package.json local path traversal working with Node 19, not with Node < 19 #46270

Closed
tkrotoff opened this issue Jan 19, 2023 · 3 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry. wrong repo Issues that should be opened in another repository.

tkrotoff commented Jan 19, 2023

Version

18.13.0 and below

Platform

Ubuntu 22.04.1

What steps will reproduce the bug?

Demo: https://github.com/tkrotoff/node18-local-path-traversal-issue
CI: https://github.com/tkrotoff/node18-local-path-traversal-issue/actions

package.json local path traversal working with Node 19, not with Node < 19

Node.js 19 copies the local path to node_modules (correct); Node.js < 19 does not (incorrect) and references the parent folder directly.

Demo structure:

  • index.js
  • subfolder
    • index.js
    • package.json references parent folder package (local path) with "node18-local-path-traversal-issue": "file:.."
    • webpack.config.js

With Node.js 19, webpack + @babel/preset-env useBuiltIns: 'usage' browses the parent folder correctly

With Node.js < 19, webpack + @babel/preset-env useBuiltIns: 'usage' fails to browse parent folder correctly



Output with Node.js 19.4.0 (OK), references /subfolder/node_modules/node18-local-path-traversal-issue/index.js:

Run cd subfolder && npm install && npm run build

...

Using polyfills with `usage-global` method:

[/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/subfolder/index.js]
Based on your code and targets, the corejs3 polyfill did not add any polyfill.

[/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/subfolder/node_modules/node18-local-path-traversal-issue/index.js]
The corejs3 polyfill added the following polyfills:
  es.error.cause { "ios":"14.5" }
asset main.js 178 KiB [emitted] (name: main)
runtime modules 221 bytes 1 module
modules by path ./node_modules/core-js/internals/*.js 43.7 KiB
  ./node_modules/core-js/internals/export.js 2.61 KiB [built] [code generated]
  ./node_modules/core-js/internals/global.js 590 bytes [built] [code generated]
  ./node_modules/core-js/internals/function-apply.js 387 bytes [built] [code generated]
  ./node_modules/core-js/internals/wrap-error-constructor-with-cause.js 2.9 KiB [built] [code generated]
  ./node_modules/core-js/internals/object-get-own-property-descriptor.js 1.1 KiB [built] [code generated]
  ./node_modules/core-js/internals/descriptors.js 308 bytes [built] [code generated]
  ./node_modules/core-js/internals/function-bind-native.js 337 bytes [built] [code generated]
  ./node_modules/core-js/internals/get-built-in.js 358 bytes [built] [code generated]
  ./node_modules/core-js/internals/object-is-prototype-of.js 114 bytes [built] [code generated]
  + 71 modules
./index.js 83 bytes [built] [code generated]
./node_modules/node18-local-path-traversal-issue/index.js 179 bytes [built] [code generated]
./node_modules/core-js/modules/es.error.cause.js 2.51 KiB [built] [code generated]
webpack 5.75.0 compiled successfully in 779 ms

Output with Node.js 18.13.0 (KO), references /index.js instead of /subfolder/node_modules/node18-local-path-traversal-issue/index.js:

Run cd subfolder && npm install && npm run build

...

Using polyfills with `usage-global` method:

[/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/subfolder/index.js]
Based on your code and targets, the corejs3 polyfill did not add any polyfill.

[/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/index.js]
The corejs3 polyfill added the following polyfills:
  es.error.cause { "ios":"14.5" }
asset main.js 4.06 KiB [emitted] (name: main)
./index.js 83 bytes [built] [code generated]
../index.js 179 bytes [built] [code generated]

ERROR in ../index.js 1:0-44
Module not found: Error: Can't resolve 'core-js/modules/es.error.cause.js' in '/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue'
resolve 'core-js/modules/es.error.cause.js' in '/home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue'
  Parsed request is a module
  using description file: /home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/package.json (relative path: .)
    Field 'browser' doesn't contain a valid alias configuration
    resolve as module
      /home/runner/work/node18-local-path-traversal-issue/node18-local-path-traversal-issue/node_modules doesn't exist or is not a directory
      /home/runner/work/node18-local-path-traversal-issue/node_modules doesn't exist or is not a directory
      /home/runner/work/node_modules doesn't exist or is not a directory
      /home/runner/node_modules doesn't exist or is not a directory
      /home/node_modules doesn't exist or is not a directory
      /node_modules doesn't exist or is not a directory
 @ ./index.js 1:16-60

webpack 5.75.0 compiled with 1 error in 660 ms
Error: Process completed with exit code 1.

GitHub Actions CI

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior?

Node.js < 19 should work like Node.js 19

What do you see instead?

Node.js < 19 references /index.js instead of /subfolder/node_modules/node18-local-path-traversal-issue/index.js

Additional information

No response

@bnoordhuis
Member

For my understanding, the crux of your issue is this stanza in subfolder/package.json?

  "dependencies": {
    "node18-local-path-traversal-issue": "file:..",

This must have been a change in npm (which node bundles but doesn't maintain) because node itself doesn't look at the dependencies field. You should file this against npm.

@bnoordhuis bnoordhuis added npm Issues and PRs related to the npm client dependency or the npm registry. wrong repo Issues that should be opened in another repository. labels Jan 20, 2023
@tkrotoff
Author

@bnoordhuis yes

@tkrotoff
Author

Found the solution for npm < 9: npm install --install-links npm/cli#6033 (comment)

npm < 9 uses symlinks by default: https://docs.npmjs.com/cli/v8/commands/npm-install#install-links
while npm >= 9 does not (which is good): https://docs.npmjs.com/cli/v9/commands/npm-install#install-links

protocol dependencies will be packed and installed as regular dependencies instead of creating a symlink

npm < 8 (Node.js 14) does not support option --install-links
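
Added example, not part of the issue thread or of npm's code: a small Node.js audit that reports, for each `file:` dependency in a project, whether `node_modules` holds a symlink or a packed copy, and whether a symlink resolves outside the project directory (the situation in the failing Node.js 18 build above). The names `auditFileDeps`, `buildDemo` and `demo-parent` are hypothetical, and the directory layout is constructed to mirror the demo repository.

```javascript
// Added example (not from the issue): how was each `file:` dependency installed?
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// For every `file:` dependency in <projectDir>/package.json, report whether
// node_modules holds a symlink (npm < 9 default) or a real copy (npm >= 9,
// or --install-links), and where a symlink really points.
function auditFileDeps(projectDir) {
  const root = fs.realpathSync(projectDir);
  const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.entries(deps)
    .filter(([, spec]) => typeof spec === 'string' && spec.startsWith('file:'))
    .map(([name, spec]) => {
      const installed = path.join(root, 'node_modules', name);
      const stat = fs.lstatSync(installed, { throwIfNoEntry: false });
      if (!stat) return { name, spec, kind: 'missing', outsideProject: false };
      if (!stat.isSymbolicLink()) return { name, spec, kind: 'copy', outsideProject: false };
      const target = fs.realpathSync(installed);
      // webpack follows symlinks by default, so imports made by the linked
      // package are resolved from `target`, not from this node_modules.
      const rel = path.relative(root, target);
      const outsideProject = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
      return { name, spec, kind: 'symlink', target, outsideProject };
    });
}

// Constructed demo layout mirroring the issue: subfolder/package.json
// depends on its parent folder via "file:..".
function buildDemo(asSymlink) {
  const parent = fs.mkdtempSync(path.join(os.tmpdir(), 'file-dep-'));
  const sub = path.join(parent, 'subfolder');
  fs.mkdirSync(path.join(sub, 'node_modules'), { recursive: true });
  fs.writeFileSync(path.join(parent, 'package.json'), '{"name":"demo-parent"}');
  fs.writeFileSync(path.join(parent, 'index.js'), 'module.exports = 1;');
  fs.writeFileSync(path.join(sub, 'package.json'),
    JSON.stringify({ dependencies: { 'demo-parent': 'file:..' } }));
  const dest = path.join(sub, 'node_modules', 'demo-parent');
  if (asSymlink) {
    fs.symlinkSync(path.join('..', '..'), dest, 'dir'); // linked install
  } else {
    fs.mkdirSync(dest); // packed-and-copied install
    fs.copyFileSync(path.join(parent, 'index.js'), path.join(dest, 'index.js'));
  }
  return sub;
}

for (const asSymlink of [true, false]) console.log(auditFileDeps(buildDemo(asSymlink)));
```

Run in CI after `npm install`, a check like this makes the difference between npm versions visible before the bundler fails on it.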
