zapier-platform-cli 18.0.1 → 18.0.5

package/oclif.manifest.json

@@ -2176,9 +2176,9 @@
         "unset.js"
       ]
     },
-    "users:add": {
+    "team:add": {
       "aliases": [
-        "users:invite"
+        "team:invite"
       ],
       "args": {
         "email": {
@@ -2186,24 +2186,28 @@
           "name": "email",
           "required": true
         },
-        "version": {
-          "description": "A version string (like 1.2.3). Optional, used only if you want to invite a user to a specific version instead of all versions.",
-          "name": "version"
+        "role": {
+          "description": "The level the invited team member should be at. Admins can edit everything and get email updates. Collaborators have read-access to the app and get email updates. Subscribers only get email updates.",
+          "name": "role",
+          "options": [
+            "admin",
+            "collaborator",
+            "subscriber"
+          ],
+          "required": true
+        },
+        "message": {
+          "description": "A message sent in the email to your team member, if you need to provide context. Wrap the message in quotes to ensure spaces get saved.",
+          "name": "message"
         }
       },
-      "description": "Add a user to some or all versions of your integration.\n\nWhen this command is run, we'll send an email to the user inviting them to try your integration. You can track the status of that invite using the `zapier users:get` command.\n\nInvited users will be able to see your integration's name, logo, and description. They'll also be able to create Zaps using any available triggers and actions.",
+      "description": "Add a team member to your integration.\n\nThese users come in three levels:\n\n  * `admin`, who can edit everything about the integration\n  * `collaborator`, who has read-only access for the app, and will receive periodic email updates. These updates include quarterly health scores and more.\n  * `subscriber`, who can't directly access the app, but will receive periodic email updates. These updates include quarterly health scores and more.\n\nTeam members can be freely added and removed.",
       "examples": [
-        "zapier users:add bruce@wayne.com",
-        "zapier users:add alfred@wayne.com 1.2.3"
+        "zapier team:add bruce@wayne.com admin",
+        "zapier team:add robin@wayne.com collaborator \"Hey Robin, check out this app.\"",
+        "zapier team:add alfred@wayne.com subscriber \"Hey Alfred, check out this app.\""
       ],
       "flags": {
-        "force": {
-          "char": "f",
-          "description": "Skip confirmation. Useful for running programatically.",
-          "name": "force",
-          "allowNo": false,
-          "type": "boolean"
-        },
         "debug": {
           "char": "d",
           "description": "Show extra debugging output.",
@@ -2220,7 +2224,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "users:add",
+      "id": "team:add",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2232,16 +2236,16 @@
         "src",
         "oclif",
         "commands",
-        "users",
+        "team",
         "add.js"
       ]
     },
-    "users:get": {
+    "team:get": {
       "aliases": [
-        "users:list"
+        "team:list"
       ],
       "args": {},
-      "description": "Get a list of users who have been invited to your integration.\n\nNote that this list of users is NOT a comprehensive list of everyone who is using your integration. It only includes users who were invited directly by email (using the `\u001b[36mzapier users:add\u001b[39m` command or the web UI). Users who joined by clicking links generated using the `\u001b[36mzapier user:links\u001b[39m` command won't show up here.",
+      "description": "Get team members involved with your integration.\n\nThese users come in three levels:\n\n  * `admin`, who can edit everything about the integration\n  * `collaborator`, who has read-only access for the app, and will receive periodic email updates. These updates include quarterly health scores and more.\n  * `subscriber`, who can't directly access the app, but will receive periodic email updates. These updates include quarterly health scores and more.\n\nUse the `zapier team:add` and `zapier team:remove` commands to modify your team.\n",
       "flags": {
         "debug": {
           "char": "d",
@@ -2275,7 +2279,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "users:get",
+      "id": "team:get",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2287,14 +2291,16 @@
         "src",
         "oclif",
