configorama 0.9.8 → 0.9.12

package/src/resolvers/valueFromEval.js

@@ -1,29 +1,86 @@
 // const evalRefSyntax = RegExp(/^eval\((~?[\{\}\:\${}a-zA=>+!-Z0-9._\-\/,'"\*\` ]+?)?\)/g)
 const evalRefSyntax = RegExp(/^eval\((.*)?\)/g)
+const { replaceOutsideQuotes } = require('../utils/strings/quoteAware')
+
+// Pattern for encoded objects/arrays: __OBJ:base64__ or __ARR:base64__
+const ENCODED_PATTERN = /__(?:OBJ|ARR):([A-Za-z0-9+/=]+)__/g
+
+// Encode object/array for embedding in eval expressions
+function encodeValue(value) {
+  const prefix = Array.isArray(value) ? 'ARR' : 'OBJ'
+  const encoded = Buffer.from(JSON.stringify(value)).toString('base64')
+  return `__${prefix}:${encoded}__`
+}
+
+// Decode encoded values and build context for subscript
+function decodeValues(expression) {
+  const context = {}
+  let idx = 0
+
+  const processed = expression.replace(ENCODED_PATTERN, (match, base64) => {
+    const decoded = JSON.parse(Buffer.from(base64, 'base64').toString('utf8'))
+    const placeholder = `__VAL${idx}__`
+    context[`__VAL${idx}__`] = decoded
+    idx++
+    return placeholder
+  })
+
+  return { processed, context }
+}
+
+// Wrap individual comparisons in parentheses for correct precedence with && / ||
+// Subscript has operator precedence issues without explicit parens
+function wrapComparisons(expr) {
+  if (!/&&|\|\|/.test(expr)) return expr
+
+  // Match comparisons: value op value (where op is ===, !==, ==, !=, >=, <=, >, <)
+  // Values can be: quoted strings, numbers, identifiers, or __VAL0__ placeholders
+  const compPattern = /((?:"[^"]*"|'[^']*'|__VAL\d+__|__NULL__|[a-zA-Z_][a-zA-Z0-9_]*|[\d.]+))\s*(===|!==|==|!=|>=|<=|>|<)\s*((?:"[^"]*"|'[^']*'|__VAL\d+__|__NULL__|[a-zA-Z_][a-zA-Z0-9_]*|[\d.]+))/g
+
+  return expr.replace(compPattern, '($1 $2 $3)')
+}
 
 async function getValueFromEval(variableString) {
-  // console.log('getValueFromEval variableString', variableString)
-  // console.log('getValueFromEval variableString', variableString)
   // Extract the expression inside eval()
   const match = variableString.match(/^eval\((.+)\)$/)
-  // console.log('match', match)
   if (!match) {
     throw new Error(`Invalid eval syntax: ${variableString}. Expected format: eval(expression)`)
   }
-  
+
   const expression = match[1].trim()
-  // console.log('expression', expression)
-  
+  if (process.env.DEBUG_EVAL) console.log('eval expression:', expression)
+
   // Use "justin" variant to support strict comparison (===, !==) and other JS-like operators
   try {
     const { default: subscript } = await import('subscript/justin')
-    
+
     // Handle string comparisons by ensuring both sides are quoted
-    const processedExpression = expression.replace(/([a-zA-Z0-9_]+)\s*([=!<>]=?)\s*['"]([^'"]+)['"]/g, '"$1"$2"$3"')
-    
-    // console.log('processedExpression', processedExpression)
+    let processedExpression = expression.replace(/([a-zA-Z0-9_]+)\s*([=!<>]=?)\s*['"]([^'"]+)['"]/g, '"$1"$2"$3"')
+
+    // Decode any encoded objects/arrays
+    const { processed: withDecodedValues, context: valueContext } = decodeValues(processedExpression)
+    processedExpression = withDecodedValues
+
+    // Workaround: subscript doesn't handle null keyword correctly
+    // Replace null with placeholder and inject via context (but not inside quoted strings)
+    const hasNull = /\bnull\b/.test(processedExpression)
+    if (hasNull) {
+      processedExpression = replaceOutsideQuotes(processedExpression, 'null', '__NULL__')
+    }
+
+    // Build context with null and any decoded values
+    /** @type {Record<string, unknown>} */
+    const context = { ...valueContext }
+    if (hasNull) {
+      context.__NULL__ = null
+    }
+
+    // Wrap comparisons in parens for correct precedence with && / ||
+    processedExpression = wrapComparisons(processedExpression)
+
+    if (process.env.DEBUG_EVAL) console.log('eval processed:', processedExpression)
     const fn = subscript(processedExpression)
-    const result = fn()
+    const result = fn(Object.keys(context).length > 0 ? context : undefined)
     return result
   } catch (error) {
     throw new Error(`Error evaluating expression "${expression}": ${error.message}`)
@@ -33,6 +90,7 @@ async function getValueFromEval(variableString) {
 module.exports = {
   type: 'eval',
   source: 'readonly',
+  encodeValue,
   description: '${eval(expression)} - Evaluates mathematical expressions',
   match: evalRefSyntax,
   resolver: getValueFromEval

