module: add getRootPackageJSON

Author: marco-ippolito

lib/internal/modules/package_json_reader.js

@@ -186,6 +186,40 @@ function getNearestParentPackageJSON(checkPath) {
   return packageConfig;
 }
 
+const moduleToRootPackageJSONCache = new SafeMap();
+
+/**
+ * This is stricter than {@link getNearestParentPackageJSON}: nested
+ * `package.json` files inside a package are ignored, and a non-private package
+ * anywhere in the `node_modules` chain (for example a publishable package that
+ * bundles a private dependency) disqualifies the path. A directory under
+ * `node_modules` with no `package.json` (such as pnpm's `.pnpm` store) is not
+ * a package and is skipped.
+ *
+ * Returns the package.json data and the path to the package.json file, or undefined.
+ * @param {string} checkPath The path to start searching from.
+ * @returns {undefined | DeserializedPackageConfig}
+ */
+function getRootPackageJSON(checkPath) {
+  const packageJSONPath = moduleToRootPackageJSONCache.get(checkPath);
+  if (packageJSONPath !== undefined) {
+    return deserializedPackageJSONCache.get(packageJSONPath);
+  }
+
+  const result = modulesBinding.getRootPackageJSON(checkPath);
+  const packageConfig = deserializePackageJSON(checkPath, result);
+
+  moduleToRootPackageJSONCache.set(checkPath, packageConfig.path);
+
+  const maybeCachedPackageConfig = deserializedPackageJSONCache.get(packageConfig.path);
+  if (maybeCachedPackageConfig !== undefined) {
+    return maybeCachedPackageConfig;
+  }
+
+  deserializedPackageJSONCache.set(packageConfig.path, packageConfig);
+  return packageConfig;
+}
+
 /**
  * Returns the package configuration for the given resolved URL.
  * @param {URL | string} resolved - The resolved URL.
@@ -358,6 +392,7 @@ function findPackageJSON(specifier, base = 'data:') {
 module.exports = {
   read,
   getNearestParentPackageJSON,
+  getRootPackageJSON,
   getPackageScopeConfig,
   getPackageType,
   getPackageJSONURL,

lib/internal/modules/typescript.js

@@ -152,15 +152,22 @@ const isStripPrivateModulesEnabled = getLazy(
 );
 
 /**
- * Checks if the nearest parent package.json of a file marks its package
- * as private.
+ * Checks whether a file under node_modules is owned by a private package, in
+ * which case type stripping is allowed under `--experimental-strip-private-modules`.
+ *
+ * Every package enclosing the file inside `node_modules` must be marked
+ * `"private": true`. npm refuses to publish a private package, so requiring
+ * the package root (not a nested package.json, which is published verbatim)
+ * and rejecting any non-private enclosing package (e.g. a publishable package
+ * bundling a private dependency) prevents published packages from shipping
+ * strippable TypeScript. See {@link getRootPackageJSON}.
  * @param {string} filename The filename (path or file URL) of the source code.
  * @returns {boolean} Whether the file belongs to a package with `"private": true`.
  */
 function isInsidePrivatePackage(filename) {
-  const { getNearestParentPackageJSON } = require('internal/modules/package_json_reader');
+  const { getRootPackageJSON } = require('internal/modules/package_json_reader');
   const { urlToFilename } = require('internal/modules/helpers');
-  const packageJSON = getNearestParentPackageJSON(urlToFilename(filename));
+  const packageJSON = getRootPackageJSON(urlToFilename(filename));
   return packageJSON?.data.private === true;
 }
 

src/node_modules.cc

@@ -342,6 +342,72 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
   return nullptr;
 }
 
