
Conversation

@eamodio (Member) commented Oct 6, 2025

Closes #4666

Overview

Replaces platform-specific shell commands for zip extraction with a JavaScript-based solution using the fflate library, improving reliability and security across different operating systems.

Key Improvements

  • Cross-platform compatibility: Eliminates dependency on PowerShell (Windows) and unzip command (Unix) by using a pure JavaScript solution
  • Enhanced security: Adds path traversal protection to prevent malicious zip files from extracting files outside the intended directory
  • Selective extraction: Filters files during extraction to only extract needed binaries, reducing I/O operations
  • Automatic permissions: Sets executable permissions on Unix systems without requiring additional shell commands
  • Better error handling: Provides more consistent error reporting across platforms

Technical Changes

  • Adds fflate dependency for cross-platform zip extraction
  • Implements custom extraction function with security safeguards
  • Updates third-party notices to include fflate license information
  • Removes reliance on external system commands for file extraction

This change improves the reliability of CLI installation across different environments while enhancing security through built-in protections against zip-based attacks.
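
The description lists the safeguards the new extraction path relies on (traversal check, selective extraction, explicit Unix mode bits) without showing how they fit together. The following TypeScript is an added illustration written for this page, not the PR's `extractZipFile` from `src/env/node/gk/cli/utils.ts`. It assumes only the shape fflate's `unzipSync` returns (a map of entry name to `Uint8Array`) and does not call fflate itself, so it runs offline; `safeDestination`, `extractEntries`, the `needed` set and every archive entry are constructed for the example.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// The shape fflate's unzipSync returns: archive entry name -> file contents.
type Unzipped = { [name: string]: Uint8Array };

interface ExtractResult {
  written: string[];  // absolute paths of files written under destDir
  skipped: string[];  // entries the caller's filter did not want
  rejected: string[]; // entries refused because they would land outside destDir
}

// Resolve an archive entry name against destDir; undefined means "would escape".
// Covers '../' segments, absolute POSIX paths, backslash separators and Windows
// drive letters, all of which a hostile archive can put in an entry name.
function safeDestination(destDir: string, entryName: string): string | undefined {
  if (entryName.length === 0 || entryName.includes('\0')) return undefined;
  const normalised = entryName.replace(/\\/g, '/');
  if (normalised.startsWith('/') || /^[A-Za-z]:/.test(normalised)) return undefined;
  const root = path.resolve(destDir);
  const target = path.resolve(root, normalised);
  const rel = path.relative(root, target);
  // Empty rel means the entry resolves to destDir itself; a leading '..' segment means it climbed out.
  if (rel === '' || rel === '..' || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    return undefined;
  }
  return target;
}

// Write the wanted entries of an already-unzipped archive into destDir.
// `wanted` is applied to the entry's base name (e.g. 'gk' or 'gk.exe').
function extractEntries(
  files: Unzipped,
  destDir: string,
  wanted: (baseName: string) => boolean,
  platform: string = process.platform,
): ExtractResult {
  const result: ExtractResult = { written: [], skipped: [], rejected: [] };
  for (const [name, data] of Object.entries(files)) {
    if (name.endsWith('/') || name.endsWith('\\')) continue; // directory entry: nothing to write
    const dest = safeDestination(destDir, name);
    if (dest === undefined) {
      result.rejected.push(name);
      continue;
    }
    if (!wanted(path.basename(dest))) {
      result.skipped.push(name);
      continue;
    }
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    fs.writeFileSync(dest, data);
    // unzipSync hands back only the bytes, so the Unix mode has to be set explicitly.
    if (platform !== 'win32') fs.chmodSync(dest, 0o755);
    result.written.push(dest);
  }
  return result;
}

// Constructed sample: the map unzipSync would produce for an archive that holds one
// CLI binary plus hostile entry names. Not a real GitKraken CLI archive.
function demo(): { destDir: string; result: ExtractResult } {
  const destDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cli-unzip-'));
  const archive: Unzipped = {
    'gk': Buffer.from('#!/bin/sh\necho gk\n'),
    'README.md': Buffer.from('not a binary, not wanted'),
    'bin/': new Uint8Array(0),
    '../../escaped.sh': Buffer.from('would land outside destDir if unchecked'),
    '/etc/cron.d/escaped': Buffer.from('absolute path'),
    'C:\\Windows\\escaped.exe': Buffer.from('drive letter plus backslashes'),
  };
  const needed = new Set(['gk', 'gk.exe']); // hypothetical binary names for the example
  const result = extractEntries(archive, destDir, (base) => needed.has(base));
  return { destDir, result };
}

const report = demo();
console.log(`extracted into ${report.destDir}`, report.result);
```

Running it writes only `gk` (executable on Unix), skips `README.md`, and rejects the three entries that point outside the destination. The check is purely lexical: it does not protect against a directory already present under `destDir` that is a symlink elsewhere, so an installer that extracts into a location it does not fully control should also resolve the parent with `fs.realpathSync` before writing.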

@eamodio eamodio requested review from Copilot and sergeibbb October 6, 2025 20:29
@eamodio eamodio self-assigned this Oct 6, 2025
@Copilot (Copilot AI) left a comment

Pull Request Overview

This PR replaces platform-specific shell commands for zip extraction with a cross-platform JavaScript solution using the fflate library, improving reliability and security across different operating systems.

  • Introduces a new extractZipFile function with path traversal protection and selective extraction capabilities
  • Replaces PowerShell and unzip command usage with the fflate library for cross-platform compatibility
  • Adds the fflate dependency and updates third-party notices accordingly

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

File                                Description
src/env/node/gk/cli/utils.ts        Adds new extractZipFile function with security safeguards and cross-platform support
src/env/node/gk/cli/integration.ts  Replaces platform-specific shell commands with the new extractZipFile function
package.json                        Adds fflate dependency for zip extraction functionality
ThirdPartyNotices.txt               Updates license information to include fflate library notice
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


@eamodio eamodio added this to the 17.6-patch milestone Oct 6, 2025
@sergeibbb (Member) left a comment

Hi @eamodio!

I've reviewed. There are 2 minor notes.

- Filters files during extraction to only extract needed binaries
- Adds path traversal protection for security
- Automatically sets executable permissions on Unix systems
@eamodio eamodio merged commit b221e58 into main Oct 7, 2025
3 checks passed
@sergeibbb sergeibbb deleted the debt/cli-unzip branch October 8, 2025 08:49
Development

Successfully merging this pull request may close these issues.

OS-specific unzip causes high failure rates

2 participants