zapier-platform-cli 18.0.1 → 18.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zapier-platform-cli",
-  "version": "18.0.1",
+  "version": "18.0.6",
   "description": "The CLI for managing integrations in Zapier Developer Platform.",
   "repository": "zapier/zapier-platform",
   "homepage": "https://platform.zapier.com/",
@@ -20,24 +20,6 @@
   "engines": {
     "node": ">=18.20"
   },
-  "scripts": {
-    "docs": "ZAPIER_BASE_ENDPOINT='' node scripts/docs.js",
-    "preversion": "git pull && yarn validate",
-    "prepack": "oclif manifest",
-    "postpack": "rimraf oclif.manifest.json",
-    "precommit": "yarn docs && git add docs",
-    "version": "yarn docs && git add docs/*",
-    "postversion": "git push && git push --tags",
-    "lint": "eslint src",
-    "lint:fix": "eslint --fix src",
-    "test": "cross-env NODE_ENV=test mocha -t 200s --recursive src/tests --exit",
-    "test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 200s --recursive src/tests --exit",
-    "smoke-test": "cross-env NODE_ENV=test mocha -t 6m --recursive src/smoke-tests --exit",
-    "smoke-test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 6m --recursive src/smoke-tests --exit",
-    "validate-templates": "./scripts/validate-app-templates.js",
-    "set-template-versions": "./scripts/set-app-template-versions.js",
-    "validate": "yarn test && yarn smoke-test && yarn lint"
-  },
   "dependencies": {
     "@oclif/core": "4.5.2",
     "@oclif/plugin-autocomplete": "3.2.34",
@@ -50,7 +32,7 @@
     "cli-table3": "0.6.5",
     "colors": "1.4.0",
     "debug": "4.4.1",
-    "decompress": "4.2.1",
+    "decompress-unzip": "4.0.1",
     "dotenv": "17.2.1",
     "esbuild": "0.25.8",
     "fs-extra": "11.3.1",
@@ -71,7 +53,7 @@
     "semver": "7.7.2",
     "string-length": "4.0.2",
     "through2": "4.0.2",
-    "tmp": "0.2.4",
+    "tmp": "0.2.5",
     "traverse": "0.6.11",
     "update-notifier": "7.3.1",
     "yeoman-environment": "4.4.3",
@@ -136,5 +118,21 @@
         "description": "Add, remove, or get invited users of your integration."
       }
     }
+  },
+  "scripts": {
+    "build-docs": "ZAPIER_BASE_ENDPOINT='' node scripts/docs.js",
+    "preversion": "git pull && pnpm validate",
+    "precommit": "pnpm build-docs && git add docs",
+    "version": "pnpm build-docs && git add docs/*",
+    "postversion": "git push && git push --tags",
+    "lint": "eslint src",
+    "lint:fix": "eslint --fix src",
+    "test": "cross-env NODE_ENV=test mocha -t 200s --recursive src/tests --exit",
+    "test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 200s --recursive src/tests --exit",
+    "smoke-test": "cross-env NODE_ENV=test mocha -t 6m --recursive src/smoke-tests --exit",
+    "smoke-test:debug": "cross-env NODE_ENV=test node inspect ../../node_modules/.bin/mocha -t 6m --recursive src/smoke-tests --exit",
+    "validate-templates": "./scripts/validate-app-templates.js",
+    "set-template-versions": "./scripts/set-app-template-versions.js",
+    "validate": "pnpm test && pnpm smoke-test && pnpm lint"
   }
-}
+}

package/src/generators/templates/README.template.md

@@ -6,7 +6,7 @@ These are what you normally do next:
 
 ```bash
 # Install dependencies
-npm install  # or you can use yarn
+npm install  # or you can use pnpm or yarn
 
 # Run tests
 zapier test

package/src/generators/templates/gitignore

@@ -4,6 +4,7 @@ logs
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+pnpm-debug.log*
 
 # Runtime data
 pids
@@ -61,3 +62,5 @@ typings/
 
 # next.js build output
 .next
+
+.pnpm-store/

package/src/oclif/commands/build.js

@@ -12,11 +12,11 @@ const colors = require('colors/safe');
 
 class BuildCommand extends BaseCommand {
   async perform() {
-    const skipNpmInstall = this.flags['skip-npm-install'];
+    const skipDepInstall = this.flags['skip-dep-install'];
     await buildAndOrUpload(
       { build: true },
       {
-        skipNpmInstall,
+        skipDepInstall,
         disableDependencyDetection: this.flags['disable-dependency-detection'],
