0-rc.2",
+    "@travetto/terminal": "^4.0.0-rc.2",
+    "rollup": "^4.9.6"
   },
   "peerDependencies": {
-    "@travetto/cli": "^4.0.0-rc.0"
+    "@travetto/cli": "^4.0.0-rc.2"
   },
   "peerDependenciesMeta": {
     "@travetto/cli": {

package/support/bin/config-util.ts

@@ -39,10 +39,7 @@ export class PackConfigUtil {
    */
   static dockerEnvVars(cfg: DockerPackConfig): string {
     return [
-      `ENV NODE_OPTIONS="${[
-        '--disable-proto=delete',  // Security enforcement
-        ...(cfg.sourcemap ? ['--enable-source-maps'] : []),
-      ].join(' ')}"`,
+      `ENV NODE_OPTIONS="${[...(cfg.sourcemap ? ['--enable-source-maps'] : [])].join(' ')}"`,
     ].join('\n');
   }
 

package/support/bin/config.ts

@@ -7,20 +7,31 @@ import { ManifestModule, ManifestModuleUtil, NodeModuleType, path, RuntimeIndex,
 import { EnvProp } from '@travetto/base';
 
 // eslint-disable-next-line @typescript-eslint/naming-convention
-function __envImport(mod: typeof fs, file: string): void {
-  if (process.env.TRV_MODULE) { return; }
-  try {
-    mod.readFileSync(file, 'utf8')
-      .split('\n')
-      .map(x => x.match(/\s*(?<key>[^ =]+)\s*=\s*(?<value>\S+)/)?.groups)
-      .filter((x): x is Exclude<typeof x, null | undefined> => !!x)
-      .forEach(x => process.env[x.key] = x.value);
-  } catch { }
+function __init(mod: typeof fs, file?: string, freezeProto?: boolean): void {
+  if (freezeProto !== false) {
+    // @ts-expect-error -- Lock to prevent __proto__ pollution in JSON
+    const objectProto = Object.prototype.__proto__;
+    Object.defineProperty(Object.prototype, '__proto__', {
+      get() { return objectProto; },
+      set(val) { Object.setPrototypeOf(this, val); }
+    });
+  }
+
+  if (file) {
+    if (process.env.TRV_MODULE) { return; }
+    try {
+      mod.readFileSync(file, 'utf8')
+        .split('\n')
+        .map(x => x.match(/\s*(?<key>[^ =]+)\s*=\s*(?<value>\S+)/)?.groups)
+        .filter((x): x is Exclude<typeof x, null | undefined> => !!x)
+        .forEach(x => process.env[x.key] = x.value);
+    } catch { }
+  }
 }
 
-const INTRO = (envFile: string | undefined): Record<NodeModuleType, string[]> => ({
-  commonjs: !envFile ? [] : [`(${__envImport.toString()})(require('node:fs'), '${envFile}')`],
-  module: !envFile ? [] : [`(${__envImport.toString()})(await import('node:fs'), '${envFile}')`]
+const INTRO = (envFile: string | undefined, sourceMap?: boolean): Record<NodeModuleType, string> => ({
+  commonjs: `(${__init.toString()})(require('node:fs'), '${envFile}', ${!!sourceMap})`,
+  module: `(${__init.toString()})(await import('node:fs'), '${envFile}', ${!!sourceMap})`
 });
 
 function getFilesFromModule(m: ManifestModule): string[] {
@@ -44,7 +55,7 @@ export function getOutput(): OutputOptions {
   return {
     format,
     interop: format === 'commonjs' ? 'auto' : undefined,
-    intro: INTRO(new EnvProp('BUNDLE_ENV_FILE').val)[format].join(';\n'),
+    intro: INTRO(new EnvProp('BUNDLE_ENV_FILE').val)[format],
     sourcemapPathTransform: (src, map): string =>
       path.resolve(path.dirname(map), src).replace(`${RuntimeContext.workspace.path}/`, ''),
     sourcemap: new EnvProp('BUNDLE_SOURCEMAP').bool ?? false,

package/support/bin/operation.ts

@@ -88,7 +88,7 @@ export class PackOperation {
       yield bundleCommand;
       yield ActiveShellCommand.chdir(path.cwd());
     } else {
-      await PackUtil.runCommand(bundleCommand, { cwd, env });
+      await PackUtil.runCommand(bundleCommand, { cwd, env: { ...process.env, ...env } });
       const stat = await fs.stat(path.resolve(cfg.workspace, cfg.mainFile));
       yield [cliTpl`${{ title: 'Bundled Output ' }} ${{ identifier: 'sizeKb' }}=${{ param: Math.trunc(stat.size / 2 ** 10) }}`];
     }
@@ -214,7 +214,7 @@ export class PackOperation {
     if (cfg.ejectFile) {
       yield [...Object.entries(env).map(([k, v]) => `${k}=${v}`), ...cmd];
     } else {
-      await PackUtil.runCommand(cmd, { env });
+      await PackUtil.runCommand(cmd, { env: { ...process.env, ...env } });
     }
   }
 

package/support/bin/util.ts

@@ -1,7 +1,8 @@
 import fs from 'node:fs/promises';
+import { spawn, SpawnOptions } from 'node:child_process';
 
 import { path, RuntimeIndex } from '@travetto/manifest';
-import { AppError, ExecUtil, ExecutionOptions } from '@travetto/base';
+import { AppError, ExecUtil } from '@travetto/base';
 
 import { ActiveShellCommand } from './shell';
 
@@ -23,7 +24,7 @@ export class PackUtil {
    */
   static async copyRecursive(src: string, dest: string, ignore = false): Promise<void> {
     const [cmd, ...args] = ActiveShellCommand.copyRecursive(src, dest);
-    const res = await ExecUtil.spawn(cmd, args, { catchAsResult: true }).result;
+    const res = await ExecUtil.getResult(spawn(cmd, args, { shell: false }), { catch: true });
     if (res.code && !ignore) {
       throw new Error(`Failed to copy ${src} to ${dest}`);
     }
@@ -65,12 +66,13 @@ export class PackUtil {
   /**
    * Track result response
    */
-  static async runCommand(cmd: string[], opts: ExecutionOptions = {}): Promise<string> {
-    const { valid, code, stderr, message, stdout } = await ExecUtil.spawn(cmd[0], cmd.slice(1), {
-      stdio: [0, 'pipe', 'pipe', 'ipc'],
+  static async runCommand(cmd: string[], opts: SpawnOptions = {}): Promise<string> {
+    const { valid, code, stderr, message, stdout } = await ExecUtil.getResult(spawn(cmd[0], cmd.slice(1), {
+      stdio: [0, 'pipe', 'pipe'],
+      shell: false,
       ...opts,
-      catchAsResult: true
-    }).result;
+    }), { catch: true });
+
     if (!valid) {
       process.exitCode = code;
       throw new AppError(stderr || message || 'An unexpected error has occurred');