deps: @npmcli/[email protected]

Author: nlf

node_modules/@npmcli/run-script/lib/escape.js

@@ -65,7 +65,13 @@ const sh = (input) => {
   return result
 }
 
+// disabling the no-control-regex rule for this line as we very specifically _do_ want to
+// replace those characters if they somehow exist at this point, which is highly unlikely
+// eslint-disable-next-line no-control-regex
+const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x31]/g, '')
+
 module.exports = {
   cmd,
   sh,
+  filename,
 }

node_modules/@npmcli/run-script/lib/make-spawn-args.js

@@ -30,6 +30,7 @@ const makeSpawnArgs = options => {
     npm_config_node_gyp,
   })
 
+  const fileName = escape.filename(`${event}-${Date.now()}`)
   let scriptFile
   let script = ''
 
@@ -61,7 +62,7 @@ const makeSpawnArgs = options => {
 
     const doubleEscape = pathToInitial.endsWith('.cmd') || pathToInitial.endsWith('.bat')
 
-    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+    scriptFile = resolve(tmpdir(), `${fileName}.cmd`)
     script += '@echo off\n'
     script += cmd
     if (args.length) {
@@ -71,7 +72,7 @@ const makeSpawnArgs = options => {
     const shebang = isAbsolute(scriptShell)
       ? `#!${scriptShell}`
       : `#!/usr/bin/env ${scriptShell}`
-    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+    scriptFile = resolve(tmpdir(), `${fileName}.sh`)
     script += `${shebang}\n`
     script += cmd
     if (args.length) {

node_modules/@npmcli/run-script/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/run-script",
-  "version": "4.1.3",
+  "version": "4.1.4",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
   "author": "GitHub Inc.",
   "license": "ISC",
@@ -17,10 +17,6 @@
     "posttest": "npm run lint",
     "template-oss-apply": "template-oss-apply --force"
   },
-  "tap": {
-    "check-coverage": true,
-    "coverage-map": "map.js"
-  },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
     "@npmcli/template-oss": "3.5.0",

package-lock.json

@@ -93,7 +93,7 @@
         "@npmcli/fs": "^2.1.0",
         "@npmcli/map-workspaces": "^2.0.3",
         "@npmcli/package-json": "^2.0.0",
-        "@npmcli/run-script": "^4.1.3",
+        "@npmcli/run-script": "^4.1.4",
         "abbrev": "~1.1.1",
         "archy": "~1.0.0",
         "cacache": "^16.1.1",
@@ -1042,9 +1042,9 @@
       }
     },
     "node_modules/@npmcli/run-script": {
-      "version": "4.1.3",
-      "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-4.1.3.tgz",
-      "integrity": "sha512-xb47c2KMkn6ERw2AwPPGKIITbWoXOT1yDV5rU3SYeC1vksYOodbgN0pnOptIVnRgS2e9G8R7BVDVm8lWp92unQ==",
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-4.1.4.tgz",
+      "integrity": "sha512-1Qk/EsHBKc40XkN1dF79ztae+ua9jEjDupU0rQgO/k+94t7eFjXGN/baRvA00aEOJuTZ4VjwlC2u+XECImJi5w==",
       "inBundle": true,
       "dependencies": {
         "@npmcli/node-gyp": "^2.0.0",

package.json

@@ -62,7 +62,7 @@
     "@npmcli/fs": "^2.1.0",
     "@npmcli/map-workspaces": "^2.0.3",
     "@npmcli/package-json": "^2.0.0",
-    "@npmcli/run-script": "^4.1.3",
+    "@npmcli/run-script": "^4.1.4",
     "abbrev": "~1.1.1",
     "archy": "~1.0.0",
     "cacache": "^16.1.1",