package/src/resolvers/valueFromFile.js

@@ -258,7 +258,7 @@ ${JSON.stringify(options.context, null, 2)}`,
 
   /* handle case for referencing raw JS files to inline them */
   if (argsToPass.length
-    && (argsToPass && argsToPass[0] && argsToPass[0].toLowerCase() === 'raw')
+    && (argsToPass && argsToPass[0] && typeof argsToPass[0] === 'string' && argsToPass[0].toLowerCase() === 'raw')
     || opts.asRawText
   ) {
     // Encode foo() to foo__PH_PAREN_OPEN__) to avoid function collisions

package/src/resolvers/valueFromIf.js

@@ -0,0 +1,75 @@
+/* ${if(...)} syntax - alias for eval() with more intuitive name for conditionals */
+const { resolver: evalResolver } = require('./valueFromEval')
+const { findOutsideQuotes } = require('../utils/strings/quoteAware')
+
+// Match both:
+//   if(condition ? trueVal : falseVal)  - ternary inside
+//   if(condition) ? trueVal : falseVal  - ternary outside
+const ifRefSyntax = RegExp(/^if\s*\(.*\)(\s*\?.*)?/g)
+
+async function getValueFromIf(variableString) {
+  if (process.env.DEBUG_IF) console.log('if resolver input:', variableString)
+
+  // Validate: check for empty condition
+  const emptyConditionMatch = variableString.match(/^if\s*\(\s*\)/)
+  if (emptyConditionMatch) {
+    throw new Error('Empty condition in ${if()}. Expected: ${if(condition) ? trueVal : falseVal}')
+  }
+
+  // Check for external ternary: if(condition) ? trueVal : falseVal
+  // Must properly balance parentheses to find where if() ends
+  const match = variableString.match(/^if\s*\(/)
+  if (match) {
+    const afterIf = variableString.substring(match[0].length)
+    let depth = 1
+    let i = 0
+
+    // Find the matching closing paren
+    while (i < afterIf.length && depth > 0) {
+      if (afterIf[i] === '(') depth++
+      else if (afterIf[i] === ')') depth--
+      if (depth > 0) i++
+    }
+
+    if (depth === 0) {
+      // Check what comes after the if() block
+      const afterCondition = afterIf.substring(i + 1).trim()
+
+      if (afterCondition.startsWith('?')) {
+        // External ternary: if(condition) ? trueVal : falseVal
+        const condition = afterIf.substring(0, i)
+        const ternaryPart = afterCondition.substring(1).trim() // after ?
+
+        // Find the colon separating trueVal and falseVal (outside quotes and encoded patterns)
+        const colonIdx = findOutsideQuotes(ternaryPart, (str, idx) => {
+          if (str[idx] !== ':') return 0
+          // Skip colons inside encoded patterns __OBJ:...__ or __ARR:...__
+          const before = str.substring(0, idx)
+          if (/__(?:OBJ|ARR|VAL\d+)$/.test(before)) return 0
+          return 1
+        })
+
+        if (colonIdx !== -1) {
+          const trueVal = ternaryPart.substring(0, colonIdx).trim()
+          const falseVal = ternaryPart.substring(colonIdx + 1).trim()
+          const expression = `(${condition}) ? ${trueVal} : ${falseVal}`
+          if (process.env.DEBUG_IF) console.log('if resolver external ternary:', expression)
+          return evalResolver(`eval(${expression})`)
+        }
+      }
+    }
+  }
+
+  // Standard syntax: if(condition ? trueVal : falseVal) or if(boolExpr)
+  const converted = variableString.replace(/^if\s*\(/, 'eval(')
+  if (process.env.DEBUG_IF) console.log('if resolver standard syntax:', converted)
+  return evalResolver(converted)
+}
+
+module.exports = {
+  type: 'if',
+  source: 'readonly',
+  description: '${if(condition) ? "yes" : "no"} - Conditional expressions',
+  match: ifRefSyntax,
+  resolver: getValueFromIf
+}

