create-ifc-lite 1.14.8 → 1.14.9

package/dist/index.js

@@ -71,6 +71,18 @@ async function main() {
             projectName = arg;
         }
     }
+    // Reject path separators, '..', and names that would yield an invalid npm
+    // `name`, so join(process.cwd(), projectName) stays under cwd and the
+    // generated package.json is valid. Mirrors config-fixers.ts VALID_PACKAGE_NAME.
+    const VALID_PROJECT_NAME = /^(?:@[\w.-]+\/)?[\w.-]+$/;
+    // A scoped name like `@scope/..` passes the char regex but its last segment
+    // is a dot-segment that `join(cwd, name)` resolves outside the intended dir,
+    // so reject any `.`/`..` segment (scoped or not), not just a bare projectName.
+    const hasDotSegment = projectName.split('/').some((seg) => seg === '.' || seg === '..');
+    if (!VALID_PROJECT_NAME.test(projectName) || hasDotSegment) {
+        console.error(`Invalid project name "${projectName}". Use letters, digits, '.', '-' or '_' (no path separators).`);
+        process.exit(1);
+    }
     const targetDir = join(process.cwd(), projectName);
     if (existsSync(targetDir)) {
         console.error(`Directory "${projectName}" already exists.`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ifc-lite",
-  "version": "1.14.8",
+  "version": "1.14.9",
   "description": "Create IFC-Lite projects with one command",
   "type": "module",
   "bin": {

package/dist/utils/download.d.ts

@@ -1,7 +0,0 @@
-/**
- * Download the viewer application from the ifc-lite GitHub repository.
- *
- * Tries `npx degit` first (fastest path).  Falls back to a git sparse
- * checkout when degit is unavailable or fails.
- */
-export declare function downloadViewer(targetDir: string, _projectName: string): Promise<boolean>;

package/dist/utils/download.js

@@ -1,63 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
-import { rmSync } from 'fs';
-import { join, dirname } from 'path';
-import { execSync } from 'child_process';
-const REPO_URL = 'https://github.com/LTplus-AG/ifc-lite';
-const VIEWER_PATH = 'apps/viewer';
-/**
- * Run a shell command silently.  Returns true on success, false on failure.
- */
-function runCommand(cmd, cwd) {
-    try {
-        execSync(cmd, { cwd, stdio: 'pipe' });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Download the viewer application from the ifc-lite GitHub repository.
- *
- * Tries `npx degit` first (fastest path).  Falls back to a git sparse
- * checkout when degit is unavailable or fails.
- */
-export async function downloadViewer(targetDir, _projectName) {
-    // Try degit first (fastest)
-    if (runCommand('npx --version')) {
-        console.log('  Downloading viewer template...');
-        try {
-            execSync(`npx degit ${REPO_URL}/${VIEWER_PATH} "${targetDir}"`, {
-                stdio: 'pipe',
-                timeout: 60000
-            });
-            return true;
-        }
-        catch {
-            // degit failed, try git sparse checkout
-        }
-    }
-    // Fallback: git sparse checkout
-    if (runCommand('git --version')) {
-        console.log('  Downloading via git...');
-        const tempDir = join(dirname(targetDir), `.temp-${Date.now()}`);
-        try {
-            execSync(`git clone --filter=blob:none --sparse "${REPO_URL}.git" "${tempDir}"`, {
-                stdio: 'pipe',
-                timeout: 120000
-            });
-            execSync(`git sparse-checkout set ${VIEWER_PATH}`, { cwd: tempDir, stdio: 'pipe' });
-            // Move viewer to target
-            const viewerSrc = join(tempDir, VIEWER_PATH);
-            execSync(`mv "${viewerSrc}" "${targetDir}"`, { stdio: 'pipe' });
-            rmSync(tempDir, { recursive: true, force: true });
-            return true;
-        }
-        catch {
-            rmSync(tempDir, { recursive: true, force: true });
-        }
-    }
-    return false;
-}