fix: apply correct fs restrictions for Yarn PnP when serving files from node_modules#15957
Conversation
|
|
|
I don't think we should allow every path from |
|
Yeah I agree with patak here. Maybe we can check if we're running in yarn pnp and allowlist the yarn directory to be served? I'm not sure if yarn exposes that via |
|
Hi @bluwy I have checked pnpapi and process.env.* however it seems it does not expose to us where the yarn cache directory is. |
|
Hi @patak-dev Even though the pnpapi does not give us the yarn cache directory, we can get it from the @yarnpkg/core API. Would you mind take another review? Thanks! |
|
|
|
The large @yarnpkg/core dependency is removed. |
|
Shall we consider add a |
|
I'm thinking we could always add the yarn cache folder to the allow list by default, that way we don't have to expose a new API for it. Similarly we have the |
|
I agree with @bluwy. If users want to disable it, |
|
Sounds good, the yarnCacheDir is now always added to the allow list. |
bluwy
left a comment
There was a problem hiding this comment.
LGTM. Thanks for fixing this up! I'll queue this up for the next minor (which we'll start merging tomorrow) as this feels like a substantial change for existing Yarn PnP users.
Description
fixes #15945
Additional context
What is the purpose of this pull request?
Before submitting the PR, please make sure you do the following
fixes #123).