chore(ci): remove package filter

fix(cli/node): add json5 resolution, fix audit ci (#5991 )
chore: run covector version
2026-04-11 10:43:31 +02:00 · 2023-01-18 21:45:06 -03:00 · 2023-01-18 21:33:34 -03:00 · 2023-01-18 21:29:40 -03:00 · 2023-01-18 21:29:00 -03:00 · 2022-12-22 10:57:18 -03:00
12 changed files with 191 additions and 50 deletions
--- a/.changes/config.json
+++ b/.changes/config.json
@@ -56,7 +56,6 @@
        }
      ],
      "postpublish": [
-        "git tag ${ pkg.pkg }-v${ pkgFile.versionMajor } -f",
        "git tag ${ pkg.pkg }-v${ pkgFile.versionMajor }.${ pkgFile.versionMinor } -f",
        "git push --tags -f"
      ],
@@ -116,7 +115,6 @@
        }
      ],
      "postpublish": [
-        "git tag ${ pkg.pkg }-v${ pkgFile.versionMajor } -f",
        "git tag ${ pkg.pkg }-v${ pkgFile.versionMajor }.${ pkgFile.versionMinor } -f",
        "git push --tags -f"
      ]
--- a/.github/workflows/publish-hotfix.yml
+++ b/.github/workflows/publish-hotfix.yml
@@ -0,0 +1,58 @@
+# Copyright 2019-2021 Tauri Programme within The Commons Conservancy
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: MIT
+
+name: version or publish
+
+on:
+  push:
+    branches:
+      - '1.*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    timeout-minutes: 65
+    outputs:
+      change: ${{ steps.covector.outputs.change }}
+      commandRan: ${{ steps.covector.outputs.commandRan }}
+      successfulPublish: ${{ steps.covector.outputs.successfulPublish }}
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 14
+          registry-url: 'https://registry.npmjs.org'
+          cache: yarn
+          cache-dependency-path: tooling/*/yarn.lock
+
+      - name: cargo login
+        run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }}
+      - name: git config
+        run: |
+          git config --global user.name "${{ github.event.pusher.name }}"
+          git config --global user.email "${{ github.event.pusher.email }}"
+
+      - name: covector version or publish (publish when no change files present)
+        uses: jbolda/covector/packages/action@covector-v0
+        id: covector
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          CARGO_AUDIT_OPTIONS: ${{ secrets.CARGO_AUDIT_OPTIONS }}
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          command: 'version-or-publish'
+          createRelease: true
+
+      - name: Trigger cli.js publishing workflow
+        if: |
+          steps.covector.outputs.successfulPublish == 'true' &&
+          contains(steps.covector.outputs.packagesPublished, 'cli.rs')
+        uses: peter-evans/repository-dispatch@v1
+        with:
+          token: ${{ secrets.TAURI_BOT_PAT }}
+          repository: tauri-apps/tauri
+          event-type: publish-clijs
--- a/core/tauri/CHANGELOG.md
+++ b/core/tauri/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog

+## \[1.2.4]
+
+- Pin `ignore` to `=0.4.18`.
+  - [adcb082b](https://www.github.com/tauri-apps/tauri/commit/adcb082b1651ecb2a6208b093e12f4185aa3fc98) chore(deps): pin `ignore` to =0.4.18 on 2023-01-17
+
+## \[1.2.3]
+
+- Fix the filesystem scope allowing sub-directories of the directory picked by the dialog when `recursive` option was `false`.
+  - [f1b0ad6e](https://www.github.com/tauri-apps/tauri/commit/f1b0ad6e8b721cf1420a9a4b9be5b05c39941d16) Merge pull request from GHSA-6mv3-wm7j-h4w5 on 2022-12-22
+
 ## \[1.2.2]

 - Invoke event listener in windows safely to avoid causing uncaught errors in windows that have loaded external urls
--- a/core/tauri/Cargo.toml
+++ b/core/tauri/Cargo.toml
@@ -10,7 +10,7 @@ license = "Apache-2.0 OR MIT"
 name = "tauri"
 readme = "README.md"
 repository = "https://github.com/tauri-apps/tauri"
-version = "1.2.2"
+version = "1.2.4"