         skipValidation: this.flags['skip-validation'],
       },
@@ -27,9 +27,9 @@ class BuildCommand extends BaseCommand {
         `Now you can upload them with the ${colors.bold.underline('zapier upload')} command.`,
     );
 
-    if (!skipNpmInstall) {
+    if (!skipDepInstall) {
       this.log(
-        `\nTip: Try ${colors.bold.underline('zapier build --skip-npm-install')} for faster builds.`,
+        `\nTip: Try ${colors.bold.underline('zapier build --skip-dep-install')} for faster builds.`,
       );
     }
   }
@@ -40,9 +40,10 @@ BuildCommand.flags = buildFlags({
     'disable-dependency-detection': Flags.boolean({
       description: `Disable "smart" file inclusion. By default, Zapier only includes files that are required by your entry point (\`index.js\` by default). If you (or your dependencies) require files dynamically (such as with \`require(someVar)\`), then you may see "Cannot find module" errors. Disabling this may make your \`build.zip\` too large. If that's the case, try using the \`includeInBuild\` option in your \`${CURRENT_APP_FILE}\`. See the docs about \`includeInBuild\` for more info.`,
     }),
-    'skip-npm-install': Flags.boolean({
+    'skip-dep-install': Flags.boolean({
+      aliases: ['skip-npm-install'],
       description:
-        'Skips installing a fresh copy of npm dependencies for shorter build time. Helpful for using yarn, pnpm, or local copies of dependencies.',
+        '[alias: --skip-npm-install]\nSkips installing a fresh copy of dependencies for shorter build time. Helpful for using yarn, pnpm, or local copies of dependencies.',
     }),
     'skip-validation': Flags.boolean({
       description:

package/src/oclif/commands/push.js

@@ -8,7 +8,7 @@ const BuildCommand = require('./build');
 const { buildAndOrUpload } = require('../../utils/build');
 class PushCommand extends ZapierBaseCommand {
   async perform() {
-    const skipNpmInstall = this.flags['skip-npm-install'];
+    const skipDepInstall = this.flags['skip-dep-install'];
 
     const snapshotLabel = this.flags.snapshot;
     if (snapshotLabel && snapshotLabel.length > 12) {
@@ -22,7 +22,7 @@ class PushCommand extends ZapierBaseCommand {
     await buildAndOrUpload(
       { build: true, upload: true },
       {
-        skipNpmInstall,
+        skipDepInstall,
         disableDependencyDetection: this.flags['disable-dependency-detection'],
         skipValidation: this.flags['skip-validation'],
         overwritePartnerChanges: this.flags['overwrite-partner-changes'],
@@ -33,9 +33,9 @@ class PushCommand extends ZapierBaseCommand {
       `\nPush complete! Built ${BUILD_PATH} and ${SOURCE_PATH} and uploaded them to Zapier.`,
     );
 
-    if (!skipNpmInstall) {
+    if (!skipDepInstall) {
       this.log(
-        `\nTip: Try ${colors.bold.underline('zapier push --skip-npm-install')} for faster builds.`,
+        `\nTip: Try ${colors.bold.underline('zapier push --skip-dep-install')} for faster builds.`,
       );
     }
   }

package/src/utils/build.js

@@ -12,7 +12,7 @@ const colors = require('colors/safe');
 const esbuild = require('esbuild');
 const fse = require('fs-extra');
 const { createUpdateNotifier } = require('./esm-wrapper');
-const decompress = require('decompress');
+const decompress = require('./decompress');
 
 const {
   BUILD_DIR,
@@ -46,6 +46,7 @@ const { findCorePackageDir, isWindows, runCommand } = require('./misc');
 const { isBlocklisted, respectGitIgnore } = require('./ignore');
 const { localAppCommand } = require('./local');
 const { throwForInvalidVersion } = require('./version');
+const { getPackageManager } = require('./package-manager');
 
 const debug = require('debug')('zapier:build');
 
@@ -592,7 +593,7 @@ const testBuildZip = async (zipPath) => {
 
 const _buildFunc = async (
   {
-    skipNpmInstall = false,
+    skipDepInstall = false,
     disableDependencyDetection = false,
     skipValidation = false,
     printProgress = true,
@@ -609,7 +610,7 @@ const _buildFunc = async (
   const appDir = process.cwd();
 
   let workingDir;
