Follow-up to #169 and PR #241.
PR #241 makes the workspace-boundary check fail closed: a symlink whose target resolves outside the workspace (or whose resolution errors, e.g. EACCES) is treated as outside the workspace and blocked. That is the safe default, but symlinks that intentionally point outside the workspace are a legitimate workflow for some users.
This tracks adding an opt-in setting (e.g. "Include symlinks resolving outside of workspace") so users can allow those symlinks deliberately. Per the discussion on #241, the intent is to ship this setting together with #241 in the same release.
Scope
cc @edelauna — tracking sub-issue as discussed on #241.
Follow-up to #169 and PR #241.
PR #241 makes the workspace-boundary check fail closed: a symlink whose target resolves outside the workspace (or whose resolution errors, e.g.
EACCES) is treated as outside the workspace and blocked. That is the safe default, but symlinks that intentionally point outside the workspace are a legitimate workflow for some users.This tracks adding an opt-in setting (e.g. "Include symlinks resolving outside of workspace") so users can allow those symlinks deliberately. Per the discussion on #241, the intent is to ship this setting together with #241 in the same release.
Scope
cc @edelauna — tracking sub-issue as discussed on #241.