package/src/resolvers/valueFromIf.test.js

@@ -0,0 +1,66 @@
+/* Tests for ${if(...)} syntax - alias for eval */
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const configorama = require('../../src')
+
+test('if() basic ternary', async () => {
+  const result = await configorama({
+    yes: '${if(5 > 3 ? "yes" : "no")}',
+    no: '${if(3 > 5 ? "yes" : "no")}'
+  })
+  assert.is(result.yes, 'yes')
+  assert.is(result.no, 'no')
+})
+
+test('if() with parentheses around condition', async () => {
+  const result = await configorama({
+    result: '${if((10 < 20) ? "smaller" : "bigger")}'
+  })
+  assert.is(result.result, 'smaller')
+})
+
+test('if() boolean result', async () => {
+  const result = await configorama({
+    isTrue: '${if(10 == 10)}',
+    isFalse: '${if(10 == 5)}'
+  })
+  assert.is(result.isTrue, true)
+  assert.is(result.isFalse, false)
+})
+
+test('if() with variables', async () => {
+  const result = await configorama({
+    threshold: 50,
+    value: 75,
+    status: '${if(${self:value} > ${self:threshold} ? "above" : "below")}'
+  })
+  assert.is(result.status, 'above')
+})
+
+test('if() nested ternary', async () => {
+  const result = await configorama({
+    score: 85,
+    grade: '${if(${self:score} >= 90 ? "A" : ${self:score} >= 80 ? "B" : "C")}'
+  })
+  assert.is(result.grade, 'B')
+})
+
+test('if() with logical operators', async () => {
+  const result = await configorama({
+    both: '${if(true && true)}',
+    either: '${if(false || true)}',
+    neither: '${if(false && false)}'
+  })
+  assert.is(result.both, true)
+  assert.is(result.either, true)
+  assert.is(result.neither, false)
+})
+
+test('if() arithmetic in condition', async () => {
+  const result = await configorama({
+    result: '${if((5 + 5) > 8 ? "big" : "small")}'
+  })
+  assert.is(result.result, 'big')
+})
+
+test.run()

package/src/resolvers/valueFromNumber.js

@@ -1,6 +1,9 @@
 const isNumber = require('lodash.isnumber')
 
 function isNumberVariable(variableString) {
+  if (!variableString || variableString.trim().length === 0) {
+    return false
+  }
   const num = Number(variableString)
   return !isNaN(num) && isNumber(num)
 }

package/src/utils/handleSignalEvents.js

@@ -24,10 +24,9 @@ Exit received. Waiting for current operation to finish...
     // Clean up readline interface when done
     process.once('exit', () => rl.close())
     
