Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refine package name validations in esm resolver #28965

Closed
wants to merge 3 commits into from

Conversation

@guybedford
Copy link
Contributor

commented Aug 5, 2019

This ensures that the way package name parsing is done in the ESM resolver is consistent and well-defined based on the rules:

  1. Package name must start with @ and contain a separator, or not start with @ and contain no separator.
  2. Package names cannot contain percent encodings
  3. Package names cannot contain backslashes
  4. Package names cannot start with .

This also gives us consistency when dealing with package names between the CJS and ESM exports handling.

Effectively we can then think of import 'x/y' as having the package name only being allowed to exist as a valid package name, while the ./y component can in theory exist in URL space with percent encodings support.

If package names want to contain non-standard characters then they must be valid file paths, and not URL percent-encoded.

npm already restricts package names effectively to /^(@[-a-zA-Z\d][-_\.a-zA-Z\d]*\/)?[-a-zA-Z\d][-_\.a-zA-Z\d]*/$, so that this is still a pretty unrestricted validation, the main thing is to avoid odd edge cases with things like percent-encoded backtracking.

An alternative here could just be to disallow the percent encodings of / and \\ explicitly, instead of all percent encodings, which I'd be open to as well.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@guybedford guybedford requested a review from jkrems Aug 5, 2019

@addaleax addaleax added the ES Modules label Aug 5, 2019

lib/internal/modules/cjs/loader.js Outdated Show resolved Hide resolved
@@ -0,0 +1,18 @@
// Flags: --experimental-modules

This comment has been minimized.

Copy link
@jkrems

jkrems Aug 5, 2019

Contributor

Since this gets missed now, it may be good to add a test for exports that ensures that they aren't applied for exactly the case of ../hidden.js even if the parent directory happens to have a package.json file that doesn't export hidden.js.

This comment has been minimized.

Copy link
@guybedford

guybedford Aug 6, 2019

Author Contributor

I'm not sure I follow this point or how it relates to this PR, can you clarify which test file changes you are referring to?

This comment has been minimized.

Copy link
@jkrems

jkrems Aug 6, 2019

Contributor

Not necessary as part of this PR. More a "oops, guess we never had a regression test covering this".

This comment has been minimized.

Copy link
@guybedford

guybedford Aug 6, 2019

Author Contributor

I still don't understand the exact regression / issue?

This comment has been minimized.

Copy link
@jkrems

jkrems Aug 6, 2019

Contributor

We started treating ../ as a package name and would've loaded the export map etc. (I assume) but none of our tests broke. At least that's my current understanding. In other words: We don't have the following test right now:

// test/fixtures/node_modules/pkg-exports/lib/a.mjs
import '../hidden.js'; // should succeed but would be broken if ../package.json exports is applied

This comment has been minimized.

Copy link
@guybedford

guybedford Aug 6, 2019

Author Contributor

Oh I see. But we don't get this far here because plain specifier detection doesn't catch ./, ../, / or URLs.

This comment has been minimized.

Copy link
@jkrems

jkrems Aug 6, 2019

Contributor

Ah, may have lost track of that. Added a quick note to the exports project board just in case. This PR may not have broken it but I'd feel better if we had a test to ensure it in the future as well. :)

@guybedford guybedford force-pushed the guybedford:pkgname branch 2 times, most recently from 38fe5cc to acfad9d Aug 6, 2019

@guybedford guybedford requested a review from jkrems Aug 6, 2019

@guybedford guybedford force-pushed the guybedford:pkgname branch from acfad9d to 7bbe466 Aug 6, 2019

@jkrems
jkrems approved these changes Aug 6, 2019
Copy link
Contributor

left a comment

:shipit:

@jkrems jkrems added this to In progress in Support "exports" in package.json via automation Aug 6, 2019

@nodejs-github-bot

This comment has been minimized.

@jkrems jkrems added the author ready label Aug 6, 2019

@jkrems jkrems moved this from In progress to Review in progress in Support "exports" in package.json Aug 6, 2019

@jkrems jkrems moved this from Review in progress to Reviewer approved in Support "exports" in package.json Aug 6, 2019

@guybedford guybedford force-pushed the guybedford:pkgname branch from 2193e39 to b5aaeaf Aug 6, 2019

@Trott
Trott approved these changes Aug 6, 2019
@nodejs-github-bot

This comment has been minimized.

@Trott

This comment has been minimized.

Copy link
Member

commented Aug 8, 2019

Landed in 0e03c44

@Trott Trott closed this Aug 8, 2019

Support "exports" in package.json automation moved this from Reviewer approved to Done Aug 8, 2019

Trott added a commit to Trott/io.js that referenced this pull request Aug 8, 2019
module: refine package name validation
PR-URL: nodejs#28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

@guybedford guybedford deleted the guybedford:pkgname branch Aug 8, 2019

targos added a commit that referenced this pull request Aug 19, 2019
module: refine package name validation
PR-URL: #28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos added a commit that referenced this pull request Aug 19, 2019
module: refine package name validation
PR-URL: #28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@targos targos referenced this pull request Aug 19, 2019
JeniaBR added a commit to JeniaBR/node that referenced this pull request Sep 11, 2019
module: refine package name validation
PR-URL: nodejs#28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
JeniaBR added a commit to JeniaBR/node that referenced this pull request Sep 11, 2019
module: refine package name validation
PR-URL: nodejs#28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
You can’t perform that action at this time.