* Reject package names that contain characters which could cause injection * when used in git tags, markdown, URLs, or shell-quoted strings. * Intentionally permissive — we don't enforce npm naming rules because * bumpy may be used with other registries or non-JS packages.
(name: string)
| 15 | * bumpy may be used with other registries or non-JS packages. |
| 16 | */ |
| 17 | function validatePackageName(name: string): boolean { |
| 18 | if (!name || name.length > 214) return false; |
| 19 | // disallow control chars |
| 20 | // eslint-disable-next-line no-control-regex |
| 21 | if (/[\u0000-\u001f\u007f]/.test(name)) return false; |
| 22 | // disallow HTML/shell metacharacters and whitespace |
| 23 | if (/[<>"'`&;|$(){}[\]\\!#%\s]/.test(name)) return false; |
| 24 | // must not start with - (could be interpreted as a CLI flag) |
| 25 | if (name.startsWith('-')) return false; |
| 26 | return true; |
| 27 | } |
| 28 | |
| 29 | export interface ReadBumpFilesResult { |
| 30 | bumpFiles: BumpFile[]; |
no outgoing calls
no test coverage detected
searching dependent graphs…