Update CI configuration and harden Jest resolver

niemyjski · niemyjski · commit a67bf5d53df4 · 2026-03-24T09:00:39.000-05:00
- Upgrade GitHub Action versions (checkout v6, setup-node v6, cache v5)
- Add .NET 8 SDK to CI for MinVer versioning support
- Define explicit GHA permissions (contents: read, packages: write)
- Add path traversal validation to jest-resolver.cjs to ensure imports remain within the package root
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,6 +1,10 @@
 name: Build
 on: [push, pull_request]
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
@@ -15,21 +19,25 @@ jobs:
     name: Node ${{ matrix.node_version }} on ${{ matrix.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Build Reason
         run: "echo ref: ${{github.ref}} event: ${{github.event_name}}"
       - name: Setup Node.js environment
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node_version }}
           registry-url: "https://registry.npmjs.org"
       - name: Cache node_modules
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: node_modules
           key: ${{ matrix.node_version }}-${{ runner.os }}-node-modules-${{ hashFiles('package-lock.json') }}
+      - name: Setup .NET SDK for MinVer
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: "8.0.x"
       - name: Set Min Version
         uses: Stelzi79/action-minver@3.0.1
         id: version
@@ -55,7 +63,7 @@ jobs:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
       - name: Setup GitHub CI Node.js environment
         if: github.event_name != 'pull_request' && matrix.os == 'ubuntu-latest'
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node_version }}
           registry-url: "https://npm.pkg.github.com"
diff --git a/jest-resolver.cjs b/jest-resolver.cjs
@@ -21,7 +21,14 @@ module.exports = (request, options) => {
           if (base) {
             const prefix = base.replace("*", "");
             const suffix = request.slice(2);
-            const resolved = path.join(packageRoot, prefix, suffix);
+            if (suffix.includes("..") || path.isAbsolute(suffix)) {
+              throw new Error(`Unsafe import path: ${request}`);
+            }
+            const resolved = path.resolve(packageRoot, prefix, suffix);
+            const normalizedRoot = path.resolve(packageRoot) + path.sep;
+            if (!resolved.startsWith(normalizedRoot)) {
+              throw new Error(`Import escapes package root: ${request}`);
+            }
             return resolveWithExtensions(resolved);
           }
         }
