shescape - npm Package Compare versions

Comparing version 2.0.1 to 2.0.2

8

CHANGELOG.md

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC0-1.0 -->
# Changelog

@@ -12,2 +14,6 @@

## [2.0.2] - 2023-11-19
- Harden against polluted prototypes. ([#1280], [#1285])
## [2.0.1] - 2023-10-28

@@ -322,4 +328,6 @@

[#1149]: https://github.com/ericcornelissen/shescape/pull/1149
[#1280]: https://github.com/ericcornelissen/shescape/pull/1280
[#1285]: https://github.com/ericcornelissen/shescape/pull/1285
[552e8ea]: https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
[keep a changelog]: https://keepachangelog.com/en/1.0.0/
[semantic versioning]: https://semver.org/spec/v2.0.0.html

2

docs/api.md

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
# Shescape API

@@ -2,0 +4,0 @@

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
# Shescape Recipes

@@ -2,0 +4,0 @@

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
# Testing with Shescape

@@ -2,0 +4,0 @@

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
# Tips

@@ -2,0 +4,0 @@

2

index.js

@@ -7,3 +7,3 @@ /**

* @module shescape
* @version 2.0.1
* @version 2.0.2
* @license MPL-2.0

@@ -10,0 +10,0 @@ */

{
"name": "shescape",
"version": "2.0.1",
"version": "2.0.2",
"description": "simple shell escape library",

@@ -55,3 +55,3 @@ "homepage": "https://github.com/ericcornelissen/shescape#readme",

"devDependencies": {
"@arethetypeswrong/cli": "0.12.2",
"@arethetypeswrong/cli": "0.13.0",
"@ericcornelissen/eslint-plugin-top": "2.1.0",

@@ -63,9 +63,8 @@ "@fast-check/ava": "1.1.6",

"ava": "5.3.1",
"benchmark": "2.1.4",
"better-npm-audit": "3.7.3",
"c8": "8.0.1",
"dotenv": "16.3.1",
"eslint": "8.52.0",
"eslint": "8.53.0",
"eslint-plugin-ava": "14.0.0",
"eslint-plugin-jsdoc": "46.8.2",
"eslint-plugin-jsdoc": "46.9.0",
"eslint-plugin-jsonc": "2.10.0",

@@ -77,11 +76,11 @@ "eslint-plugin-regexp": "2.1.1",

"is-ci": "3.0.1",
"knip": "2.38.1",
"knip": "2.41.3",
"licensee": "10.0.0",
"markdownlint-cli": "0.37.0",
"nve": "16.1.1",
"prettier": "3.0.3",
"nve": "17.0.0",
"prettier": "3.1.0",
"publint": "0.2.4",
"rollup": "4.1.4",
"shescape-previous": "npm:shescape@2.0.0",
"sinon": "17.0.0"
"rollup": "4.4.0",
"shescape-previous": "npm:shescape@2.0.1",
"sinon": "17.0.1"
},

@@ -99,18 +98,17 @@ "scripts": {

"prevet:package.json": "npm run transpile",
"_eslint": "eslint . --report-unused-disable-directives",
"_eslint": "eslint . --config config/eslint.yml --report-unused-disable-directives",
"_prettier": "prettier . --ignore-path .gitignore",
"audit": "better-npm-audit audit",
"audit:runtime": "better-npm-audit audit --production",
"benchmark": "node bench/bench.js",
"clean": "node script/clean.js",
"coverage": "npm run coverage:unit && npm run coverage:integration && npm run coverage:e2e && npm run coverage:compat && npm run coverage:breakage",
"coverage:breakage": "c8 --config .c8/breakage.json npm run test:breakage",
"coverage:compat": "c8 --config .c8/compat.json npm run test:compat",
"coverage:breakage": "c8 --config config/c8/breakage.json npm run test:breakage",
"coverage:compat": "c8 --config config/c8/compat.json npm run test:compat",
"coverage:e2e": "node script/run-platform-coverage.js e2e",
"coverage:e2e:unix": "c8 --config .c8/e2e-unix.json npm run test:e2e",
"coverage:e2e:win": "c8 --config .c8/e2e-win.json npm run test:e2e",
"coverage:e2e:unix": "c8 --config config/c8/e2e-unix.json npm run test:e2e",
"coverage:e2e:win": "c8 --config config/c8/e2e-win.json npm run test:e2e",
"coverage:integration": "node script/run-platform-coverage.js integration",
"coverage:integration:unix": "c8 --config .c8/integration-unix.json npm run test:integration",
"coverage:integration:win": "c8 --config .c8/integration-win.json npm run test:integration",
"coverage:unit": "c8 --config .c8/unit.json npm run test:unit",
"coverage:integration:unix": "c8 --config config/c8/integration-unix.json npm run test:integration",
"coverage:integration:win": "c8 --config config/c8/integration-win.json npm run test:integration",
"coverage:unit": "c8 --config config/c8/unit.json npm run test:unit",
"format": "npm run _prettier -- --write",

@@ -124,8 +122,8 @@ "format:check": "npm run _prettier -- --check",

"lint:json": "npm run _eslint -- --ext .json,.jsonc",
"lint:md": "markdownlint --dot --ignore-path .gitignore .",
"lint:md": "markdownlint --config config/markdownlint.yml --dot --ignore-path .gitignore .",
"lint:sh": "node script/maybe-run.js shellcheck script/hooks/*.sh script/hooks/pre-*",
"lint:yml": "npm run _eslint -- --ext .yml",
"mutation": "npm run mutation:unit && npm run mutation:integration",
"mutation:integration": "stryker run stryker.integration.config.js",
"mutation:unit": "stryker run stryker.unit.config.js",
"mutation:integration": "stryker run config/stryker/integration.js",
"mutation:unit": "stryker run config/stryker/unit.js",
"test": "npm run test:unit && npm run test:integration && npm run test:e2e && npm run test:compat && npm run test:breakage",

@@ -138,8 +136,8 @@ "test:breakage": "ava test/breakage/**/*.test.js",

"test:unit": "ava test/unit/**/*.test.js",
"transpile": "rollup --config rollup.config.js && node script/create-d-cts.js",
"transpile": "rollup --config config/rollup.js && node script/create-d-cts.js",
"verify": "npm run format:check && npm run license-check && npm run lint && npm run coverage && npm run vet",
"vet": "npm run vet:deps && npm run vet:package.json",
"vet:deps": "knip --config .knip.jsonc",
"vet:deps": "knip --config config/knip.jsonc",
"vet:package.json": "publint --strict && attw --pack ."
}
}

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
# Shescape

@@ -81,2 +83,9 @@

Supporting code, such a scripts and tests, is generally licensed under the `MIT`
license. However, individual files may be licensed differently depending on the
intend or origin.
The license under which a given file is available can always be found in the
file's banner comment.
[ci-url]: https://github.com/ericcornelissen/shescape/actions/workflows/checks.yml

@@ -83,0 +92,0 @@ [ci-image]: https://github.com/ericcornelissen/shescape/actions/workflows/checks.yml/badge.svg

@@ -0,1 +1,3 @@

<!-- SPDX-License-Identifier: CC0-1.0 -->
# Security Policy

@@ -40,17 +42,27 @@

### What to Report (Threat Model)
### What to Report
Consider if the issue you found really is a security concern. Below you can find
guidelines for what is and isn't considered a security issue. Any issue that
does not fall into one of the listed categories should be reported based on your
own judgement. If in doubt, report the issue privately.
Any issue that is out of scope should still be reported, but can be reported
publicly because it is not considered sensitive.
#### In Scope
- Insecure suggestions or snippets in the documentation.
- Insufficient escaping for any supported shell.
- Logic bugs with a security implication (e.g. unexpected throw) that can be
triggered through the public API.
- Logic bugs with a security implication that can be triggered through the
public API.
- Security misconfigurations in the continuous integration pipeline or software
supply chain.
- Insecure suggestions or snippets in the documentation.
#### Out of Scope
- Bugs only affecting the `shescape/testing` module.
- Insecure defaults or confusing API design.
- Insufficient escaping for any unsupported shell.
- Known vulnerabilities in third-party `dependencies` or `devDependencies`.
- Bugs only affecting the `shescape/testing` module.

@@ -57,0 +69,0 @@ ### What to Include in a Report

@@ -6,2 +6,4 @@ /**

import { hasOwn } from "./reflection.js";
/**

@@ -41,3 +43,8 @@ * Build error messages for when executables cannot be found.

try {
resolved = which(resolved, { path: env.PATH || env.Path });
const path = hasOwn(env, "PATH")
? env.PATH
: hasOwn(env, "Path")
? env.Path
: undefined;
resolved = which(resolved, { path });
} catch (_) {

@@ -44,0 +51,0 @@ throw new Error(notFoundError(executable));
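Review bot: The new `const path = …` lookup changes the fallback semantics of the `env.PATH || env.Path` it replaces: an own `PATH` whose value is the empty string is now handed to `which` as `""` rather than falling through to `Path`, and an own `PATH` explicitly set to `undefined` no longer consults `Path` either. That is plausibly the intent of the hardening (an own property wins even when falsy, only inherited and possibly polluted values are ignored), but it deserves a one-line comment so nobody "fixes" it back, e.g. `// Own properties win even when falsy; only inherited (possibly polluted) values are ignored.` If the old fall-through on an empty value is wanted, `const path = (hasOwn(env, "PATH") && env.PATH) || (hasOwn(env, "Path") && env.Path) || undefined;` keeps it while still skipping inherited properties. The enclosing function starts and ends outside the hunk, and what `which` does with `path: undefined` is not visible here.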

@@ -7,3 +7,3 @@ /**

import { resolveExecutable } from "./executables.js";
import { isString } from "./reflection.js";
import { hasOwn, isString } from "./reflection.js";

@@ -34,4 +34,2 @@ /**

* @param {object} args.options The options for escaping.
* @param {boolean} [args.options.flagProtection] Is flag protection enabled.
* @param {boolean | string} [args.options.shell=true] The shell to escape for.
* @param {object} deps The dependencies for this function.

@@ -45,5 +43,10 @@ * @param {Function} deps.getDefaultShell Function to get the default shell.

export function parseOptions(
{ env, options: { flagProtection, shell } },
{ env, options },
{ getDefaultShell, getShellName, isShellSupported },
) {
let flagProtection = hasOwn(options, "flagProtection")
? options.flagProtection
: undefined;
let shell = hasOwn(options, "shell") ? options.shell : undefined;
flagProtection =

@@ -50,0 +53,0 @@ flagProtection === undefined ? true : flagProtection ? true : false;
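Review bot: The `@@ -34,4 +34,2 @@` hunk drops the two JSDoc lines for `args.options.flagProtection` and `args.options.shell`, yet those are exactly the keys parseOptions now reads via `hasOwn(options, "flagProtection")` and `hasOwn(options, "shell")`, so the function's contract is less documented after the change than before. Keep them: `* @param {boolean} [args.options.flagProtection] Is flag protection enabled.` and `* @param {boolean | string} [args.options.shell=true] The shell to escape for.`. Note also that `hasOwn(options, …)` throws a TypeError when `options` is `null` or `undefined`, just as the removed destructuring did; if callers of the public API may omit the options object, a destructuring default such as `{ env, options = {} }` in the parameter list would avoid that. The body of parseOptions continues past the end of the hunk.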

@@ -7,2 +7,3 @@ /**

import { hasOwn } from "./reflection.js";
import * as unix from "./unix.js";

@@ -44,3 +45,4 @@ import * as win from "./win.js";

function isWindow({ env, platform }) {
return env.OSTYPE === cygwin || env.OSTYPE === msys || platform === win32;
const osType = hasOwn(env, "OSTYPE") ? env.OSTYPE : undefined;
return osType === cygwin || osType === msys || platform === win32;
}

@@ -47,0 +49,0 @@

@@ -32,2 +32,16 @@ /**

/**
* Check if the given object has the given property as an own property.
*
* This custom function is used over `Object.hasOwn` because that isn't
* available in all supported Node.js versions.
*
* @param {object} object The object of interest.
* @param {string} property The property of interest.
* @returns {boolean} `true` if property is an own-property, `false` otherwise.
*/
export function hasOwn(object, property) {
return Object.prototype.hasOwnProperty.call(object, property);
}
/**
* Checks if a value can be converted into a string and converts it if possible.

@@ -34,0 +48,0 @@ *
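Review bot: `hasOwn` throws a TypeError from `Object.prototype.hasOwnProperty.call` when `object` is `null` or `undefined`, but the docblock does not say so, and the new callers in this change pass `env` and `options` objects straight through. Add `* @throws {TypeError} If `object` is `null` or `undefined`.` to the JSDoc so callers know the precondition. The comment already explains the helper exists because `Object.hasOwn` is not available on every supported Node.js version; a `// TODO: replace with Object.hasOwn once every supported Node.js version provides it` line would record when it can be removed. Returning `true` for an own property whose value is `undefined` appears to be intended for the prototype-pollution hardening and is worth stating in the `@returns` text.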

@@ -15,2 +15,3 @@ /**

import { noShell } from "./options.js";
import { hasOwn } from "./reflection.js";

@@ -41,6 +42,6 @@ /**

* @param {Object<string, string>} args.env The environment variables.
* @param {string} [args.env.ComSpec] The %COMSPEC% value.
* @returns {string} The default shell.
*/
export function getDefaultShell({ env: { ComSpec } }) {
export function getDefaultShell({ env }) {
const ComSpec = hasOwn(env, "ComSpec") ? env.ComSpec : undefined;
if (ComSpec !== undefined) {

@@ -47,0 +48,0 @@ return ComSpec;

@@ -0,1 +1,6 @@

/**
* @overview Contains TypeScript type definitions for shescape/testing.
* @license MPL-2.0
*/
import type { Shescape as ShescapeType } from "shescape";

@@ -2,0 +7,0 @@
