libnpmexec 10.2.9 → 10.3.0

package/lib/index.js

@@ -4,6 +4,7 @@ const { dirname, join, resolve } = require('node:path')
 const crypto = require('node:crypto')
 const { mkdir } = require('node:fs/promises')
 const Arborist = require('@npmcli/arborist')
+const strictAllowScriptsPreflight = require('./strict-allow-scripts-preflight.js')
 const ciInfo = require('ci-info')
 const { log, input } = require('proc-log')
 const npa = require('npm-package-arg')
@@ -86,6 +87,9 @@ const missingFromTree = async ({ spec, tree, flatOptions, isNpxTree, shallow })
   }
 }
 
+// Strict-mode pre-flight for `npm exec` / `npx` lives in
+// ./strict-allow-scripts-preflight.js
+
 // see if the package.json at `path` has an entry that matches `cmd`
 // the path is a known-local directory, not a user-supplied dep, so
 // allow-directory must not gate this introspection
@@ -301,11 +305,16 @@ const exec = async (opts) => {
           }
         }
       }
-      await withLock(lockPath, () => npxArb.reify({
-        ...flatOptions,
-        save: true,
-        add,
-      }))
+      await withLock(lockPath, async () => {
+        // Hard-fail before reify if --strict-allow-scripts is set and
+        // any node has install scripts not covered by allowScripts.
+        await strictAllowScriptsPreflight(npxArb, { ...flatOptions, add })
+        await npxArb.reify({
+          ...flatOptions,
+          save: true,
+          add,
+        })
+      })
     }
     binPaths.push(resolve(installDir, 'node_modules/.bin'))
     const pkgJson = await PackageJson.load(installDir)

package/lib/run-script.js

@@ -19,7 +19,9 @@ const run = async ({
   // necessary for preventing bash/cmd keywords from overriding
   if (!isWindowsShell) {
     if (args.length > 0) {
-      args[0] = '"' + args[0] + '"'
+      // single-quote so shell metacharacters in the executable name are taken
+      // literally; double quotes still expand $(), backticks, $var and "
+      args[0] = `'${args[0].replace(/'/g, `'\\''`)}'`
     }
   }
 

package/lib/strict-allow-scripts-preflight.js

@@ -0,0 +1,40 @@
+const { collectUnreviewedScripts, strictAllowScriptsError } = require('@npmcli/arborist/lib/unreviewed-scripts.js')
+
+// Strict-mode pre-flight for `npm exec` / `npx`. When
+// `--strict-allow-scripts` is set, build the npx-cache ideal tree and
+// throw before reify if any node has install scripts not covered by
+// the resolved `allowScripts` policy. The arborist gate already
+// silently skips those scripts; this turns the silent skip into a
+// hard failure for CI. Bypassed by `--ignore-scripts` and
+// `--dangerously-allow-all-scripts`.
+const strictAllowScriptsPreflight = async (arb, opts) => {
+  if (!opts.strictAllowScripts) {
+    return
+  }
+  if (opts.ignoreScripts || opts.dangerouslyAllowAllScripts) {
+    return
+  }
+
+  if (!arb.idealTree) {
+    await arb.buildIdealTree(opts)
+  }
+
+  const unreviewed = await collectUnreviewedScripts({
+    tree: arb.idealTree,
+    policy: opts.allowScripts || null,
+    ignoreScripts: opts.ignoreScripts,
+    dangerouslyAllowAllScripts: opts.dangerouslyAllowAllScripts,
+  })
+
+  if (unreviewed.length === 0) {
+    return
+  }
+
+  throw strictAllowScriptsError(unreviewed, {
+    remediation:
+      'Pass --allow-scripts=<pkg> for one-off approval, or bypass this ' +
+      'check with --dangerously-allow-all-scripts.',
+  })
+}
+
+module.exports = strictAllowScriptsPreflight

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmexec",
-  "version": "10.2.9",
+  "version": "10.3.0",
   "files": [
     "bin/",
     "lib/"
@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
-    "@npmcli/arborist": "^9.7.0",
+    "@npmcli/arborist": "^9.8.0",
     "@npmcli/package-json": "^7.0.0",
     "@npmcli/run-script": "^10.0.0",
     "ci-info": "^4.0.0",