+const BindingData::PackageConfig* BindingData::FindNodeModulesPackage(
+    Realm* realm, const std::filesystem::path& check_path) {
+  std::filesystem::path current_path = check_path;
+  std::filesystem::path child;
+  std::filesystem::path grandchild;
+  const PackageConfig* innermost = nullptr;
+  auto env = realm->env();
+  const bool is_permissions_enabled = env->permission()->enabled();
+
+  while (true) {
+    auto parent_path = current_path.parent_path();
+    if (parent_path == current_path) {
+      // Reached the filesystem root.
+      break;
+    }
+
+    if (current_path.filename() == "node_modules") {
+      // `child` is the directory directly under node_modules. For scoped
+      // packages the package root is one level further down.
+      const std::string child_name = child.filename().generic_string();
+      const std::filesystem::path& package_root =
+          (!child_name.empty() && child_name[0] == '@') ? grandchild : child;
+      if (package_root.empty()) {
+        // The path points at a node_modules or bare scope directory rather
+        // than into a package.
+        return nullptr;
+      }
+
+      auto package_json_path = package_root / "package.json";
+
+      // GetPackageJSON()'s ReadFileSync() reads the file directly without
+      // consulting the permission model, so check read access here as
+      // TraverseParent() does. Without permission to confirm the package is
+      // private, fail closed and deny stripping.
+      if (is_permissions_enabled) [[unlikely]] {
+        if (!env->permission()->is_granted(
+                env,
+                permission::PermissionScope::kFileSystemRead,
+                ConvertGenericPathToUTF8(package_json_path))) {
+          return nullptr;
+        }
+      }
+
+      auto package_json =
+          GetPackageJSON(realm, ConvertPathToUTF8(package_json_path), nullptr);
+      if (package_json != nullptr) {
+        if (!package_json->is_private.value_or(false)) {
+          // A publishable (non-private) package encloses the file.
+          return nullptr;
+        }
+        if (innermost == nullptr) {
+          innermost = package_json;
+        }
+      }
+      // A directory under node_modules with no package.json is not a package
+      // (e.g. pnpm's `.pnpm` store); skip it and keep walking upwards.
+    }
+
+    grandchild = child;
+    child = current_path;
+    current_path = parent_path;
+  }
+
+  return innermost;
+}
+
 const std::filesystem::path BindingData::NormalizePath(
     Realm* realm, BufferValue* path_value) {
   // Check if the path has a trailing slash. If so, add it after
@@ -376,6 +442,22 @@ void BindingData::GetNearestParentPackageJSON(
   }
 }
 
+void BindingData::GetRootPackageJSON(const FunctionCallbackInfo<Value>& args) {
+  CHECK_GE(args.Length(), 1);
+  CHECK(args[0]->IsString());
+
+  Realm* realm = Realm::GetCurrent(args);
+  BufferValue path_value(realm->isolate(), args[0]);
+
+  auto path = NormalizePath(realm, &path_value);
+
+  auto package_json = FindNodeModulesPackage(realm, path);
+
+  if (package_json != nullptr) {
+    args.GetReturnValue().Set(package_json->Serialize(realm));
+  }
+}
+
 void BindingData::GetNearestParentPackageJSONType(
     const FunctionCallbackInfo<Value>& args) {
   CHECK_GE(args.Length(), 1);
@@ -629,6 +711,7 @@ void BindingData::CreatePerIsolateProperties(IsolateData* isolate_data,
             target,
             "getNearestParentPackageJSON",
             GetNearestParentPackageJSON);
+  SetMethod(isolate, target, "getRootPackageJSON", GetRootPackageJSON);
   SetMethod(
       isolate, target, "getPackageScopeConfig", GetPackageScopeConfig<false>);
   SetMethod(isolate, target, "getPackageType", GetPackageScopeConfig<true>);
@@ -701,6 +784,7 @@ void BindingData::RegisterExternalReferences(
   registry->Register(ReadPackageJSON);
   registry->Register(GetNearestParentPackageJSONType);
   registry->Register(GetNearestParentPackageJSON);
+  registry->Register(GetRootPackageJSON);
   registry->Register(GetPackageScopeConfig<false>);
   registry->Register(GetPackageScopeConfig<true>);
   registry->Register(EnableCompileCache);

