fix: npm pack marks the wrong files as executable #409
This PR fixes an issue where `npm pack` incorrectly marks files as executable if their paths contain the `bin` path as a substring. Specifically, the problem occurs when files located in directories like `src/bin/` are erroneously marked as executable because their paths include the `bin` directory name.

Changes made:

Updated `lib/util/is-package-bin.js`:

- `path` to `filePath` for clarity.
- `'package/'` prefix from `filePath` to get the relative path.
- `filePath` and `binPath` using `path.posix.normalize`.

Ensured Cross-Platform Compatibility:

- `path.posix` to handle paths consistently across different operating systems, particularly important for paths within tarballs.

The issue was caused by improper path manipulation and comparison in `is-package-bin.js`. The original code did not correctly handle nested directories or different path formats, leading to unintended files being marked as executable.

By accurately processing and comparing paths, we ensure that only the exact files specified in the `bin` field of `package.json` are marked as executable. This aligns the behavior of `npm pack` with the expected outcome and prevents potential security risks or execution of unintended scripts.

References
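The comparison this description outlines, as an added example that is not npm's code or part of the pull request. `isBinLoose` is a constructed substring check that reproduces the reported symptom, `isBinStrict` follows the listed steps, and every function name, the sample `pkg` and the tarball entry names are assumptions.

```javascript
// Added example: a sketch of the path comparison described in the PR text.
// All names here are hypothetical; this is not the code in is-package-bin.js.
const path = require('path')

// Collect bin targets from package.json ("bin" may be a string or an object).
const binTargets = (pkg) => {
  if (!pkg || !pkg.bin) return []
  return typeof pkg.bin === 'string' ? [pkg.bin] : Object.values(pkg.bin)
}

// Constructed loose check: any entry whose path contains the bin path matches.
// This reproduces the symptom (src/bin/... treated as a bin file).
const isBinLoose = (pkg, filePath) =>
  binTargets(pkg).some((binPath) =>
    filePath.includes(path.posix.normalize(binPath)))

// Strict check following the description: strip the leading 'package/' prefix,
// normalize both sides with path.posix.normalize, then compare for equality.
const isBinStrict = (pkg, filePath) => {
  const relative = path.posix.normalize(filePath.replace(/^package\//, ''))
  return binTargets(pkg).some((binPath) =>
    path.posix.normalize(binPath) === relative)
}

// Constructed sample: a manifest and the entry names a tarball might hold.
const pkg = { name: 'demo', bin: { demo: './bin/cli.js' } }
const entries = [
  'package/bin/cli.js',      // the declared bin file
  'package/src/bin/cli.js',  // nested directory that merely contains "bin/cli.js"
  'package/bin/cli.js.map',  // shares a prefix with the bin file
  'package/lib/index.js',    // unrelated
]

// Return the entries a given check would mark as executable.
const markedExecutable = (check) => entries.filter((e) => check(pkg, e))

console.log('loose :', markedExecutable(isBinLoose))
console.log('strict:', markedExecutable(isBinStrict))
```

A useful release check built on the same idea is to list the packed tarball's entries and confirm that only the paths named in `bin` carry an execute bit.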