         "commands",
-        "users",
+        "team",
         "get.js"
       ]
     },
-    "users:links": {
-      "aliases": [],
+    "team:remove": {
+      "aliases": [
+        "team:delete"
+      ],
       "args": {},
-      "description": "Get a list of links that are used to invite users to your integration.",
+      "description": "Remove a team member from all versions of your integration.\n\nAdmins will immediately lose write access to the integration.\nCollaborators will immediately lose read access to the integration.\nSubscribers won't receive future email updates.",
       "flags": {
         "debug": {
           "char": "d",
@@ -2303,22 +2309,6 @@
           "allowNo": false,
           "type": "boolean"
         },
-        "format": {
-          "char": "f",
-          "description": "Change the way structured data is presented. If \"json\" or \"raw\", you can pipe the output of the command into other tools, such as jq.",
-          "name": "format",
-          "default": "table",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "options": [
-            "plain",
-            "json",
-            "raw",
-            "row",
-            "table"
-          ],
-          "type": "option"
-        },
         "invokedFromAnotherCommand": {
           "hidden": true,
           "name": "invokedFromAnotherCommand",
@@ -2328,7 +2318,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "users:links",
+      "id": "team:remove",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2340,26 +2330,34 @@
         "src",
         "oclif",
         "commands",
-        "users",
-        "links.js"
+        "team",
+        "remove.js"
       ]
     },
-    "users:remove": {
+    "users:add": {
       "aliases": [
-        "users:delete"
+        "users:invite"
       ],
       "args": {
         "email": {
-          "description": "The user to be removed.",
+          "description": "The user to be invited. If they don't have a Zapier account, they'll be prompted to create one.",
           "name": "email",
           "required": true
+        },
+        "version": {
+          "description": "A version string (like 1.2.3). Optional, used only if you want to invite a user to a specific version instead of all versions.",
+          "name": "version"
         }
       },
-      "description": "Remove a user from all versions of your integration.\n\nWhen this command is run, their Zaps will immediately turn off. They won't be able to use your app again until they're re-invited or it has gone public. In practice, this command isn't run often as it's very disruptive to users.",
+      "description": "Add a user to some or all versions of your integration.\n\nWhen this command is run, we'll send an email to the user inviting them to try your integration. You can track the status of that invite using the `zapier users:get` command.\n\nInvited users will be able to see your integration's name, logo, and description. They'll also be able to create Zaps using any available triggers and actions.",
+      "examples": [
+        "zapier users:add bruce@wayne.com",
+        "zapier users:add alfred@wayne.com 1.2.3"
+      ],
       "flags": {
         "force": {
           "char": "f",
-          "description": "Skips confirmation. Useful for running programatically.",
+          "description": "Skip confirmation. Useful for running programatically.",
           "name": "force",
           "allowNo": false,
           "type": "boolean"
@@ -2380,7 +2378,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "users:remove",
+      "id": "users:add",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2393,40 +2391,15 @@
         "oclif",
         "commands",
         "users",
-        "remove.js"
+        "add.js"
       ]
     },
-    "team:add": {
+    "users:get": {
       "aliases": [
-        "team:invite"
-      ],
-      "args": {
-        "email": {
-          "description": "The user to be invited. If they don't have a Zapier account, they'll be prompted to create one.",
-          "name": "email",
-          "required": true
-        },
-        "role": {
-          "description": "The level the invited team member should be at. Admins can edit everything and get email updates. Collaborators have read-access to the app and get email updates. Subscribers only get email updates.",
-          "name": "role",
-          "options": [
-            "admin",
-            "collaborator",
-            "subscriber"
-          ],
-          "required": true
-        },
-        "message": {
