fix(arborist): add packageName getter to IsolatedNode for path-safe names

KevinZhao · KevinZhao · commit 70b3763a0afc · 2026-03-12T02:09:50.000Z
The IsolatedNode class now derives packageName from the filesystem path
via nameFromFolder, preventing path traversal when node.name contains
directory separators. The #assignCommonProperties fallback is changed
from node.name to nameFromFolder(node.path) for proxy objects that
don't use the getter.
diff --git a/workspaces/arborist/lib/arborist/isolated-reifier.js b/workspaces/arborist/lib/arborist/isolated-reifier.js
@@ -4,6 +4,7 @@ const { join } = require('node:path')
 const { depth } = require('treeverse')
 const crypto = require('node:crypto')
 const { IsolatedNode, IsolatedLink } = require('../isolated-classes.js')
+const nameFromFolder = require('@npmcli/name-from-folder')
 
 // generate short hash key based on the dependency tree starting at this node
 const getKey = (startNode) => {
@@ -191,7 +192,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = node.packageName || node.name
+    result.packageName = node.packageName || nameFromFolder(node.path)
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
diff --git a/workspaces/arborist/lib/isolated-classes.js b/workspaces/arborist/lib/isolated-classes.js
@@ -1,6 +1,7 @@
 // Alternate versions of different classes that we use for isolated mode
 const CaseInsensitiveMap = require('./case-insensitive-map.js')
 const { resolve } = require('node:path')
+const nameFromFolder = require('@npmcli/name-from-folder')
 
 // fake lib/inventory.js
 class IsolatedInventory extends Map {
@@ -104,6 +105,10 @@ class IsolatedNode {
     return !!(hasInstallScript || install || preinstall || postinstall)
   }
 
+  get packageName () {
+    return nameFromFolder(this.path) || nameFromFolder(this.name) || this.name
+  }
+
   get version () {
     return this.package.version
   }
diff --git a/workspaces/arborist/test/isolated-classes.js b/workspaces/arborist/test/isolated-classes.js
@@ -0,0 +1,86 @@
+const t = require('tap')
+const path = require('node:path')
+const { IsolatedNode, IsolatedLink } = require('../lib/isolated-classes.js')
+
+t.test('IsolatedNode packageName getter', t => {
+  t.test('derives name from path', t => {
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', 'my-package'),
+      name: 'my-package',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'my-package')
+    t.end()
+  })
+
+  t.test('path traversal in name is neutralized when path is set', t => {
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', 'my-package'),
+      name: '../../my-package',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'my-package')
+    t.not(node.packageName, '../../my-package',
+      'must not return unsanitized name containing traversal')
+    t.end()
+  })
+
+  t.test('path traversal in name is neutralized even without path', t => {
+    const node = new IsolatedNode({
+      name: '../../evil',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'evil',
+      'nameFromFolder strips traversal from name as fallback')
+    t.not(node.packageName, '../../evil')
+    t.end()
+  })
+
+  t.test('handles scoped packages via path', t => {
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', '@scope', 'pkg'),
+      name: '@scope/pkg',
+      package: { version: '2.0.0' },
+    })
+    t.equal(node.packageName, '@scope/pkg')
+    t.end()
+  })
+
+  t.test('handles scoped packages via name fallback', t => {
+    const node = new IsolatedNode({
+      name: '@scope/pkg',
+      package: { version: '2.0.0' },
+    })
+    t.equal(node.packageName, '@scope/pkg',
+      'nameFromFolder preserves scoped names when used as fallback')
+    t.end()
+  })
+
+  t.test('falls back to raw name as last resort', t => {
+    const node = new IsolatedNode({
+      name: 'simple-name',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'simple-name')
+    t.end()
+  })
+
+  t.end()
+})
+
+t.test('IsolatedLink inherits packageName getter', t => {
+  const target = new IsolatedNode({
+    path: path.join('/some', 'node_modules', 'pkg'),
+    name: 'pkg',
+    package: { version: '1.0.0' },
+  })
+  const link = new IsolatedLink({
+    path: path.join('/some', 'node_modules', '.store', 'pkg@1.0.0', 'node_modules', 'pkg'),
+    name: 'pkg',
+    package: { version: '1.0.0' },
+    realpath: target.path,
+    target,
+  })
+  t.equal(link.packageName, 'pkg')
+  t.end()
+})
