
fix(cli): reject unsafe registry file paths #11035

Draft

mikerewak wants to merge 1 commit into shadcn-ui:main from mikerewak:security/registry-file-path-traversal

Conversation

@mikerewak


This rejects unsafe registry file paths before the CLI writes component files into a project. Relative paths that stay under the intended target continue to work; absolute paths and parent-directory escapes are rejected.

Tested with:

git diff --check
npx --yes esbuild@0.27.1 packages/shadcn/src/utils/add-components.ts packages/shadcn/src/utils/add-components.test.ts --bundle --platform=node --format=esm --packages=external --outdir=/tmp/shadcn-add-components-check

The focused Vitest target could not be run in this checkout because pnpm/node_modules were unavailable.
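The check the PR description outlines (keep relative paths that stay under the target, reject absolute paths and parent-directory escapes), as an added example that is not the PR's code and not the shadcn CLI's own implementation. The function names `isSafeRegistryPath`, `resolveRegistryPath` and `partitionRegistryPaths`, the assumption that the target directory is an absolute POSIX path, and the decision to also reject Windows-style absolute paths and normalise backslashes are mine; the sample paths are constructed:

```typescript
import * as path from "path";

/**
 * Decide whether a registry-supplied file path may be written under targetDir.
 * Assumptions (not from the PR): targetDir is an absolute POSIX path, and registry
 * paths may arrive with either "/" or "\" separators, so both are normalised.
 */
export function isSafeRegistryPath(targetDir: string, registryPath: string): boolean {
  if (registryPath.length === 0) return false;

  // Reject absolute paths in either flavour: a Windows drive or UNC path would
  // otherwise be treated as a harmless relative path on POSIX (and vice versa).
  if (path.posix.isAbsolute(registryPath) || path.win32.isAbsolute(registryPath)) {
    return false;
  }

  // Normalise separators so "..\\..\\x" cannot slip past a POSIX-only check.
  const normalized = registryPath.replace(/\\/g, "/");

  const base = path.posix.resolve(targetDir);
  const resolved = path.posix.resolve(base, normalized);
  const rel = path.posix.relative(base, resolved);

  // The result must be strictly inside the target: non-empty (not the directory
  // itself) and not climbing out. Compare against ".." and "../" rather than a
  // bare startsWith("..") so a file named "..notes.tsx" is not rejected. Using
  // path.relative instead of a string-prefix test on absolute paths also stops
  // "/proj/src2/x" from passing as being under "/proj/src".
  return rel !== "" && rel !== ".." && !rel.startsWith("../");
}

/** Resolve a registry path under targetDir, or throw if it is unsafe. */
export function resolveRegistryPath(targetDir: string, registryPath: string): string {
  if (!isSafeRegistryPath(targetDir, registryPath)) {
    throw new Error(`Unsafe registry file path: ${JSON.stringify(registryPath)}`);
  }
  return path.posix.resolve(targetDir, registryPath.replace(/\\/g, "/"));
}

/** Split a list of registry paths into those that may be written and those rejected. */
export function partitionRegistryPaths(
  targetDir: string,
  registryPaths: readonly string[],
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const p of registryPaths) {
    (isSafeRegistryPath(targetDir, p) ? accepted : rejected).push(p);
  }
  return { accepted, rejected };
}

// Constructed sample input (not from the PR): a mix of benign and escaping paths.
export const SAMPLE_REGISTRY_PATHS: readonly string[] = [
  "components/ui/button.tsx",            // plain relative path: accepted
  "components/../lib/utils.ts",          // has ".." but stays under target: accepted
  "..notes.tsx",                         // file name starting with "..": accepted
  "../../.bashrc",                       // climbs out of target: rejected
  "/etc/passwd",                         // POSIX absolute: rejected
  "C:\\Windows\\System32\\drivers\\etc\\hosts", // Windows absolute: rejected
  "..\\..\\.npmrc",                      // backslash escape: rejected
  "",                                    // empty: rejected
];

console.log(partitionRegistryPaths("/proj/src", SAMPLE_REGISTRY_PATHS));
```

If the CLI runs on Windows with a Windows target directory, the same logic applies with `path.win32` in place of `path.posix` throughout; the point that matters is resolving against the target and testing the relative result, not matching string prefixes.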

@vercel

vercel Bot commented Jun 28, 2026


@mikerewak is attempting to deploy a commit to the shadcn-pro Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions


Labels

None yet

1 participant