-          "description": "A message sent in the email to your team member, if you need to provide context. Wrap the message in quotes to ensure spaces get saved.",
-          "name": "message"
-        }
-      },
-      "description": "Add a team member to your integration.\n\nThese users come in three levels:\n\n  * `admin`, who can edit everything about the integration\n  * `collaborator`, who has read-only access for the app, and will receive periodic email updates. These updates include quarterly health scores and more.\n  * `subscriber`, who can't directly access the app, but will receive periodic email updates. These updates include quarterly health scores and more.\n\nTeam members can be freely added and removed.",
-      "examples": [
-        "zapier team:add bruce@wayne.com admin",
-        "zapier team:add robin@wayne.com collaborator \"Hey Robin, check out this app.\"",
-        "zapier team:add alfred@wayne.com subscriber \"Hey Alfred, check out this app.\""
+        "users:list"
       ],
+      "args": {},
+      "description": "Get a list of users who have been invited to your integration.\n\nNote that this list of users is NOT a comprehensive list of everyone who is using your integration. It only includes users who were invited directly by email (using the `\u001b[36mzapier users:add\u001b[39m` command or the web UI). Users who joined by clicking links generated using the `\u001b[36mzapier user:links\u001b[39m` command won't show up here.",
       "flags": {
         "debug": {
           "char": "d",
@@ -2435,6 +2408,22 @@
           "allowNo": false,
           "type": "boolean"
         },
+        "format": {
+          "char": "f",
+          "description": "Change the way structured data is presented. If \"json\" or \"raw\", you can pipe the output of the command into other tools, such as jq.",
+          "name": "format",
+          "default": "table",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "plain",
+            "json",
+            "raw",
+            "row",
+            "table"
+          ],
+          "type": "option"
+        },
         "invokedFromAnotherCommand": {
           "hidden": true,
           "name": "invokedFromAnotherCommand",
@@ -2444,7 +2433,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "team:add",
+      "id": "users:get",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2456,16 +2445,14 @@
         "src",
         "oclif",
         "commands",
-        "team",
-        "add.js"
+        "users",
+        "get.js"
       ]
     },
-    "team:get": {
-      "aliases": [
-        "team:list"
-      ],
+    "users:links": {
+      "aliases": [],
       "args": {},
-      "description": "Get team members involved with your integration.\n\nThese users come in three levels:\n\n  * `admin`, who can edit everything about the integration\n  * `collaborator`, who has read-only access for the app, and will receive periodic email updates. These updates include quarterly health scores and more.\n  * `subscriber`, who can't directly access the app, but will receive periodic email updates. These updates include quarterly health scores and more.\n\nUse the `zapier team:add` and `zapier team:remove` commands to modify your team.\n",
+      "description": "Get a list of links that are used to invite users to your integration.",
       "flags": {
         "debug": {
           "char": "d",
@@ -2499,7 +2486,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "team:get",
+      "id": "users:links",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2511,17 +2498,30 @@
         "src",
         "oclif",
         "commands",
-        "team",
-        "get.js"
+        "users",
+        "links.js"
       ]
     },
-    "team:remove": {
+    "users:remove": {
       "aliases": [
-        "team:delete"
+        "users:delete"
       ],
-      "args": {},
-      "description": "Remove a team member from all versions of your integration.\n\nAdmins will immediately lose write access to the integration.\nCollaborators will immediately lose read access to the integration.\nSubscribers won't receive future email updates.",
+      "args": {
+        "email": {
+          "description": "The user to be removed.",
+          "name": "email",
+          "required": true
+        }
+      },
+      "description": "Remove a user from all versions of your integration.\n\nWhen this command is run, their Zaps will immediately turn off. They won't be able to use your app again until they're re-invited or it has gone public. In practice, this command isn't run often as it's very disruptive to users.",
       "flags": {
+        "force": {
+          "char": "f",
