arborist: move packageName sanitization into IsolatedNode getter

Per maintainer feedback, add a packageName getter to IsolatedNode that
derives the name from the filesystem path via @npmcli/name-from-folder,
preventing path-like node.name values from introducing traversal.
Simplify #assignCommonProperties to defer to node.packageName.
Add tests for path traversal, scoped packages, and fallback behavior.

Author: KevinZhao

workspaces/arborist/lib/arborist/isolated-reifier.js

@@ -178,7 +178,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = nameFromFolder(node.path) || node.packageName || node.name
+    result.packageName = node.packageName || nameFromFolder(node.path)
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 

workspaces/arborist/lib/isolated-classes.js

@@ -1,6 +1,7 @@
 // Alternate versions of different classes that we use for isolated mode
 const CaseInsensitiveMap = require('./case-insensitive-map.js')
 const { resolve } = require('node:path')
+const nameFromFolder = require('@npmcli/name-from-folder')
 
 // fake lib/inventory.js
 class IsolatedInventory extends Map {
@@ -104,6 +105,10 @@ class IsolatedNode {
     return !!(hasInstallScript || install || preinstall || postinstall)
   }
 
+  get packageName () {
+    return nameFromFolder(this.path) || this.name
+  }
+
   get version () {
     return this.package.version
   }

workspaces/arborist/test/isolated-classes.js

@@ -0,0 +1,65 @@
+const t = require('tap')
+const path = require('node:path')
+const { IsolatedNode, IsolatedLink } = require('../lib/isolated-classes.js')
+
+t.test('IsolatedNode packageName getter', t => {
+  t.test('returns name extracted from path', t => {
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', 'my-package'),
+      name: 'my-package',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'my-package')
+    t.end()
+  })
+
+  t.test('sanitizes path-like node name — path traversal via name', t => {
+    // Simulates a pretend node where node.name is a relative/path-like value.
+    // packageName must return only the package name, not the traversal path.
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', 'my-package'),
+      name: '../my-package',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'my-package', 'extracts name from path, ignores path-like node.name')
+    t.end()
+  })
+
+  t.test('handles scoped packages', t => {
+    const node = new IsolatedNode({
+      path: path.join('/some', 'node_modules', '@scope', 'pkg'),
+      name: '@scope/pkg',
+      package: { version: '2.0.0' },
+    })
+    t.equal(node.packageName, '@scope/pkg')
+    t.end()
+  })
+
+  t.test('falls back to name when path is not set', t => {
+    const node = new IsolatedNode({
+      name: 'fallback-name',
+      package: { version: '1.0.0' },
+    })
+    t.equal(node.packageName, 'fallback-name', 'falls back to this.name when path is absent')
+    t.end()
+  })
+
+  t.end()
+})
+
+t.test('IsolatedLink inherits packageName getter from IsolatedNode', t => {
+  const target = new IsolatedNode({
+    path: path.join('/some', 'node_modules', 'pkg'),
+    name: 'pkg',
+    package: { version: '1.0.0' },
+  })
+  const link = new IsolatedLink({
+    path: path.join('/some', 'node_modules', '.store', 'pkg@1.0.0', 'node_modules', 'pkg'),
+    name: 'pkg',
+    package: { version: '1.0.0' },
+    realpath: target.path,
+    target,
+  })
+  t.equal(link.packageName, 'pkg')
+  t.end()
+})