Merge branch 'master' into 14.6.x

Author: Lipata

.github/workflows/codeql-analysis.yml

@@ -23,6 +23,9 @@ on:
 jobs:
   analyze:
     name: Analyze
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
 
     strategy:

.github/workflows/nodejs.yml

@@ -1,4 +1,7 @@
 name: Node.js CI
+permissions:
+  contents: read
+  checks: write
 
 on:
   push:
@@ -35,6 +38,7 @@ jobs:
         run: yarn coverage
       - name: Publish to coveralls.io
         if: matrix.node-version == '20.x'
-        uses: coverallsapp/[email protected]
+        # coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 corresponds to v2.3.4
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8
         with:
             github-token: ${{ github.token }}

.github/workflows/npm-publish.yml

@@ -3,6 +3,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

package.json

@@ -59,7 +59,7 @@
 		"handlebars": "4.7.8"
 	},
 	"devDependencies": {
-		"@inquirer/prompts": "^5.4.0",
+		"@inquirer/prompts": "^7.9.0",
 		"@types/jasmine": "^5.1.4",
 		"@types/minimatch": "^5.1.2",
 		"@types/node": "^22.5.5",

packages/cli/lib/commands/start.ts

@@ -7,11 +7,16 @@ import { PositionalArgs, StartCommandType } from "./types";
 import { ArgumentsCamelCase } from "yargs";
 
 const execSyncNpmStart = (port: number, options: ExecSyncOptions): void => {
+	const args = ['start'];
 	if (port) {
-		Util.execSync(`npm start -- --port=${port}`, options);
-		return;
+		// Validate port is a number to prevent command injection
+		if (!Number.isInteger(port) || port < 0 || port > 65535) {
+			Util.error(`Invalid port number: ${port}`, "red");
+			return;
+		}
+		args.push('--', `--port=${port}`);
 	}
-	Util.execSync(`npm start`, options);
+	Util.spawnSync('npm', args, options);
 };
 
 const command: StartCommandType = {

packages/cli/lib/templates/ReactTemplate.ts

@@ -109,8 +109,9 @@ export class ReactTemplate implements Template {
 		const components = require("@igniteui/cli-core/packages/components");
 		const igResPath = path.join(projectPath, this.igniteResources);
 
-		if (fs.existsSync(igResPath)) {
-			let igniteuiResFile = fs.readFileSync(igResPath, "utf8");
+		try {
+			const fd = fs.openSync(igResPath, fs.constants.O_RDWR | fs.constants.O_CREAT);
+			let igniteuiResFile = fs.readFileSync(fd, "utf8");
 			const freeVersionPath = "ignite-ui/";
 			const fullVersionPath = "@infragistics/ignite-ui-full/en/";
 			const dvPath = "@infragistics/ignite-ui-full/en/js/infragistics.dv.js";
@@ -123,16 +124,19 @@ export class ReactTemplate implements Template {
 					igniteuiResFile = igniteuiResFile.replace(freeVersionPath, fullVersionPath);
 					igniteuiResFile = igniteuiResFile.replace("-lite", "");
 				}
-				fs.writeFileSync(igResPath, igniteuiResFile);
+				fs.ftruncateSync(fd, 0);
+				fs.writeSync(fd, igniteuiResFile, 0);
 			}
 
 			if (dvDep && !igniteuiResFile.includes(dvPath)) {
-				fs.appendFileSync(igResPath, `${'\r\n// Ignite UI Charts Required JavaScript File\r\nimport "'
-					+ dvPath + '";\r\n'}`);
+				const endPos = fs.fstatSync(fd).size;
+				fs.writeSync(fd, `\r\n// Ignite UI Charts Required JavaScript File\r\nimport "${dvPath}";\r\n`, endPos);
 			}
 
-		} else {
-			Util.log(`igniteuiResources.js file NOT found!`);
+			fs.closeSync(fd);
+		} catch (err) {
+			Util.error(`Error while updating igniteuiResources.js: ${err.message}`);
+			throw err;
 		}
 	}
 

packages/cli/package.json

@@ -78,7 +78,7 @@
   "dependencies": {
     "@igniteui/angular-templates": "~20.1.1466",
     "@igniteui/cli-core": "~14.6.6",
-    "@inquirer/prompts": "^5.4.0",
+    "@inquirer/prompts": "^7.9.0",
     "@types/yargs": "^17.0.33",
     "chalk": "^5.3.0",
     "glob": "^11.0.0",