+          "description": "Skips confirmation. Useful for running programatically.",
+          "name": "force",
+          "allowNo": false,
+          "type": "boolean"
+        },
         "debug": {
           "char": "d",
           "description": "Show extra debugging output.",
@@ -2538,7 +2538,7 @@
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "team:remove",
+      "id": "users:remove",
       "pluginAlias": "zapier-platform-cli",
       "pluginName": "zapier-platform-cli",
       "pluginType": "core",
@@ -2550,10 +2550,10 @@
         "src",
         "oclif",
         "commands",
-        "team",
+        "users",
         "remove.js"
       ]
     }
   },
-  "version": "18.0.1"
+  "version": "18.0.5"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zapier-platform-cli",
-  "version": "18.0.1",
+  "version": "18.0.5",
   "description": "The CLI for managing integrations in Zapier Developer Platform.",
   "repository": "zapier/zapier-platform",
   "homepage": "https://platform.zapier.com/",
@@ -20,24 +20,6 @@
   "engines": {
     "node": ">=18.20"
   },
-  "scripts": {
-    "docs": "ZAPIER_BASE_ENDPOINT='' node scripts/docs.js",
-    "preversion": "git pull && yarn validate",
-    "prepack": "oclif manifest",
-    "postpack": "rimraf oclif.manifest.json",
-    "precommit": "yarn docs && git add docs",
-    "version": "yarn docs && git add docs/*",
-    "postversion": "git push && git push --tags",
-    "lint": "eslint src",
-    "lint:fix": "eslint --fix src",
-    "test": "cross-env NODE_ENV=test mocha -t 200s --recursive src/tests --exit",
-    "test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 200s --recursive src/tests --exit",
-    "smoke-test": "cross-env NODE_ENV=test mocha -t 6m --recursive src/smoke-tests --exit",
-    "smoke-test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 6m --recursive src/smoke-tests --exit",
-    "validate-templates": "./scripts/validate-app-templates.js",
-    "set-template-versions": "./scripts/set-app-template-versions.js",
-    "validate": "yarn test && yarn smoke-test && yarn lint"
-  },
   "dependencies": {
     "@oclif/core": "4.5.2",
     "@oclif/plugin-autocomplete": "3.2.34",
@@ -50,7 +32,7 @@
     "cli-table3": "0.6.5",
     "colors": "1.4.0",
     "debug": "4.4.1",
-    "decompress": "4.2.1",
+    "decompress-unzip": "4.0.1",
     "dotenv": "17.2.1",
     "esbuild": "0.25.8",
     "fs-extra": "11.3.1",
@@ -136,5 +118,21 @@
         "description": "Add, remove, or get invited users of your integration."
       }
     }
+  },
+  "scripts": {
+    "build-docs": "ZAPIER_BASE_ENDPOINT='' node scripts/docs.js",
+    "preversion": "git pull && pnpm validate",
+    "precommit": "pnpm build-docs && git add docs",
+    "version": "pnpm build-docs && git add docs/*",
+    "postversion": "git push && git push --tags",
+    "lint": "eslint src",
+    "lint:fix": "eslint --fix src",
+    "test": "cross-env NODE_ENV=test mocha -t 200s --recursive src/tests --exit",
+    "test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 200s --recursive src/tests --exit",
+    "smoke-test": "cross-env NODE_ENV=test mocha -t 6m --recursive src/smoke-tests --exit",
+    "smoke-test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 6m --recursive src/smoke-tests --exit",
+    "validate-templates": "./scripts/validate-app-templates.js",
+    "set-template-versions": "./scripts/set-app-template-versions.js",
+    "validate": "pnpm test && pnpm smoke-test && pnpm lint"
   }
-}
+}

package/src/generators/templates/README.template.md

@@ -6,7 +6,7 @@ These are what you normally do next:
 
 ```bash
 # Install dependencies
-npm install  # or you can use yarn
+npm install  # or you can use pnpm or yarn
 
 # Run tests
 zapier test

package/src/generators/templates/gitignore

@@ -4,6 +4,7 @@ logs
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+pnpm-debug.log*
 
 # Runtime data
 pids
@@ -61,3 +62,5 @@ typings/
 
 # next.js build output
 .next
+
+.pnpm-store/

package/src/utils/build.js

@@ -12,7 +12,7 @@ const colors = require('colors/safe');
 const esbuild = require('esbuild');
 const fse = require('fs-extra');
 const { createUpdateNotifier } = require('./esm-wrapper');
-const decompress = require('decompress');
+const decompress = require('./decompress');
 
 const {
   BUILD_DIR,

package/src/utils/decompress.js

@@ -0,0 +1,121 @@
+// This is a modernized version of the decompress package.
+// Instead of letting decompress import many of its plugins, such as
+// decompress-unzip, decompress-tar, etc, we extracted only the unzip part,
+// so we only depend on decompress-unzip.