-  if (skipNpmInstall) {
+  if (skipDepInstall) {
     workingDir = appDir;
     debug('Building in app directory: ', workingDir);
   } else {
@@ -628,16 +629,25 @@ const _buildFunc = async (
   const buildDir = path.join(appDir, BUILD_DIR);
   await fse.ensureDir(buildDir);
 
-  if (!skipNpmInstall) {
+  if (!skipDepInstall) {
     maybeStartSpinner('Copying project to temp directory');
     const copyFilter = (src) => !src.endsWith('.zip');
     await copyDir(appDir, workingDir, { filter: copyFilter });
 
     maybeEndSpinner();
-    maybeStartSpinner('Installing project dependencies');
-    const output = await runCommand('npm', ['install', '--production'], {
-      cwd: workingDir,
-    });
+    const packageManager = await getPackageManager();
+
+    maybeStartSpinner(
+      `Installing project dependencies using ${packageManager.executable}`,
+    );
+
+    const output = await runCommand(
+      packageManager.executable,
+      ['install', '--production'],
+      {
+        cwd: workingDir,
+      },
+    );
 
     // `npm install` may fail silently without returning a non-zero exit code,
     // need to check further here
@@ -744,7 +754,7 @@ const _buildFunc = async (
 
   maybeEndSpinner();
 
-  if (skipNpmInstall) {
+  if (skipDepInstall) {
     maybeStartSpinner('Cleaning up temp files');
     await deleteZapierWrapper(workingDir);
     fs.rmSync(path.join(workingDir, 'definition.json'));

package/src/utils/decompress.js

@@ -0,0 +1,121 @@
+// This is a modernized version of the decompress package.
+// Instead of letting decompress import many of its plugins, such as
+// decompress-unzip, decompress-tar, etc, we extracted only the unzip part,
+// so we only depend on decompress-unzip.
+// Original source: https://github.com/kevva/decompress/blob/84a8c104/index.js
+
+const fsP = require('node:fs/promises');
+const path = require('node:path');
+
+const decompressUnzip = require('decompress-unzip');
+
+const safeMakeDir = async (dir, realOutputPath) => {
+  let resolvedPathToCheck;
+
+  try {
+    resolvedPathToCheck = await fsP.realpath(dir);
+  } catch (error) {
+    const parent = path.dirname(dir);
+    resolvedPathToCheck = await safeMakeDir(parent, realOutputPath);
+  }
+
+  // Security check for zip slip vulnerability
+  if (!resolvedPathToCheck.startsWith(realOutputPath)) {
+    throw new Error('Refusing to create a directory outside the output path.');
+  }
+
+  await fsP.mkdir(dir, { recursive: true });
+  return await fsP.realpath(dir);
+};
+
+const preventWritingThroughSymlink = async (destination, realOutputPath) => {
+  let symlinkPointsTo;
+  try {
+    symlinkPointsTo = await fsP.readlink(destination);
+  } catch (error) {
+    // Either no file exists, or it's not a symlink. In either case, this is
+    // not an escape we need to worry about in this phase.
+  }
+
+  if (symlinkPointsTo) {
+    throw new Error('Refusing to write into a symlink');
+  }
+};
+
+const extractItem = async (item, realOutputPath) => {
+  const dest = path.join(realOutputPath, item.path);
+  const mode = item.mode & ~process.umask();
+  const now = new Date();
+
+  if (item.type === 'directory') {
+    await safeMakeDir(dest, realOutputPath);
+    await fsP.utimes(dest, now, item.mtime);
+    return item;
+  }
+
+  await safeMakeDir(path.dirname(dest), realOutputPath);
+
+  if (item.type === 'file') {
+    await preventWritingThroughSymlink(dest, realOutputPath);
+  }
+
+  const realDestinationDir = await fsP.realpath(path.dirname(dest));
+  if (!realDestinationDir.startsWith(realOutputPath)) {
+    throw new Error(
+      'Refusing to write outside output directory: ' + realDestinationDir,
+    );
+  }
+
+  if (item.type === 'symlink') {
+    // Security check to block symlinks pointing outside output directory,
+    // like evil_link -> ../../../../../etc/passwd. We don't throw an error
+    // here, just skip creating the symlink, because there are known zip files
+    // containing such symlinks (such as .editorconfig) that are not essential
+    // to the integration.
