fix(arborist): sanitize packageName through nameFromFolder in proxy objects

KevinZhao · KevinZhao · commit 144b060e8479 · 2026-03-13T15:36:44.000Z
The proxy objects used in .store path construction got packageName
directly from node.packageName (raw package.json name) without
sanitization. nameFromFolder was only used as a fallback when
packageName was null.

Now wraps the primary source through nameFromFolder so traversal
sequences like ../../evil in package.json name fields are stripped
before reaching path.join in store path construction.
diff --git a/workspaces/arborist/lib/arborist/isolated-reifier.js b/workspaces/arborist/lib/arborist/isolated-reifier.js
@@ -192,7 +192,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = node.packageName || nameFromFolder(node.path)
+    result.packageName = nameFromFolder(node.packageName) || nameFromFolder(node.path)
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
