dfinity / vessel

The original package manager for Motoko
Apache License 2.0

Add `vessel install --force` #56

Closed (rvanasa closed 2 years ago)

rvanasa commented 2 years ago

Resolves #55 by adding an optional `--force` / `-f` flag to `vessel install`.

Since this feature requires behavior equivalent to `rm -rf`, this PR also fixes a potentially major vulnerability in the form of using unsanitized package names or versions containing `..`, `/`, or `~`, making it possible to modify (or delete) any directory on a user's machine. I fixed this by adding basic package name/version validation with the following rules:

This validation could break backwards-compatibility with some unusually-named packages, but this seems to be worth it for security reasons.
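An added illustration of the kind of name/version check the comment above describes, applied before a package directory path is built for deletion; it is not code from this PR or from vessel. The allowlist, the 64-character limit, the `.vessel` cache root and the function names are assumptions, since the PR's actual rules are not shown on this page.

```rust
use std::path::{Component, Path, PathBuf};

/// Assumed allowlist (not vessel's actual rules): ASCII letters, digits,
/// '-', '_' and '.', non-empty, at most 64 chars, no leading '.', no "..".
fn is_safe_component(s: &str) -> bool {
    !s.is_empty()
        && s.len() <= 64
        && !s.starts_with('.')
        && !s.contains("..")
        && s.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
}

/// Build `<cache>/<name>/<version>` only if both parts pass validation.
fn package_dir(cache: &Path, name: &str, version: &str) -> Result<PathBuf, String> {
    for (label, value) in [("name", name), ("version", version)] {
        if !is_safe_component(value) {
            return Err(format!("invalid package {}: {:?}", label, value));
        }
    }
    let dir = cache.join(name).join(version);
    // Defence in depth: the joined path must extend the cache root by exactly
    // two normal components, with no `..`, root or prefix parts.
    let rest = dir.strip_prefix(cache).map_err(|e| e.to_string())?;
    let total = rest.components().count();
    let normal = rest.components().filter(|c| matches!(c, Component::Normal(_))).count();
    if total != 2 || normal != 2 {
        return Err(format!("path escapes cache: {}", dir.display()));
    }
    Ok(dir)
}

fn main() {
    let cache = Path::new(".vessel"); // assumed cache root
    // Constructed sample inputs: one ordinary package, then traversal attempts.
    let samples = [
        ("base", "v0.7.3"), ("..", "x"), ("base", "../../etc"),
        ("~", "v1"), ("a/b", "v1"), ("/tmp", "v1"),
    ];
    for (name, version) in samples {
        match package_dir(cache, name, version) {
            Ok(p) => println!("ok      {}", p.display()),
            Err(e) => println!("reject  {}", e),
        }
    }
}
```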

kentosugama commented 2 years ago

Curious about your reasoning for using option 1 instead of option 2 from #55.

rvanasa commented 2 years ago

Adding a flag to the existing install command seems like an elegant solution, especially since this is already a well-established feature in NPM and Cargo.

We could also add something like a release property in the future if this would be useful as well.

rvanasa commented 2 years ago

Would someone mind merging this while @kentosugama and I are waiting to get review permissions for this repository? Thanks!