-    // Use once() instead of on()
-    rl.once('SIGINT', () => process.emit('SIGINT'))
-    rl.once('SIGTERM', () => process.emit('SIGTERM'))
-    rl.once('SIGBREAK', () => process.emit('SIGBREAK'))
+    rl.on('SIGINT', () => process.emit('SIGINT'))
+    rl.on('SIGTERM', () => process.emit('SIGTERM'))
+    rl.on('SIGBREAK', () => process.emit('SIGBREAK'))
   }
 
   // Remove any existing listeners before adding new ones

package/src/utils/lodash.js

@@ -47,26 +47,37 @@ function set(object, path, value) {
   return object;
 }
 
+// Cache for trim regex patterns (perf: avoid recompilation)
+const trimRegexCache = new Map()
+
 // Custom implementation of lodash.trim
 function trim(string, chars) {
   if (string === null || string === undefined) {
     return '';
   }
-  
+
   string = String(string);
-  
+
   if (!chars && String.prototype.trim) {
     return string.trim();
   }
-  
+
   if (!chars) {
     // Default characters to trim (whitespace)
     chars = ' \t\n\r\f\v\u00a0\u1680\u2000\u200a\u2028\u2029\u202f\u205f\u3000\ufeff';
   }
-  
-  // Create a regex pattern with the characters to trim
-  const pattern = new RegExp(`^[${chars.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&')}]+|[${chars.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&')}]+$`, 'g');
-  
+
+  // Check cache first
+  let pattern = trimRegexCache.get(chars)
+  if (!pattern) {
+    // Create and cache regex pattern with the characters to trim
+    const escaped = chars.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&')
+    pattern = new RegExp(`^[${escaped}]+|[${escaped}]+$`, 'g')
+    trimRegexCache.set(chars, pattern)
+  }
+
+  // Reset lastIndex for global regex reuse
+  pattern.lastIndex = 0
   return string.replace(pattern, '');
 }
 

package/src/utils/parsing/cloudformationSchema.js

@@ -1,7 +1,6 @@
 const YAML = require('js-yaml');
 const includes = require('lodash.includes');
 const isString = require('lodash.isstring');
-const split = require('lodash.split');
 const flatten = require('lodash.flatten');
 const map = require('lodash.map');
 
@@ -67,7 +66,7 @@ const createSchema = () => {
       map(['mapping', 'scalar', 'sequence'], kind => yamlType(functionName, kind))
     )
   );
-  return YAML.Schema.create(types);
+  return YAML.Schema.create(YAML.DEFAULT_SAFE_SCHEMA, types);
 };
 
 module.exports = {

package/src/utils/parsing/cloudformationSchema.test.js

@@ -233,4 +233,18 @@ test('!EachMemberIn - member inclusion check', () => {
   assert.equal(parsed.Value['Fn::EachMemberIn'], [['a', 'b'], ['a', 'b', 'c']])
 })
 
+// ==========================================
+// Security - Unsafe YAML tags should be blocked
+// ==========================================
+
+test('security - !!js/function should be rejected', () => {
+  const maliciousYaml = `Handler: !!js/function 'function() { return "pwned"; }'`
+  assert.throws(() => parseCfYaml(maliciousYaml), /unknown tag/)
+})
+
+test('security - !!js/regexp should be rejected', () => {
+  const maliciousYaml = `Pattern: !!js/regexp /test/`
+  assert.throws(() => parseCfYaml(maliciousYaml), /unknown tag/)
+})
+
 test.run()

package/src/utils/parsing/preProcess.js

@@ -1,8 +1,10 @@
 /**
- * Preprocesses config to fix malformed fallback references
- * and escape variables inside help() filter arguments
+ * Preprocesses config to fix malformed fallback references,
+ * escape variables inside help() filter arguments,
+ * and convert bare references in if() expressions
  */
 const { splitByComma } = require('../strings/splitByComma')
+const { getQuoteRanges } = require('../strings/quoteAware')
 const { extractVariableWrapper } = require('../variables/variableUtils')
 
