pacote

fix: npm pack marks the wrong files as executable

Open kchindam-infy opened this issue 1 year ago • 0 comments

This PR fixes an issue where npm pack incorrectly marks files as executable if their paths contain the bin path as a substring. Specifically, the problem occurs when files located in directories like src/bin/ are erroneously marked as executable because their paths include the bin directory name.

Changes made:

  • Updated lib/util/is-package-bin.js:

    • Changed the parameter name from path to filePath for clarity.
    • Removed the unreliable regular expression used to manipulate the path.
    • Introduced proper path handling by:
      • Removing the 'package/' prefix from filePath to get the relative path.
      • Normalizing both filePath and binPath using path.posix.normalize.
      • Comparing the normalized paths for an exact match.
  • Ensured Cross-Platform Compatibility:

    • Used path.posix to handle paths consistently across different operating systems, particularly important for paths within tarballs.

The issue was caused by improper path manipulation and comparison in is-package-bin.js. The original code did not correctly handle nested directories or different path formats, leading to unintended files being marked as executable.

By accurately processing and comparing paths, we ensure that only the exact files specified in the bin field of package.json are marked as executable. This aligns the behavior of npm pack with the expected outcome and prevents potential security risks or execution of unintended scripts.


kchindam-infy, Oct 16 '24 19:10