create-sparkling-app 2.1.0-rc.2 → 2.1.0-rc.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/create-app/template-manager.js +12 -3
  2. package/package.json +1 -1
package/dist/create-app/template-manager.js CHANGED
@@ -23,6 +23,12 @@ const sanitizeCacheKey = (packageName, version) => {
23
23
  };
24
24
  exports.sanitizeCacheKey = sanitizeCacheKey;
25
25
  const NPM_TEMPLATE_PREFIX = 'npm:';
26
+ const SAFE_GIT_REF = /^[a-zA-Z0-9._\-/]+$/;
27
+ function validateGitRef(value, label) {
28
+ if (!SAFE_GIT_REF.test(value)) {
29
+ throw new Error(`Invalid characters in GitHub ${label}: ${value}`);
30
+ }
31
+ }
26
32
  async function resolveCustomTemplate(templateInput, version) {
27
33
  const trimmedInput = templateInput.trim();
28
34
  if (trimmedInput.startsWith(NPM_TEMPLATE_PREFIX)) {
@@ -38,13 +44,16 @@ async function resolveCustomTemplate(templateInput, version) {
38
44
  const githubMatch = trimmedInput.match(/^https?:\/\/github\.com\/([^\/]+)\/([^\/]+)(?:\/tree\/([^\/]+))?(?:\/(.*))?$/);
39
45
  if (githubMatch) {
40
46
  const [, owner, repo, branch = 'main', subPath = ''] = githubMatch;
47
+ validateGitRef(owner, 'owner');
48
+ validateGitRef(repo, 'repo');
49
+ validateGitRef(branch, 'branch');
41
50
  const templateDir = node_path_1.default.join(process.cwd(), '.temp-templates', `${owner}-${repo}-${branch}`);
42
51
  try {
43
52
  if (node_fs_1.default.existsSync(templateDir)) {
44
- (0, node_child_process_1.execSync)(`git -C "${templateDir}" pull`, { stdio: 'pipe' });
53
+ (0, node_child_process_1.execFileSync)('git', ['-C', templateDir, 'pull'], { stdio: 'pipe' });
45
54
  }
46
55
  else {
47
- (0, node_child_process_1.execSync)(`git clone --depth 1 --branch ${branch} https://github.com/${owner}/${repo}.git "${templateDir}"`, { stdio: 'pipe' });
56
+ (0, node_child_process_1.execFileSync)('git', ['clone', '--depth', '1', '--branch', branch, `https://github.com/${owner}/${repo}.git`, templateDir], { stdio: 'pipe' });
48
57
  }
49
58
  const fullPath = subPath ? node_path_1.default.join(templateDir, subPath) : templateDir;
50
59
  if (!node_fs_1.default.existsSync(fullPath)) {
@@ -157,7 +166,7 @@ async function resolveNpmTemplate(packageName, version, options) {
157
166
  // precise error output below if installation fails.
158
167
  if (!skipInstall) {
159
168
  try {
160
- (0, node_child_process_1.execSync)(`npm install ${normalizedName}@${versionSpecifier} --no-save --package-lock=false --no-audit --no-fund --silent`, {
169
+ (0, node_child_process_1.execFileSync)('npm', ['install', `${normalizedName}@${versionSpecifier}`, '--no-save', '--package-lock=false', '--no-audit', '--no-fund', '--silent'], {
161
170
  cwd: installRoot,
162
171
  stdio: 'pipe',
163
172
  });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-sparkling-app",
3
- "version": "2.1.0-rc.2",
3
+ "version": "2.1.0-rc.24",
4
4
  "homepage": "https://tiktok.github.io/sparkling/",
5
5
  "repository": {
6
6
  "type": "git",