packages/core/package.json

@@ -12,14 +12,14 @@
   "author": "Infragistics",
   "license": "MIT",
   "dependencies": {
-    "@inquirer/prompts": "~5.4.0",
+    "@inquirer/prompts": "^7.9.0",
     "chalk": "^2.3.2",
     "glob": "^11.0.0",
     "through2": "^2.0.3",
     "typescript": "~5.5.4"
   },
   "devDependencies": {
     "@angular-devkit/schematics": "^19.0.0",
-    "@inquirer/type": "^1.5.3"
+    "@inquirer/type": "^3.0.0"
   }
 }

packages/core/packages/PackageManager.ts

@@ -1,4 +1,4 @@
-import { exec } from "child_process";
+import { spawn } from "child_process";
 import * as path from "path";
 import { TemplateManager } from "../../cli/lib/TemplateManager";
 import { Config, FS_TOKEN, IFileSystem, ProjectTemplate } from "../types";
@@ -149,10 +149,10 @@ export class PackageManager {
 
 	public static addPackage(packageName: string, verbose: boolean = false): boolean {
 		const managerCommand = this.getManager();
-		const command = this.getInstallCommand(managerCommand, packageName);
+		const args = this.getInstallArgs(packageName);
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.execSync(command, { stdio: "pipe", encoding: "utf8" });
+			Util.spawnSync(managerCommand, args, { stdio: "pipe", encoding: "utf8" });
 		} catch (error) {
 			Util.log(`Error installing package ${packageName} with ${managerCommand}`);
 			if (verbose) {
@@ -165,7 +165,7 @@ export class PackageManager {
 	}
 
 	public static async queuePackage(packageName: string, verbose = false) {
-		const command = this.getInstallCommand(this.getManager(), packageName).replace("--save", "--no-save");
+		const args = this.getInstallArgs(packageName).map(arg => arg === '--save' ? '--no-save' : arg);
 		const [packName, version] = packageName.split(/@(?=[^\/]+$)/);
 		const packageJSON = this.getPackageJSON();
 		if (!packageJSON.dependencies) {
@@ -190,13 +190,24 @@ export class PackageManager {
 		// D.P. Concurrent install runs should be supported
 		// https://github.com/npm/npm/issues/5948
 		// https://github.com/npm/npm/issues/2500
+		const managerCommand = this.getManager();
 		const task = new Promise<{ packageName, error, stdout, stderr }>((resolve, reject) => {
-			const child = exec(
-				command, {},
-				(error, stdout, stderr) => {
-					resolve({ packageName, error, stdout, stderr });
-				}
-			);
+			const child = spawn(managerCommand, args);
+			let stdout = '';
+			let stderr = '';
+			child.stdout?.on('data', (data) => {
+				stdout += data.toString();
+			});
+			child.stderr?.on('data', (data) => {
+				stderr += data.toString();
+			});
+			child.on('close', (code) => {
+				const error = code !== 0 ? new Error(`Process exited with code ${code}`) : null;
+				resolve({ packageName, error, stdout, stderr });
+			});
+			child.on('error', (err) => {
+				resolve({ packageName, error: err, stdout, stderr });
+			});
 		});
 		task["packageName"] = packName;
 		this.installQueue.push(task);
@@ -281,6 +292,10 @@ export class PackageManager {
 		}
 	}
 
+	private static getInstallArgs(packageName: string): string[] {
+		return ['install', packageName, '--quiet', '--save'];
+	}
+
 	private static getManager(/*config:Config*/): string {
 		//stub to potentially swap out managers
 		return "npm";

packages/core/util/GoogleAnalytics.ts

@@ -69,16 +69,16 @@ class GoogleAnalytics {
 	protected static getUUID(): string {
 		const absolutePath = path.join(this.userDataFolder, this.appFolder, this.userSettings);
 		let UUID = "";
-		if (fs.existsSync(absolutePath)) {
-			UUID = require(absolutePath).UUID;
-		} else {
-			const dirName = path.dirname(absolutePath);
-			if (!fs.existsSync(dirName)) {
-				fs.mkdirSync(dirName);
-			}
+		const dirName = path.dirname(absolutePath);
+		fs.mkdirSync(dirName, { recursive: true });
 
+		try {
+			const fd = fs.openSync(absolutePath, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_RDWR, 0o600);
 			UUID = this.getUserID();
-			fs.writeFileSync(absolutePath, JSON.stringify({ UUID }));
+			fs.writeFileSync(fd, JSON.stringify({ UUID }));
+			fs.closeSync(fd);
+		} catch {
+			UUID = JSON.parse(fs.readFileSync(absolutePath, "utf8")).UUID;
 		}
 
 		return UUID;