npm · fritzy · Jun 22, 2022 · Jun 21, 2022 · Jun 21, 2022 · Jun 21, 2022
@@ -0,0 +1,67 @@
+'use strict'
+
+// eslint-disable-next-line max-len
+// this code adapted from: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
+const cmd = (input) => {
+  if (!input.length) {
+    return '""'
+  }
+
+  let result
+  if (!/[ \t\n\v"]/.test(input)) {
+    result = input
+  } else {
+    result = '"'
+    for (let i = 0; i <= input.length; ++i) {
+      let slashCount = 0
+      while (input[i] === '\\') {
+        ++i
+        ++slashCount
+      }
+
+      if (i === input.length) {
+        result += '\\'.repeat(slashCount * 2)
+        break
+      }
+
+      if (input[i] === '"') {
+        result += '\\'.repeat(slashCount * 2 + 1)
+        result += input[i]
+      } else {
+        result += '\\'.repeat(slashCount)
+        result += input[i]
+      }
+    }
+    result += '"'
+  }
+
+  // and finally, prefix shell meta chars with a ^
+  result = result.replace(/[!^&()<>|"]/g, '^$&')
+  // except for % which is escaped with another %
+  result = result.replace(/%/g, '%%')
+
+  return result
+}
+
+const sh = (input) => {
+  if (!input.length) {
+    return `''`
+  }
+
+  if (!/[\t\n\r "#$&'()*;<>?\\`|~]/.test(input)) {
+    return input
+  }
+
+  // replace single quotes with '\'' and wrap the whole result in a fresh set of quotes
+  const result = `'${input.replace(/'/g, `'\\''`)}'`
+    // if the input string already had single quotes around it, clean those up
+    .replace(/^(?:'')+(?!$)/, '')
+    .replace(/\\'''/g, `\\'`)
+
+  return result
+}
+
+module.exports = {
+  cmd,
+  sh,
+}
@@ -1,8 +1,12 @@
 /* eslint camelcase: "off" */
 const isWindows = require('./is-windows.js')
 const setPATH = require('./set-path.js')
+const { chmodSync: chmod, unlinkSync: unlink, writeFileSync: writeFile } = require('fs')
+const { tmpdir } = require('os')
 const { resolve } = require('path')
+const which = require('which')
 const npm_config_node_gyp = require.resolve('node-gyp/bin/node-gyp.js')
+const escape = require('./escape.js')
 
 const makeSpawnArgs = options => {
   const {
@@ -12,11 +16,28 @@ const makeSpawnArgs = options => {
     env = {},
     stdio,
     cmd,
+    args = [],
     stdioString = false,
   } = options
 
+  let scriptFile
+  let script = ''
   const isCmd = /(?:^|\\)cmd(?:\.exe)?$/i.test(scriptShell)
-  const args = isCmd ? ['/d', '/s', '/c', cmd] : ['-c', cmd]
+  if (isCmd) {
+    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+    script += '@echo off\n'
+    script += `${cmd} ${args.map((arg) => escape.cmd(arg)).join(' ')}`
+  } else {
+    const shellPath = which.sync(scriptShell)
+    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+    script += `#!${shellPath}\n`
+    script += `${cmd} ${args.map((arg) => escape.sh(arg)).join(' ')}`
+  }
+  writeFile(scriptFile, script)
+  if (!isCmd) {
+    chmod(scriptFile, '0775')
+  }
+  const spawnArgs = isCmd ? ['/d', '/s', '/c', scriptFile] : ['-c', scriptFile]
 
   const spawnOpts = {
     env: setPATH(path, {
@@ -34,7 +55,14 @@ const makeSpawnArgs = options => {
     ...(isCmd ? { windowsVerbatimArguments: true } : {}),
   }
 
-  return [scriptShell, args, spawnOpts]
+  const cleanup = () => {
+    // delete the script, this is just a best effort
+    try {
+      unlink(scriptFile)
+    } catch (err) {}
+  }
+
+  return [scriptShell, spawnArgs, spawnOpts, cleanup]
 }
 
 module.exports = makeSpawnArgs
@@ -31,7 +31,7 @@ const runScriptPkg = async options => {
   if (options.cmd) {
     cmd = options.cmd
   } else if (pkg.scripts && pkg.scripts[event]) {
-    cmd = pkg.scripts[event] + args.map(a => ` ${JSON.stringify(a)}`).join('')
+    cmd = pkg.scripts[event]
   } else if (
     // If there is no preinstall or install script, default to rebuilding node-gyp packages.
     event === 'install' &&
@@ -42,7 +42,7 @@ const runScriptPkg = async options => {
   ) {
     cmd = defaultGypInstallScript
   } else if (event === 'start' && await isServerPackage(path)) {
-    cmd = 'node server.js' + args.map(a => ` ${JSON.stringify(a)}`).join('')
+    cmd = 'node server.js'
   }
 
   if (!cmd) {
@@ -54,15 +54,18 @@ const runScriptPkg = async options => {
     console.log(bruce(pkg._id, event, cmd))
   }
 
-  const p = promiseSpawn(...makeSpawnArgs({
+  const [spawnShell, spawnArgs, spawnOpts, cleanup] = makeSpawnArgs({
     event,
     path,
     scriptShell,
     env: packageEnvs(env, pkg),
     stdio,
     cmd,
+    args,
     stdioString,
-  }), {
+  })
+
+  const p = promiseSpawn(spawnShell, spawnArgs, spawnOpts, {
     event,
     script: cmd,
     pkgid: pkg._id,
@@ -88,7 +91,7 @@ const runScriptPkg = async options => {
     } else {
       throw er
     }
-  })
+  }).finally(cleanup)
 }
 
 module.exports = runScriptPkg
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/run-script",
-  "version": "3.0.2",
+  "version": "4.1.0",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
   "author": "GitHub Inc.",
   "license": "ISC",
@@ -23,7 +23,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.2.2",
+    "@npmcli/template-oss": "3.5.0",
     "minipass": "^3.1.6",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
@@ -48,6 +48,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.2.2"
+    "version": "3.5.0"
   }
 }
@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "13.6.0",
+  "version": "13.6.1",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -45,7 +45,7 @@
     "@npmcli/git": "^3.0.0",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/promise-spawn": "^3.0.0",
-    "@npmcli/run-script": "^3.0.1",
+    "@npmcli/run-script": "^4.1.0",
     "cacache": "^16.0.0",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",