fix(npm): warn when tarball contains hardlink or symlink (#19474)

This is to help us get some visibility into whether we need to support
this.
David Sherret 2023-06-13 09:48:13 -04:00 committed by GitHub
parent 3191ffdaaf
commit 5348778666


@ -107,8 +107,26 @@ fn extract_tarball(data: &[u8], output_folder: &Path) -> Result<(), AnyError> {
)
}
}
if entry.header().entry_type() == EntryType::Regular {
entry.unpack(&absolute_path)?;
let entry_type = entry.header().entry_type();
match entry_type {
EntryType::Regular => {
entry.unpack(&absolute_path)?;
}
EntryType::Symlink | EntryType::Link => {
// At the moment, npm doesn't seem to support uploading hardlinks or
// symlinks to the npm registry. If ever adding symlink or hardlink
// support, we will need to validate that the hardlink and symlink
// target are within the package directory.
log::warn!(
"Ignoring npm tarball entry type {:?} for '{}'",
entry_type,
absolute_path.display()
)
}
_ => {
// ignore
}
}
}
Ok(())
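Review bot: The new `log::warn!` call formats the path with `absolute_path.display()`, which writes the name unescaped, so an entry name containing newlines or terminal escape sequences would reach the log verbatim (this assumes `absolute_path` is derived from the tarball entry's path above this hunk, which is not visible here). Debug-formatting the path escapes those characters: `"Ignoring npm tarball entry type {:?} for {:?}",` with `absolute_path` passed directly. Since the stated goal is visibility, logging `entry.link_name()` the same way would show whether a reported link target points outside the package directory. The `_ => { // ignore }` arm would also be clearer with a comment naming the entry types it is meant to skip. `extract_tarball` begins above this hunk, so the earlier path handling could not be checked.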