+    const absTargetPath = path.resolve(realDestinationDir, item.linkname);
+    const relTargetPath = path.relative(realOutputPath, absTargetPath);
+    if (!relTargetPath.startsWith('..')) {
+      // Windows will have issues with the following line, since creating a
+      // symlink on Windows requires Administrator privilege. But that's fine
+      // because we only run decompress on Windows in CI tests, which do run
+      // with Administrator privilege.
+      await fsP.symlink(item.linkname, dest);
+    }
+  } else {
+    await fsP.writeFile(dest, item.data, { mode });
+    await fsP.utimes(dest, now, item.mtime);
+  }
+
+  return item;
+};
+
+const decompress = async (input, output) => {
+  if (typeof input !== 'string') {
+    throw new TypeError('input must be a file path (string)');
+  }
+
+  if (typeof output !== 'string') {
+    throw new TypeError('output must be a directory path (string)');
+  }
+
+  let fd, buf;
+  try {
+    fd = await fsP.open(input);
+    buf = await fd.readFile();
+  } finally {
+    await fd?.close();
+  }
+
+  // Ensure output directory exists
+  await fsP.mkdir(output, { recursive: true });
+  const realOutputPath = await fsP.realpath(output);
+
+  const items = await decompressUnzip()(buf);
+  return await Promise.all(
+    items.map(async (x) => {
+      return await extractItem(x, realOutputPath);
+    }),
+  );
+};
+
+module.exports = decompress;

package/src/utils/misc.js

@@ -151,7 +151,7 @@ const isValidAppInstall = () => {
 };
 
 const npmInstall = (appDir) => {
-  return runCommand('npm', ['install'], { cwd: appDir });
+  return runCommand('npm', ['install', '--ignore-scripts'], { cwd: appDir });
 };
 
 /*

package/src/utils/package-manager.js

@@ -1,39 +1,56 @@
-const { pathExists } = require('fs-extra');
+const { pathExists, readFile } = require('fs-extra');
 const path = require('path');
 
-const packageManagers = [
-  {
+const packageManagers = {
+  npm: {
     lockFile: 'package-lock.json',
     forceFlag: undefined,
     executable: 'npm',
     useDoubleHyphenBeforeArgs: true,
   },
-  {
+  yarn: {
     lockFile: 'yarn.lock',
     forceFlag: 'yarn',
     executable: 'yarn',
     useDoubleHyphenBeforeArgs: false, // yarn gives a warning if we include `--`
   },
-  {
+  pnpm: {
     lockFile: 'pnpm-lock.yaml',
     forceFlag: 'pnpm',
     executable: 'pnpm',
     useDoubleHyphenBeforeArgs: true,
   },
-];
+  bun: {
+    lockFile: 'bun.lock',
+    forceFlag: 'bun',
+    executable: 'bun',
+    useDoubleHyphenBeforeArgs: false,
+  },
+};
+
+const defaultPackageManager = packageManagers.npm;
+
+const getPackageManager = async (flags = {}) => {
+  for (const config of Object.values(packageManagers)) {
+    if (config.forceFlag && flags[config.forceFlag]) {
+      return config;
+    }
+  }
 
-const defaultPackageManager = packageManagers[0];
+  const packageJsonPath = path.join(process.cwd(), 'package.json');
+  if (await pathExists(packageJsonPath)) {
+    const packageJson = JSON.parse(await readFile(packageJsonPath, 'utf-8'));
 
-const getPackageManager = async (flags) => {
-  for (const man of packageManagers) {
-    if (flags[man.forceFlag]) {
-      return man;
+    for (const man of Object.keys(packageManagers)) {
+      if (packageJson.packageManager?.startsWith(man)) {
+        return packageManagers[man];
+      }
     }
   }
 
-  for (const man of packageManagers) {
-    if (await pathExists(path.join(process.cwd(), man.lockFile))) {
-      return man;
+  for (const config of Object.values(packageManagers)) {
+    if (await pathExists(path.join(process.cwd(), config.lockFile))) {
+      return config;
     }
   }