
@pkuczynski
Collaborator

@pkuczynski pkuczynski commented Nov 21, 2025

User description

Description of change

When the package is built or when we run tests, the package.json is one level closer to InitCommand...

It's a backport of part of the fix from #11787

Pull-Request Checklist

  • Code is up-to-date with the master branch
  • This pull request links relevant issues as Fixes #00000
  • There are new or updated unit tests validating the change
  • Documentation has been updated to reflect this change

PR Type

Bug fix, Enhancement


Description

  • Remove hardcoded package.json import, read dynamically at runtime

  • Make appendPackageJson async to support file reading operations

  • Update TypeScript compiler targets from ES2021 to ES2022/ES2023

  • Fix package.json path resolution for built and test environments


Diagram Walkthrough

flowchart LR
  A["Remove static import"] --> B["Read package.json dynamically"]
  B --> C["Make appendPackageJson async"]
  C --> D["Support built/test environments"]
  E["Update tsconfig targets"] --> F["ES2021 to ES2022/ES2023"]

File Walkthrough

Relevant files
Bug fix
InitCommand.ts
Dynamic package.json loading and TypeScript target updates

src/commands/InitCommand.ts

  • Removed hardcoded package.json import statement from top of file
  • Changed appendPackageJson method to async and added dynamic file
    reading using CommandUtils.readFile
  • Updated TypeScript compiler targets in getTsConfigTemplate from ES2021
    to ES2022/ES2023
  • Added await keyword when calling appendPackageJson to handle async
    operation
+10/-9   

@pkuczynski pkuczynski self-assigned this Nov 21, 2025
@pkuczynski pkuczynski requested a review from alumni November 21, 2025 17:46
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects bot commented Nov 21, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Path traversal risk

Description: Path traversal vulnerability: __dirname combined with relative path '../package.json' can
be manipulated to access files outside intended directory, potentially exposing sensitive
system files or configuration data.
InitCommand.ts [682-682]

Referred Code
    await CommandUtils.readFile(`${__dirname}/../package.json`),
)
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: The dynamic file read operation at line 682 lacks error handling for cases where the
package.json file might not exist or be malformed.

Referred Code
const ourPackageJson = JSON.parse(
    await CommandUtils.readFile(`${__dirname}/../package.json`),
)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Path traversal vulnerability: The file path constructed using __dirname at line 682 is not validated and could
potentially be manipulated to access files outside the intended directory.

Referred Code
    await CommandUtils.readFile(`${__dirname}/../package.json`),
)


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partial Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

@pkg-pr-new

pkg-pr-new bot commented Nov 21, 2025

typeorm-sql-js-example

npm i https://pkg.pr.new/typeorm/typeorm@11789

commit: b17ecb8

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects bot commented Nov 21, 2025

PR Code Suggestions ✨

Latest suggestions up to 182e9e9

Category: Possible issue
Fix incorrect package.json path resolution

Fix an incorrect path to package.json by adjusting the directory traversal from
the compiled file's location.

src/commands/InitCommand.ts [681-683]

 const ourPackageJson = JSON.parse(
-    await CommandUtils.readFile(`${__dirname}/../package.json`),
+    await CommandUtils.readFile(`${__dirname}/../../package.json`),
 )
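Review bot: The suggested `../../` contradicts the PR description, which states that once the package is built or the tests run, package.json sits one level closer to InitCommand, so `../` is the depth the author intends for that layout; before applying this, confirm where the compiled InitCommand file lands relative to the package root. Whichever depth is right, building the path with `path.join(__dirname, "..", "package.json")` rather than the template string `${__dirname}/../package.json` avoids separator issues and makes the intended depth easier to read in review.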
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a critical path resolution bug where __dirname in the compiled code would point to the wrong location, causing the command to fail at runtime.

Impact: High

Previous suggestions

Suggestions up to commit 62e0931
Category: Possible issue
Fix incorrect package.json file path

Correct the file path for package.json to account for the compiled output
directory structure, preventing a runtime error when the init command is
executed.

src/commands/InitCommand.ts [681-683]

 const ourPackageJson = JSON.parse(
-    await CommandUtils.readFile(`${__dirname}/../package.json`),
+    await CommandUtils.readFile(path.join(__dirname, "..", "..", "package.json")),
 )
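Review bot: Neither this suggestion nor the surrounding statement handles a failed read or a failed `JSON.parse`, which the compliance report above flags: a missing or malformed package.json surfaces as a bare ENOENT or SyntaxError with no hint of which file was expected. Catch both and rethrow with the resolved path in the message. The `"..", ".."` depth also conflicts with the PR description (package.json is said to be one level closer once built or under test), so check it against the actual build output layout before applying.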
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical runtime bug where the path to package.json would be incorrect after compilation, causing the init command to fail.

Impact: High

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Nov 21, 2025

Deploying typeorm with Cloudflare Pages

Latest commit: 40de183
Status: ✅  Deploy successful!
Preview URL: https://dbef2d89.typeorm.pages.dev
Branch Preview URL: https://fix-initi-command.typeorm.pages.dev


Collaborator

@gioboa gioboa left a comment


LGTM 👏

@qodo-free-for-open-source-projects

PR Code Suggestions ✨

No code suggestions found for the PR.

@coveralls

coveralls commented Nov 25, 2025

Coverage Status

coverage: 80.77% (+0.002%) from 80.768%
when pulling b17ecb8 on fix/initi-command
into cb1284c on master.

@pkuczynski pkuczynski merged commit dd55218 into master Nov 25, 2025
64 checks passed
@pkuczynski pkuczynski deleted the fix/initi-command branch November 25, 2025 13:13
ThbltLmr pushed a commit to ThbltLmr/typeorm that referenced this pull request Dec 2, 2025
mgohin pushed a commit to mgohin/typeorm that referenced this pull request Jan 15, 2026