 [package.metadata.docs.rs]
 no-default-features = true
@@ -60,7 +60,7 @@ state = "0.5"
 tar = "0.4.38"
 tempfile = "3"
 zip = { version = "0.6", default-features = false, optional = true }
-ignore = "0.4"
+ignore = "=0.4.18"
 flate2 = "1.0"
 http = "0.2"
 dirs-next = "2.0"
--- a/core/tauri/src/scope/fs.rs
+++ b/core/tauri/src/scope/fs.rs
@@ -141,7 +141,7 @@ impl Scope {
  /// Extend the allowed patterns with the given directory.
  ///
  /// After this function has been called, the frontend will be able to use the Tauri API to read
-  /// the directory and all of its files and subdirectories.
+  /// the directory and all of its files. If `recursive` is `true`, subdirectories will be accessible too.
  pub fn allow_directory<P: AsRef<Path>>(&self, path: P, recursive: bool) -> crate::Result<()> {
    let path = path.as_ref();
    {
@@ -216,13 +216,22 @@ impl Scope {

    if let Ok(path) = path {
      let path: PathBuf = path.components().collect();
+      let options = glob::MatchOptions {
+        // this is needed so `/dir/*` doesn't match files within subdirectories such as `/dir/subdir/file.txt`
+        // see: https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
+        require_literal_separator: true,
+        // dotfiles are not supposed to be exposed by default
+        #[cfg(unix)]
+        require_literal_leading_dot: true,
+        ..Default::default()
+      };

      let forbidden = self
        .forbidden_patterns
        .lock()
        .unwrap()
        .iter()
-        .any(|p| p.matches_path(&path));
+        .any(|p| p.matches_path_with(&path, options));

      if forbidden {
        false
@@ -232,7 +241,7 @@ impl Scope {
          .lock()
          .unwrap()
          .iter()
-          .any(|p| p.matches_path(&path));
+          .any(|p| p.matches_path_with(&path, options));
        allowed
      }
    } else {
@@ -269,32 +278,97 @@ mod tests {
  #[test]
  fn path_is_escaped() {
    let scope = new_scope();
-    scope.allow_directory("/home/tauri/**", false).unwrap();
-    assert!(scope.is_allowed("/home/tauri/**"));
-    assert!(scope.is_allowed("/home/tauri/**/file"));
-    assert!(!scope.is_allowed("/home/tauri/anyfile"));
+    #[cfg(unix)]
+    {
+      scope.allow_directory("/home/tauri/**", false).unwrap();
+      assert!(scope.is_allowed("/home/tauri/**"));
+      assert!(scope.is_allowed("/home/tauri/**/file"));
+      assert!(!scope.is_allowed("/home/tauri/anyfile"));
+    }
+    #[cfg(windows)]
+    {
+      scope.allow_directory("C:\\home\\tauri\\**", false).unwrap();
+      assert!(scope.is_allowed("C:\\home\\tauri\\**"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\**\\file"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\anyfile"));
+    }

    let scope = new_scope();
-    scope.allow_file("/home/tauri/**").unwrap();
-    assert!(scope.is_allowed("/home/tauri/**"));
-    assert!(!scope.is_allowed("/home/tauri/**/file"));
-    assert!(!scope.is_allowed("/home/tauri/anyfile"));
+    #[cfg(unix)]
+    {
+      scope.allow_file("/home/tauri/**").unwrap();
+      assert!(scope.is_allowed("/home/tauri/**"));
+      assert!(!scope.is_allowed("/home/tauri/**/file"));
+      assert!(!scope.is_allowed("/home/tauri/anyfile"));
+    }
+    #[cfg(windows)]
+    {
+      scope.allow_file("C:\\home\\tauri\\**").unwrap();
+      assert!(scope.is_allowed("C:\\home\\tauri\\**"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**\\file"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\anyfile"));
+    }