 /**
@@ -10,9 +12,12 @@ const { extractVariableWrapper } = require('../variables/variableUtils')
  * @param {Object} configObject - The parsed configuration object
  * @param {RegExp} variableSyntax - The variable syntax regex to use
  * @param {Array} [variableTypes] - Array of variable type definitions with type/prefix fields
+ * @param {Object} [options] - Options for preprocessing
+ * @param {boolean} [options.skipFallbackFix] - Skip fixing malformed fallbacks (for object configs)
  * @returns {Object} The preprocessed configuration object
  */
-function preProcess(configObject, variableSyntax, variableTypes) {
+function preProcess(configObject, variableSyntax, variableTypes, options = {}) {
+  const { skipFallbackFix = false } = options
   // Extract prefix/suffix from variable syntax for reconstructing variables
   const { prefix: varPrefix, suffix: varSuffix } = variableSyntax
     ? extractVariableWrapper(variableSyntax.source)
@@ -51,6 +56,214 @@ function preProcess(configObject, variableSyntax, variableTypes) {
     })
   }
 
+  /**
+   * Convert bare config references inside if() expressions to ${...} syntax
+   * Also wraps unquoted ${...} refs in quotes for proper string comparison
+   * e.g., ${if(provider.stage === "prod")} => ${if("${provider.stage}" === "prod")}
+   * e.g., ${if(${provider.stage} === "prod")} => ${if("${provider.stage}" === "prod")}
+   * @param {string} str - String potentially containing if() expressions
+   * @returns {string} String with bare refs converted
+   */
+  function convertBareRefsInIf(str) {
+    if (typeof str !== 'string') return str
+
+    const reserved = ['true', 'false', 'null', 'undefined', 'NaN', 'Infinity']
+    const prefixLen = varPrefix.length
+    const suffixLen = varSuffix.length
+
+    // Find if( blocks and process them
+    let result = str
+    let i = 0
+
+    while (i < result.length) {
+      // Look for ${if( or similar with custom prefix
+      const ifStart = result.indexOf(varPrefix + 'if(', i)
+      if (ifStart === -1) break
+
+      // Find the matching closing suffix by counting nested prefixes/suffixes
+      const contentStart = ifStart + prefixLen + 3 // after "${if("
+      let depth = 1
+      let j = contentStart
+
+      while (j < result.length && depth > 0) {
+        if (result.substring(j, j + prefixLen) === varPrefix) {
+          depth++
+          j += prefixLen
+        } else if (result.substring(j, j + suffixLen) === varSuffix) {
+          depth--
+          if (depth > 0) j += suffixLen
+        } else {
+          j++
+        }
+      }
+
+      if (depth === 0) {
+        // Extract the if content (everything between "if(" and the final ")")
+        const fullContent = result.substring(contentStart, j)
+
+        // Process the content: wrap bare refs and unquoted var refs in quotes
+        let processed = fullContent
+
+        // 1. First convert bare refs (word.word or word:word) to quoted var refs
+        // Must do this BEFORE handling ${...} to avoid double-wrapping
+        // Pattern excludes refs inside ${...} by using negative lookbehind for varPrefix
+        const escapedPrefix = varPrefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+        const bareRefPattern = new RegExp(
+          `(?<!${escapedPrefix}[^${varSuffix}]*)(?<!")(?<!')(?<=^|[^.\\w])([a-zA-Z_][a-zA-Z0-9_]*(?:[.:][a-zA-Z_][a-zA-Z0-9_]*)+)(?![.\\w])`,
+          'g'
+        )
+
+        // Simpler approach: find bare refs that are NOT inside ${...}
+        // Build list of ${...} ranges to exclude
+        const varRanges = []
+        let pos = 0
+        while (pos < processed.length) {
+          if (processed.substring(pos, pos + prefixLen) === varPrefix) {
+            const start = pos
+            let varDepth = 1
+            pos += prefixLen
+            while (pos < processed.length && varDepth > 0) {
+              if (processed.substring(pos, pos + prefixLen) === varPrefix) {
+                varDepth++
+                pos += prefixLen
+              } else if (processed.substring(pos, pos + suffixLen) === varSuffix) {
+                varDepth--
+                if (varDepth > 0) pos += suffixLen
+              } else {
+                pos++
+              }
+            }
+            pos += suffixLen
+            varRanges.push([start, pos])
+          } else {
+            pos++
+          }
+        }
+
+        // Build list of quoted string ranges to exclude
+        const quoteRanges = getQuoteRanges(fullContent)
+
+        // Comparison operators for detecting string comparison context
+        const comparisonOps = ['===', '!==', '==', '!=']
+
+        // Find and replace bare refs, skipping those inside ${...} or quoted strings
+        // Only quote bare refs that are in string comparison context
+        const simpleBarePat = /([a-zA-Z_][a-zA-Z0-9_]*(?:[.:][a-zA-Z_][a-zA-Z0-9_]*)+)/g
+        let offset = 0
+        let match
+        while ((match = simpleBarePat.exec(fullContent)) !== null) {
+          const bareRef = match[1]
+          const matchStart = match.index
+          const matchEnd = matchStart + bareRef.length
+
+          // Skip if inside a ${...} range
+          const insideVar = varRanges.some(([s, e]) => matchStart >= s && matchEnd <= e)
