jsii-diff 1.130.0 → 1.132.0

package/lib/util.js

@@ -34,11 +34,16 @@ function showDownloadFailure(f) {
     }
 }
 async function downloadNpmPackage(pkg, block) {
+    validateValidPackageSpecifier(pkg);
     return inTempDir(async () => {
         LOG.info(`Fetching NPM package ${pkg}`);
         try {
             // Need to install package and dependencies in order for jsii-reflect
             // to not bork when it can find the dependencies.
+            //
+            // This executes the shell, which is necessary: on Windows, npm is a .cmd file,
+            // and only the shell and execute .bat/.cmd files. We have validated the package
+            // name already to make sure it contains only safe characters.
             await exec(`npm install --silent --prefix . ${pkg}`);
         }
         catch (e) {
@@ -68,6 +73,9 @@ function isSubprocesFailedError(e) {
 async function npmPackageExists(pkg) {
     try {
         LOG.info(`Checking existence of ${pkg}`);
+        // This executes the shell, which is necessary: on Windows, npm is a .cmd file,
+        // and only the shell and execute .bat/.cmd files. We have validated the package
+        // name already to make sure it contains only safe characters.
         await exec(`npm show --silent ${pkg}`);
         return true;
     }
@@ -86,6 +94,18 @@ function trimVersionString(pkg) {
     // string.
     return pkg.replace(/(.)@.*$/, '$1');
 }
+/**
+ * Validate a package name against a list of allowed characters
+ *
+ * If we are too strict here, that's not a biggy: script writers are always
+ * able to download their exotically-named NPM package themselves before running
+ * jsii-diff on it.
+ */
+function validateValidPackageSpecifier(pkg) {
+    if (pkg.match(/[^a-z0-9@/:._-]/i)) {
+        throw new Error(`Invalid package name, only 'a-z0-9@/:._-' are allowed: ${JSON.stringify(pkg)}`);
+    }
+}
 function flatMap(xs, fn) {
     const ret = new Array();
     for (const x of xs) {

package/lib/version.d.ts

@@ -1,3 +1,3 @@
 /** The qualified version number for this JSII compiler. */
-export declare const VERSION = "1.130.0 (build 048a5ee)";
+export declare const VERSION = "1.132.0 (build c736b3b)";
 //# sourceMappingURL=version.d.ts.map

package/lib/version.js

@@ -1,7 +1,7 @@
 "use strict";
-// Generated at 2026-05-14T18:29:11Z by generate.sh
+// Generated at 2026-05-22T09:28:12Z by generate.sh
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /** The qualified version number for this JSII compiler. */
-exports.VERSION = '1.130.0 (build 048a5ee)';
+exports.VERSION = '1.132.0 (build c736b3b)';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jsii-diff",
-  "version": "1.130.0",
+  "version": "1.132.0",
   "description": "Assembly comparison for jsii",
   "license": "Apache-2.0",
   "author": {
@@ -31,10 +31,10 @@
     "package": "package-js"
   },
   "dependencies": {
-    "@jsii/check-node": "1.130.0",
-    "@jsii/spec": "1.130.0",
+    "@jsii/check-node": "1.132.0",
+    "@jsii/spec": "1.132.0",
     "fs-extra": "^10.1.0",
-    "jsii-reflect": "^1.130.0",
+    "jsii-reflect": "^1.132.0",
     "log4js": "^6.9.1",
     "yargs": "^17.7.2"
   },
@@ -43,10 +43,10 @@
     "@types/tar-fs": "^2.0.4",
     "@types/yargs": "^17.0.33",
     "eslint": "^9.39.4",
-    "jest": "^30.3.0",
+    "jest": "^30.4.2",
     "jest-expect-message": "^1.1.3",
     "jsii": "^5.9.28",
-    "jsii-build-tools": "^1.130.0",
+    "jsii-build-tools": "^1.132.0",
     "typescript": "5.9.x"
   }
 }