    let scope = new_scope();
-    scope.allow_directory("/home/tauri", true).unwrap();
-    scope.forbid_directory("/home/tauri/**", false).unwrap();
-    assert!(!scope.is_allowed("/home/tauri/**"));
-    assert!(!scope.is_allowed("/home/tauri/**/file"));
-    assert!(!scope.is_allowed("/home/tauri/**/inner/file"));
-    assert!(scope.is_allowed("/home/tauri/inner/folder/anyfile"));
-    assert!(scope.is_allowed("/home/tauri/anyfile"));
+    #[cfg(unix)]
+    {
+      scope.allow_directory("/home/tauri", true).unwrap();
+      scope.forbid_directory("/home/tauri/**", false).unwrap();
+      assert!(!scope.is_allowed("/home/tauri/**"));
+      assert!(!scope.is_allowed("/home/tauri/**/file"));
+      assert!(scope.is_allowed("/home/tauri/**/inner/file"));
+      assert!(scope.is_allowed("/home/tauri/inner/folder/anyfile"));
+      assert!(scope.is_allowed("/home/tauri/anyfile"));
+    }
+    #[cfg(windows)]
+    {
+      scope.allow_directory("C:\\home\\tauri", true).unwrap();
+      scope
+        .forbid_directory("C:\\home\\tauri\\**", false)
+        .unwrap();
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**\\file"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\**\\inner\\file"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\inner\\folder\\anyfile"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\anyfile"));
+    }

    let scope = new_scope();
-    scope.allow_directory("/home/tauri", true).unwrap();
-    scope.forbid_file("/home/tauri/**").unwrap();
-    assert!(!scope.is_allowed("/home/tauri/**"));
-    assert!(scope.is_allowed("/home/tauri/**/file"));
-    assert!(scope.is_allowed("/home/tauri/**/inner/file"));
-    assert!(scope.is_allowed("/home/tauri/anyfile"));
+    #[cfg(unix)]
+    {
+      scope.allow_directory("/home/tauri", true).unwrap();
+      scope.forbid_file("/home/tauri/**").unwrap();
+      assert!(!scope.is_allowed("/home/tauri/**"));
+      assert!(scope.is_allowed("/home/tauri/**/file"));
+      assert!(scope.is_allowed("/home/tauri/**/inner/file"));
+      assert!(scope.is_allowed("/home/tauri/anyfile"));
+    }
+    #[cfg(windows)]
+    {
+      scope.allow_directory("C:\\home\\tauri", true).unwrap();
+      scope.forbid_file("C:\\home\\tauri\\**").unwrap();
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\**\\file"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\**\\inner\\file"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\anyfile"));
+    }
+
+    let scope = new_scope();
+    #[cfg(unix)]
+    {
+      scope.allow_directory("/home/tauri", false).unwrap();
+      assert!(scope.is_allowed("/home/tauri/**"));
+      assert!(!scope.is_allowed("/home/tauri/**/file"));
+      assert!(!scope.is_allowed("/home/tauri/**/inner/file"));
+      assert!(scope.is_allowed("/home/tauri/anyfile"));
+    }
+    #[cfg(windows)]
+    {
+      scope.allow_directory("C:\\home\\tauri", false).unwrap();
+      assert!(scope.is_allowed("C:\\home\\tauri\\**"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**\\file"));
+      assert!(!scope.is_allowed("C:\\home\\tauri\\**\\inner\\file"));
+      assert!(scope.is_allowed("C:\\home\\tauri\\anyfile"));
+    }
  }
 }
--- a/tooling/cli/CHANGELOG.md
+++ b/tooling/cli/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog

+## \[1.2.3]
+
+- Pin `ignore` to `=0.4.18`.
+  - [adcb082b](https://www.github.com/tauri-apps/tauri/commit/adcb082b1651ecb2a6208b093e12f4185aa3fc98) chore(deps): pin `ignore` to =0.4.18 on 2023-01-17
+
 ## \[1.2.2]

 - Detect SvelteKit and Vite for the init and info commands.
--- a/tooling/cli/Cargo.lock
+++ b/tooling/cli/Cargo.lock
@@ -3121,7 +3121,7 @@ dependencies = [

 [[package]]
 name = "tauri-cli"
-version = "1.2.2"
+version = "1.2.3"
 dependencies = [
 "anyhow",
 "axum",
--- a/tooling/cli/Cargo.toml
+++ b/tooling/cli/Cargo.toml
@@ -3,7 +3,7 @@ members = [ "node" ]

