Skip to content

Copilot/sub pr 8 another one#48

Merged
toolate28 merged 3 commits intomainfrom
copilot/sub-pr-8-another-one
Jan 18, 2026
Merged

Copilot/sub pr 8 another one#48
toolate28 merged 3 commits intomainfrom
copilot/sub-pr-8-another-one

Conversation

@toolate28
Copy link
Owner

@toolate28 toolate28 commented Jan 18, 2026

This pull request makes a small but important improvement to the dependency installation process in the scripts/setup.ts file. The main change enhances the safety check before removing the node_modules directory during a forced reinstall.

Safety improvements for dependency installation:

  • The path validation before removing node_modules now uses resolve() to ensure the directory being deleted is exactly the intended one, reducing the risk of accidental deletion of the wrong folder.
  • Added the resolve import from path to support the improved path validation.

Copilot AI and others added 2 commits January 16, 2026 11:11
Initial plan
cc744f5
@toolate28
Fix path traversal vulnerability in setup.ts
ae14e87 
Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
Copilot AI review requested due to automatic review settings January 18, 2026 01:16
@toolate28
Merge branch 'main' into copilot/sub-pr-8-another-one
6976e7b 
Signed-off-by: toolated <toolated@toolated.online>
@toolate28 toolate28 merged commit 954076a into main Jan 18, 2026
1 of 4 checks passed
@toolate28 toolate28 deleted the copilot/sub-pr-8-another-one branch January 18, 2026 01:17
Copilot AI reviewed Jan 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request aims to enhance the safety of the dependency installation process by improving path validation before removing the node_modules directory during forced reinstallation. The change replaces a simple string suffix check with absolute path resolution and comparison.

Changes:

  • Added resolve import from the path module to support absolute path resolution
  • Replaced endsWith("node_modules") validation with absolute path comparison using resolve()

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

scripts/setup.ts
Comment on lines +105 to +106
// Validate path before removal for safety - ensure it resolves to expected location
const resolvedPath = resolve(nodeModulesPath);
Copy link

Copilot AI Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comparison between resolvedPath and expectedPath is redundant. Since nodeModulesPath is already defined as join(ROOT_DIR, "node_modules") on line 101, calling resolve(nodeModulesPath) and resolve(ROOT_DIR, "node_modules") will always produce identical results. Both expressions are computing the same absolute path from the same inputs.

A more meaningful safety check would validate that the resolved path is within the project directory or matches a specific pattern, rather than comparing two computations of the same value.

Copilot uses AI. Check for mistakes.
Copy link
Owner Author

@toolate28 toolate28 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot open a new pull request to apply changes based on this feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@toolate28 toolate28

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@toolate28