+          if (insideVar) continue
+
+          // Skip if inside a quoted string
+          const insideQuote = quoteRanges.some(([s, e]) => matchStart >= s && matchEnd <= e)
+          if (insideQuote) continue
+
+          // Skip reserved words
+          if (reserved.includes(bareRef)) continue
+
+          // Check if this ref is in a string comparison context
+          const afterRef = fullContent.substring(matchEnd).trimStart()
+          const beforeRef = fullContent.substring(0, matchStart).trimEnd()
+
+          const isComparedToString = comparisonOps.some(op => {
+            // Check if followed by: op "string"
+            if (afterRef.startsWith(op)) {
+              const afterOp = afterRef.substring(op.length).trimStart()
+              return afterOp.startsWith('"') || afterOp.startsWith("'")
+            }
+            // Check if preceded by: "string" op
+            for (const o of comparisonOps) {
+              const pattern = new RegExp(`["'][^"']*["']\\s*${o.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*$`)
+              if (pattern.test(beforeRef)) return true
+            }
+            return false
+          })
+
+          // Replace with var ref - quoted if string comparison, unquoted otherwise
+          const replacement = isComparedToString
+            ? `"${varPrefix}${bareRef}${varSuffix}"`
+            : `${varPrefix}${bareRef}${varSuffix}`
+          processed = processed.substring(0, matchStart + offset) + replacement + processed.substring(matchEnd + offset)
+          offset += replacement.length - bareRef.length
+        }
+
+        // 2. Quote unquoted ${...} refs that are used in string comparisons
+        // Pattern: ref followed by comparison operator and string, or string followed by operator and ref
+        // e.g., ${foo} === "bar" or "bar" === ${foo}
+        // Find ${...} refs that are in comparison context
+        pos = 0
+        let newProcessed = ''
+        while (pos < processed.length) {
+          if (processed.substring(pos, pos + prefixLen) === varPrefix) {
+            const precededByQuote = pos > 0 && processed[pos - 1] === '"'
+
+            // Find matching suffix
+            let varDepth = 1
+            let endPos = pos + prefixLen
+            while (endPos < processed.length && varDepth > 0) {
+              if (processed.substring(endPos, endPos + prefixLen) === varPrefix) {
+                varDepth++
+                endPos += prefixLen
+              } else if (processed.substring(endPos, endPos + suffixLen) === varSuffix) {
+                varDepth--
+                if (varDepth > 0) endPos += suffixLen
+              } else {
+                endPos++
+              }
+            }
+            endPos += suffixLen
+
+            const varRef = processed.substring(pos, endPos)
+            const followedByQuote = endPos < processed.length && processed[endPos] === '"'
+
+            // Check if this ref is in a string comparison context
+            const afterRef = processed.substring(endPos).trimStart()
+            const beforeRef = processed.substring(0, pos).trimEnd()
+
+            const isComparedToString = comparisonOps.some(op => {
+              // Check if followed by: op "string"
+              if (afterRef.startsWith(op)) {
+                const afterOp = afterRef.substring(op.length).trimStart()
+                return afterOp.startsWith('"') || afterOp.startsWith("'")
+              }
+              // Check if preceded by: "string" op
+              for (const o of comparisonOps) {
+                const pattern = new RegExp(`["'][^"']*["']\\s*${o.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*$`)
+                if (pattern.test(beforeRef)) return true
+              }
+              return false
+            })
+
+            if (!precededByQuote && !followedByQuote && isComparedToString) {
+              newProcessed += '"' + varRef + '"'
+            } else {
+              newProcessed += varRef
+            }
+            pos = endPos
+          } else {
+            newProcessed += processed[pos]
+            pos++
+          }
+        }
+        processed = newProcessed
+
+        // Reconstruct
+        result = result.substring(0, contentStart) + processed + result.substring(j)
+        i = contentStart + processed.length + suffixLen
+      } else {
+        i = ifStart + prefixLen
+      }
+    }
+
+    return result
+  }
+
   /**
    * Fix malformed fallback references in a string
    * @param {string} str - String potentially containing variables
@@ -154,9 +367,11 @@ function preProcess(configObject, variableSyntax, variableTypes) {
    */
   function traverseAndFix(obj) {
     if (typeof obj === 'string') {
-      // First escape help() variables, then fix fallbacks
+      // First escape help() variables, convert bare refs in if(), then fix fallbacks
       const withHelpEscaped = escapeHelpVariables(obj)
-      return fixFallbacksInString(withHelpEscaped)
+      const withBareRefsConverted = convertBareRefsInIf(withHelpEscaped)
+      // Skip fallback fixing for object configs (they handle bare refs differently)
+      return skipFallbackFix ? withBareRefsConverted : fixFallbacksInString(withBareRefsConverted)
     }
 