 [package]
 name = "tauri-cli"
-version = "1.2.2"
+version = "1.2.3"
 authors = [ "Tauri Programme within The Commons Conservancy" ]
 edition = "2021"
 rust-version = "1.59"
@@ -68,7 +68,7 @@ heck = "0.4"
 dialoguer = "0.10"
 url = { version = "2.3", features = [ "serde" ] }
 os_pipe = "1"
-ignore = "0.4"
+ignore = "=0.4.18"
 ctrlc = "3.2"
 log = { version = "0.4.17", features = [ "kv_unstable", "kv_unstable_std" ] }
 env_logger = "0.9.1"
--- a/tooling/cli/metadata.json
+++ b/tooling/cli/metadata.json
@@ -1,8 +1,8 @@
 {
  "cli.js": {
-    "version": "1.2.2",
+    "version": "1.2.3",
    "node": ">= 10.0.0"
  },
-  "tauri": "1.2.2",
+  "tauri": "1.2.4",
  "tauri-build": "1.2.1"
 }
--- a/tooling/cli/node/CHANGELOG.md
+++ b/tooling/cli/node/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog

+## \[1.2.3]
+
+- Pin `ignore` to `=0.4.18`.
+  - [adcb082b](https://www.github.com/tauri-apps/tauri/commit/adcb082b1651ecb2a6208b093e12f4185aa3fc98) chore(deps): pin `ignore` to =0.4.18 on 2023-01-17
+
 ## \[1.2.2]

 - Detect SvelteKit and Vite for the init and info commands.
--- a/tooling/cli/node/package.json
+++ b/tooling/cli/node/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@tauri-apps/cli",
-  "version": "1.2.2",
+  "version": "1.2.3",
  "description": "Command line interface for building Tauri apps",
  "funding": {
    "type": "opencollective",
@@ -45,6 +45,9 @@
    "jest-transform-toml": "1.0.0",
    "prettier": "2.8.1"
  },
+  "resolutions": {
+    "json5": "2.2.3"
+  },
  "engines": {
    "node": ">= 10"
  },
--- a/tooling/cli/node/yarn.lock
+++ b/tooling/cli/node/yarn.lock
@@ -1822,17 +1822,10 @@ json-parse-even-better-errors@^2.3.0:
  resolved "https://registry.yarnpkg.com/json-parse-even-better-errors/-/json-parse-even-better-errors-2.3.1.tgz#7c47805a94319928e05777405dc12e1f7a4ee02d"
  integrity sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==

-json5@^2.1.2:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.0.tgz#2dfefe720c6ba525d9ebd909950f0515316c89a3"
-  integrity sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==
-  dependencies:
-    minimist "^1.2.5"
-
-json5@^2.2.1:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.1.tgz#655d50ed1e6f95ad1a3caababd2b0efda10b395c"
-  integrity sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==
+json5@2.2.3, json5@^2.1.2, json5@^2.2.1:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
+  integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==

 jsonfile@^6.0.1:
  version "6.1.0"
@@ -1911,11 +1904,6 @@ minimatch@^3.0.4:
  dependencies:
    brace-expansion "^1.1.7"

-minimist@^1.2.5:
-  version "1.2.6"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
-  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==
-
 ms@2.1.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
Author	SHA1	Message	Date
Lucas Nogueira	318802e700	chore(ci): remove package filter	2023-01-18 21:45:06 -03:00
Lucas Nogueira	19019e4eb6	fix(cli/node): add json5 resolution, fix audit ci (#5991 )	2023-01-18 21:33:34 -03:00
Lucas Nogueira	a6910c84b6	chore: run covector version	2023-01-18 21:29:40 -03:00
Lucas Nogueira	adcb082b16	chore(deps): pin `ignore` to =0.4.18	2023-01-18 21:29:00 -03:00
Lucas Nogueira	f9710402a8	run covector version	2022-12-22 10:57:18 -03:00
Amr Bashir	f1b0ad6e8b	Merge pull request from GHSA-6mv3-wm7j-h4w5 * fix(core): use `require_literal_separator` when matching paths * document the need for `require_literal_separator` * use `require_literal_leading_dot`	2022-12-22 10:56:35 -03:00
Lucas Nogueira	3cb7666a6a	prepare CI for hotfix publishes	2022-12-22 10:56:21 -03:00