+// Original source: https://github.com/kevva/decompress/blob/84a8c104/index.js
+
+const fsP = require('node:fs/promises');
+const path = require('node:path');
+
+const decompressUnzip = require('decompress-unzip');
+
+const safeMakeDir = async (dir, realOutputPath) => {
+  let resolvedPathToCheck;
+
+  try {
+    resolvedPathToCheck = await fsP.realpath(dir);
+  } catch (error) {
+    const parent = path.dirname(dir);
+    resolvedPathToCheck = await safeMakeDir(parent, realOutputPath);
+  }
+
+  // Security check for zip slip vulnerability
+  if (!resolvedPathToCheck.startsWith(realOutputPath)) {
+    throw new Error('Refusing to create a directory outside the output path.');
+  }
+
+  await fsP.mkdir(dir, { recursive: true });
+  return await fsP.realpath(dir);
+};
+
+const preventWritingThroughSymlink = async (destination, realOutputPath) => {
+  let symlinkPointsTo;
+  try {
+    symlinkPointsTo = await fsP.readlink(destination);
+  } catch (error) {
+    // Either no file exists, or it's not a symlink. In either case, this is
+    // not an escape we need to worry about in this phase.
+  }
+
+  if (symlinkPointsTo) {
+    throw new Error('Refusing to write into a symlink');
+  }
+};
+
+const extractItem = async (item, realOutputPath) => {
+  const dest = path.join(realOutputPath, item.path);
+  const mode = item.mode & ~process.umask();
+  const now = new Date();
+
+  if (item.type === 'directory') {
+    await safeMakeDir(dest, realOutputPath);
+    await fsP.utimes(dest, now, item.mtime);
+    return item;
+  }
+
+  await safeMakeDir(path.dirname(dest), realOutputPath);
+
+  if (item.type === 'file') {
+    await preventWritingThroughSymlink(dest, realOutputPath);
+  }
+
+  const realDestinationDir = await fsP.realpath(path.dirname(dest));
+  if (!realDestinationDir.startsWith(realOutputPath)) {
+    throw new Error(
+      'Refusing to write outside output directory: ' + realDestinationDir,
+    );
+  }
+
+  if (item.type === 'symlink') {
+    // Security check to block symlinks pointing outside output directory,
+    // like evil_link -> ../../../../../etc/passwd. We don't throw an error
+    // here, just skip creating the symlink, because there are known zip files
+    // containing such symlinks (such as .editorconfig) that are not essential
+    // to the integration.
+    const absTargetPath = path.resolve(realDestinationDir, item.linkname);
+    const relTargetPath = path.relative(realOutputPath, absTargetPath);
+    if (!relTargetPath.startsWith('..')) {
+      // Windows will have issues with the following line, since creating a
+      // symlink on Windows requires Administrator privilege. But that's fine
+      // because we only run decompress on Windows in CI tests, which do run
+      // with Administrator privilege.
+      await fsP.symlink(item.linkname, dest);
+    }
+  } else {
+    await fsP.writeFile(dest, item.data, { mode });
+    await fsP.utimes(dest, now, item.mtime);
+  }
+
+  return item;
+};
+
+const decompress = async (input, output) => {
+  if (typeof input !== 'string') {
+    throw new TypeError('input must be a file path (string)');
+  }
+
+  if (typeof output !== 'string') {
+    throw new TypeError('output must be a directory path (string)');
+  }
+
+  let fd, buf;
+  try {
+    fd = await fsP.open(input);
+    buf = await fd.readFile();
+  } finally {
+    await fd?.close();
+  }
+
+  // Ensure output directory exists
+  await fsP.mkdir(output, { recursive: true });
+  const realOutputPath = await fsP.realpath(output);
+
+  const items = await decompressUnzip()(buf);
+  return await Promise.all(
+    items.map(async (x) => {
+      return await extractItem(x, realOutputPath);
+    }),
+  );
+};
+
+module.exports = decompress;

package/src/generators/templates/search-or-create/.gitignore

@@ -1,6 +0,0 @@
-build
-docs
-node_modules
-*.log
-.environment
-lib.env