@@ -46,15 +46,14 @@ function normalizePackageBin (pkg, changes) {

changes?.push(`removed invalid "bin[${binKey}]"`)

continue

}

const base = path.join('/', path.basename(binKey.replace(/\\|:/g, '/'))).slice(1)

const base = path.basename(secureAndUnixifyPath(binKey))

if (!base) {

delete pkg.bin[binKey]

changes?.push(`removed invalid "bin[${binKey}]"`)

continue

}

const binTarget = path.join('/', pkg.bin[binKey].replace(/\\/g, '/'))

.replace(/\\/g, '/').slice(1)

const binTarget = secureAndUnixifyPath(pkg.bin[binKey])

if (!binTarget) {

delete pkg.bin[binKey]

@@ -83,6 +82,27 @@ function normalizePackageBin (pkg, changes) {

delete pkg.bin

}

function normalizePackageMan (pkg, changes) {

if (pkg.man) {

const mans = []

for (const man of (Array.isArray(pkg.man) ? pkg.man : [pkg.man])) {

if (typeof man !== 'string') {

changes?.push(`removed invalid "man [${man}]"`)

} else {

mans.push(secureAndUnixifyPath(man))

}

}

if (!mans.length) {

changes?.push('empty "man" was removed')

} else {

pkg.man = mans

return pkg

}

}

delete pkg.man

}

function isCorrectlyEncodedName (spec) {

return !spec.match(/[/@\s+%:]/) &&

spec === encodeURIComponent(spec)

@@ -103,6 +123,19 @@ function isValidScopedPackageName (spec) {

rest[1] === encodeURIComponent(rest[1])

}

function unixifyPath (ref) {

return ref.replace(/\\|:/g, '/')

}

function securePath (ref) {

const secured = path.join('.', path.join('/', unixifyPath(ref)))

return secured.startsWith('.') ? '' : secured

}

function secureAndUnixifyPath (ref) {

return unixifyPath(securePath(ref))

}

// We don't want the `changes` array in here by default because this is a hot

// path for parsing packuments during install. So the calling method passes it

// in if it wants to track changes.

@@ -251,7 +284,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })

// strip "node_modules/.bin" from scripts entries

// remove invalid scripts entries (non-strings)

if (steps.includes('scripts') || steps.includes('scriptpath')) {

if ((steps.includes('scripts') || steps.includes('scriptpath')) && data.scripts !== undefined) {

const spre = /^(\.[/\\])?node_modules[/\\].bin[\\/]/

if (typeof data.scripts === 'object') {

for (const name in data.scripts) {

@@ -325,13 +358,16 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })

}

// expand directories.man

if (steps.includes('mans') && !data.man && data.directories?.man) {

const manDir = data.directories.man

const cwd = path.resolve(pkg.path, manDir)

const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })

data.man = files.map(man =>

path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')

)

if (steps.includes('mans')) {

if (data.directories?.man && !data.man) {

const manDir = secureAndUnixifyPath(data.directories.man)

const cwd = path.resolve(pkg.path, manDir)

const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })

data.man = files.map(man =>

path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')

)

}

normalizePackageMan(data, changes)

}

if (steps.includes('bin') || steps.includes('binDir') || steps.includes('binRefs')) {

@@ -340,7 +376,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })

// expand "directories.bin"

if (steps.includes('binDir') && data.directories?.bin && !data.bin) {

const binsDir = path.resolve(pkg.path, path.join('.', path.join('/', data.directories.bin)))

const binsDir = path.resolve(pkg.path, securePath(data.directories.bin))

const bins = await lazyLoadGlob()('**', { cwd: binsDir })

data.bin = bins.reduce((acc, binFile) => {

if (binFile && !binFile.startsWith('.')) {