npm-pkg-lint 5.1.1 → 5.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/index.js +23 -7
  2. package/dist/index.js.map +2 -2
  3. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -3452,16 +3452,31 @@ var require_tmp = __commonJS({
3452
3452
  ].join("");
3453
3453
  return path8.join(tmpDir, opts.dir, name);
3454
3454
  }
3455
+ function _assertPath(option, value) {
3456
+ if (typeof value !== "string") {
3457
+ throw new Error(`${option} option must be a string, got "${typeof value}".`);
3458
+ }
3459
+ if (value.includes("..")) {
3460
+ throw new Error("Relative value not allowed");
3461
+ }
3462
+ return value;
3463
+ }
3455
3464
  function _assertOptionsBase(options) {
3456
3465
  if (!_isUndefined(options.name)) {
3457
3466
  const name = options.name;
3458
3467
  if (path8.isAbsolute(name)) throw new Error(`name option must not contain an absolute path, found "${name}".`);
3459
3468
  const basename = path8.basename(name);
3460
- if (basename === ".." || basename === "." || basename !== name)
3469
+ if (basename === ".." || basename === "." || basename !== name) {
3461
3470
  throw new Error(`name option must not contain a path, found "${name}".`);
3471
+ }
3462
3472
  }
3463
- if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) {
3464
- throw new Error(`Invalid template, found "${options.template}".`);
3473
+ if (!_isUndefined(options.template)) {
3474
+ if (typeof options.template !== "string") {
3475
+ throw new Error(`template option must be a string, got "${typeof options.template}".`);
3476
+ }
3477
+ if (!options.template.match(TEMPLATE_PATTERN)) {
3478
+ throw new Error(`Invalid template, found "${options.template}".`);
3479
+ }
3465
3480
  }
3466
3481
  if (!_isUndefined(options.tries) && isNaN(options.tries) || options.tries < 0) {
3467
3482
  throw new Error(`Invalid tries, found "${options.tries}".`);
@@ -3471,15 +3486,16 @@ var require_tmp = __commonJS({
3471
3486
  options.detachDescriptor = !!options.detachDescriptor;
3472
3487
  options.discardDescriptor = !!options.discardDescriptor;
3473
3488
  options.unsafeCleanup = !!options.unsafeCleanup;
3474
- options.prefix = _isUndefined(options.prefix) ? "" : options.prefix;
3475
- options.postfix = _isUndefined(options.postfix) ? "" : options.postfix;
3489
+ options.prefix = _isUndefined(options.prefix) ? "" : _assertPath("prefix", options.prefix);
3490
+ options.postfix = _isUndefined(options.postfix) ? "" : _assertPath("postfix", options.postfix);
3491
+ options.template = _isUndefined(options.template) ? void 0 : _assertPath("template", options.template);
3476
3492
  }
3477
3493
  function _getRelativePath(option, name, tmpDir, cb) {
3478
3494
  if (_isUndefined(name)) return cb(null);
3479
3495
  _resolvePath(name, tmpDir, function(err, resolvedPath) {
3480
3496
  if (err) return cb(err);
3481
3497
  const relativePath = path8.relative(tmpDir, resolvedPath);
3482
- if (!resolvedPath.startsWith(tmpDir)) {
3498
+ if (relativePath.startsWith("..") || path8.isAbsolute(relativePath)) {
3483
3499
  return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
3484
3500
  }
3485
3501
  cb(null, relativePath);
@@ -3489,7 +3505,7 @@ var require_tmp = __commonJS({
3489
3505
  if (_isUndefined(name)) return;
3490
3506
  const resolvedPath = _resolvePathSync(name, tmpDir);
3491
3507
  const relativePath = path8.relative(tmpDir, resolvedPath);
3492
- if (!resolvedPath.startsWith(tmpDir)) {
3508
+ if (relativePath.startsWith("..") || path8.isAbsolute(relativePath)) {
3493
3509
  throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
3494
3510
  }
3495
3511
  return relativePath;