     if (Array.isArray(obj)) {

package/src/utils/paths/getFullFilePath.js

@@ -19,8 +19,12 @@ function resolveFilePath(pathToResolve, basePath) {
     fullFilePath = fs.realpathSync(fullFilePath)
   // Only use findUp for relative paths (not absolute paths)
   } else if (!path.isAbsolute(pathToResolve)) {
-    const cleanName = path.basename(pathToResolve)
-    const findUpResult = findUp.sync(cleanName, { cwd: basePath })
+    // Strip ./ and ../ prefixes for findUp, but preserve directory structure like utils/
+    let searchPath = pathToResolve
+    while (searchPath.startsWith('./') || searchPath.startsWith('../')) {
+      searchPath = searchPath.replace(/^\.\.?\//, '')
+    }
+    const findUpResult = findUp.sync(searchPath, { cwd: basePath })
     if (findUpResult) {
       fullFilePath = findUpResult
     }

package/src/utils/paths/getFullFilePath.test.js

@@ -109,6 +109,24 @@ test('resolveFilePath - relative path without ./ prefix triggers findUp', () =>
   assert.is(result, expected)
 })
 
+test('resolveFilePath - preserves directory structure when using findUp', () => {
+  // Create additional structure for this test:
+  // _test-getFullFilePath/
+  //   config.yml           <- WRONG file
+  //   utils/
+  //     config.yml         <- CORRECT file
+  //   subdir/deepdir/      <- searching from here
+  const utilsDir = path.join(testDir, 'utils')
+  fs.mkdirSync(utilsDir, { recursive: true })
+  fs.writeFileSync(path.join(utilsDir, 'config.yml'), 'correct: true')
+
+  // From deepDir, request "utils/config.yml" - should find testDir/utils/config.yml
+  const result = resolveFilePath('utils/config.yml', deepDir)
+  const expected = path.join(utilsDir, 'config.yml')
+  assert.is(result, expected,
+    `Should preserve 'utils/' directory and find utils/config.yml, not root config.yml. Got ${result}`)
+})
+
 // ==========================================
 // getFullPath - wrapper function
 // ==========================================