src/node_modules.h

@@ -58,6 +58,8 @@ class BindingData : public SnapshotableObject {
   static void ReadPackageJSON(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetNearestParentPackageJSON(
       const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetRootPackageJSON(
+      const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetNearestParentPackageJSONType(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   template <bool return_only_type>
@@ -93,6 +95,11 @@ class BindingData : public SnapshotableObject {
       ErrorContext* error_context = nullptr);
   static const PackageConfig* TraverseParent(
       Realm* realm, const std::filesystem::path& check_path);
+  // Returns the package.json of the package that owns check_path inside the
+  // innermost node_modules directory, or null when check_path is not inside
+  // node_modules or the package root has no package.json.
+  static const PackageConfig* FindNodeModulesPackage(
+      Realm* realm, const std::filesystem::path& check_path);
 };
 
 }  // namespace modules

test/es-module/test-typescript.mjs

@@ -109,22 +109,60 @@ test('expect failure for a private package in node_modules without --experimenta
        assert.strictEqual(result.code, 1);
      });
 
-// TODO(marco-ippolito): a nested package.json must not be able to enable type
-// stripping: npm only refuses to publish packages whose root package.json has
-// "private": true, so a published package can freely ship a nested
-// package.json with "private": true and bypass the restriction. Only the
-// package.json at the package root should be consulted.
-test('nested package.json faking "private": true in node_modules enables type stripping',
+// A nested package.json must not be able to enable type stripping: npm only
+// refuses to publish packages whose root package.json has "private": true, so
+// a published package can freely ship a nested package.json with
+// "private": true. Only the package.json at the package root is consulted.
+test('expect failure for a nested package.json faking "private": true in node_modules',
      async () => {
        const result = await spawnPromisified(process.execPath, [
          '--experimental-strip-private-modules',
          '--no-warnings',
          fixtures.path('typescript/ts/test-typescript-fake-private-node-modules.ts'),
        ]);
 
-       assert.strictEqual(result.stderr, '');
-       assert.match(result.stdout, /Hello, TypeScript!/);
-       assert.strictEqual(result.code, 0);
+       assert.match(result.stderr, /ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING/);
+       assert.strictEqual(result.stdout, '');
+       assert.strictEqual(result.code, 1);
+     });
+
+test('expect failure for a private package bundled inside a non-private package',
+     async () => {
+       const result = await spawnPromisified(process.execPath, [
+         '--experimental-strip-private-modules',
+         '--no-warnings',
+         fixtures.path('typescript/ts/test-typescript-bundled-private-node-modules.ts'),
+       ]);
+
+       assert.match(result.stderr, /ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING/);
+       assert.strictEqual(result.stdout, '');
+       assert.strictEqual(result.code, 1);
+     });
+
+test('expect failure for a relative import into a non-private node_modules package',
+     async () => {
+       const result = await spawnPromisified(process.execPath, [
+         '--experimental-strip-private-modules',
+         '--no-warnings',
+         fixtures.path('typescript/ts/test-typescript-relative-node-modules.ts'),
+       ]);
+
+       assert.match(result.stderr, /ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING/);
+       assert.strictEqual(result.stdout, '');
+       assert.strictEqual(result.code, 1);
+     });
+
+test('expect failure for a ".." path resolving to a non-private node_modules package',
+     async () => {
+       const result = await spawnPromisified(process.execPath, [
+         '--experimental-strip-private-modules',
+         '--no-warnings',
+         fixtures.path('typescript/ts/test-typescript-dotdot-node-modules.ts'),
+       ]);
+
+       assert.match(result.stderr, /ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING/);
+       assert.strictEqual(result.stdout, '');
+       assert.strictEqual(result.code, 1);
      });
 
 test('expect failure for a non-private package in node_modules with --experimental-strip-private-modules',

test/fixtures/typescript/ts/node_modules/bundler-pkg/index.js

@@ -0,0 +1,3 @@
+import { baz } from 'bundler-pkg';
+
+console.log(baz);