Updated the project.

my-app/node_modules/@npmcli/package-json/lib/index.js

@@ -1,11 +1,12 @@
-const { readFile, writeFile } = require('fs/promises')
-const { resolve } = require('path')
+const { readFile, writeFile } = require('node:fs/promises')
+const { resolve } = require('node:path')
+const parseJSON = require('json-parse-even-better-errors')
+
 const updateDeps = require('./update-dependencies.js')
 const updateScripts = require('./update-scripts.js')
 const updateWorkspaces = require('./update-workspaces.js')
 const normalize = require('./normalize.js')
-
-const parseJSON = require('json-parse-even-better-errors')
+const { read, parse } = require('./read-package.js')
 
 // a list of handy specialized helper functions that take
 // care of special cases that are handled by the npm cli
@@ -126,9 +127,8 @@ class PackageJson {
     this.#path = path
     let parseErr
     try {
-      this.#readFileContent = await readFile(this.filename, 'utf8')
+      this.#readFileContent = await read(this.filename)
     } catch (err) {
-      err.message = `Could not read package.json: ${err}`
       if (!parseIndex) {
         throw err
       }
@@ -158,12 +158,13 @@ class PackageJson {
 
   // Load data from a JSON string/buffer
   fromJSON (data) {
-    try {
-      this.#manifest = parseJSON(data)
-    } catch (err) {
-      err.message = `Invalid package.json: ${err}`
-      throw err
-    }
+    this.#manifest = parse(data)
+    return this
+  }
+
+  fromContent (data) {
+    this.#manifest = data
+    this.#canSave = false
     return this
   }
 

my-app/node_modules/@npmcli/package-json/lib/normalize.js

@@ -1,12 +1,30 @@
-const semver = require('semver')
-const fs = require('fs/promises')
-const { glob } = require('glob')
-const legacyFixer = require('normalize-package-data/lib/fixer.js')
-const legacyMakeWarning = require('normalize-package-data/lib/make_warning.js')
-const path = require('path')
-const log = require('proc-log')
-const git = require('@npmcli/git')
-const hostedGitInfo = require('hosted-git-info')
+const valid = require('semver/functions/valid')
+const clean = require('semver/functions/clean')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const { log } = require('proc-log')
+
+/**
+ * @type {import('hosted-git-info')}
+ */
+let _hostedGitInfo
+function lazyHostedGitInfo () {
+  if (!_hostedGitInfo) {
+    _hostedGitInfo = require('hosted-git-info')
+  }
+  return _hostedGitInfo
+}
+
+/**
+ * @type {import('glob').glob}
+ */
+let _glob
+function lazyLoadGlob () {
+  if (!_glob) {
+    _glob = require('glob').glob
+  }
+  return _glob
+}
 
 // used to be npm-normalize-package-bin
 function normalizePackageBin (pkg, changes) {
@@ -28,15 +46,14 @@ function normalizePackageBin (pkg, changes) {
           changes?.push(`removed invalid "bin[${binKey}]"`)
           continue
         }
-        const base = path.join('/', path.basename(binKey.replace(/\\|:/g, '/'))).slice(1)
+        const base = path.basename(secureAndUnixifyPath(binKey))
         if (!base) {
           delete pkg.bin[binKey]
           changes?.push(`removed invalid "bin[${binKey}]"`)
           continue
         }
 
-        const binTarget = path.join('/', pkg.bin[binKey].replace(/\\/g, '/'))
-          .replace(/\\/g, '/').slice(1)
+        const binTarget = secureAndUnixifyPath(pkg.bin[binKey])
 
         if (!binTarget) {
           delete pkg.bin[binKey]
@@ -65,6 +82,27 @@ function normalizePackageBin (pkg, changes) {
   delete pkg.bin
 }
 
+function normalizePackageMan (pkg, changes) {
+  if (pkg.man) {
+    const mans = []
+    for (const man of (Array.isArray(pkg.man) ? pkg.man : [pkg.man])) {
+      if (typeof man !== 'string') {
+        changes?.push(`removed invalid "man [${man}]"`)
+      } else {
+        mans.push(secureAndUnixifyPath(man))
+      }
+    }
+
+    if (!mans.length) {
+      changes?.push('empty "man" was removed')
+    } else {
+      pkg.man = mans
+      return pkg
+    }
+  }
+  delete pkg.man
+}
+
 function isCorrectlyEncodedName (spec) {
   return !spec.match(/[/@\s+%:]/) &&
     spec === encodeURIComponent(spec)
@@ -85,6 +123,19 @@ function isValidScopedPackageName (spec) {
     rest[1] === encodeURIComponent(rest[1])
 }
 
+function unixifyPath (ref) {
+  return ref.replace(/\\|:/g, '/')
+}
+
+function securePath (ref) {
+  const secured = path.join('.', path.join('/', unixifyPath(ref)))
+  return secured.startsWith('.') ? '' : secured
+}
+
+function secureAndUnixifyPath (ref) {
+  return unixifyPath(securePath(ref))
+}
+
 // We don't want the `changes` array in here by default because this is a hot
 // path for parsing packuments during install.  So the calling method passes it
 // in if it wants to track changes.
@@ -130,10 +181,10 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
     if (!data.version) {
       data.version = ''
     } else {
-      if (!semver.valid(data.version, loose)) {
+      if (!valid(data.version, loose)) {
         throw new Error(`Invalid version: "${data.version}"`)
       }
-      const version = semver.clean(data.version, loose)
+      const version = clean(data.version, loose)
       if (version !== data.version) {
         changes?.push(`"version" was cleaned and set to "${version}"`)
         data.version = version
@@ -208,7 +259,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   // add "install" attribute if any "*.gyp" files exist
   if (steps.includes('gypfile')) {
     if (!scripts.install && !scripts.preinstall && data.gypfile !== false) {
-      const files = await glob('*.gyp', { cwd: pkg.path })
+      const files = await lazyLoadGlob()('*.gyp', { cwd: pkg.path })
       if (files.length) {
         scripts.install = 'node-gyp rebuild'
         data.scripts = scripts
@@ -233,7 +284,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // strip "node_modules/.bin" from scripts entries
   // remove invalid scripts entries (non-strings)
-  if (steps.includes('scripts') || steps.includes('scriptpath')) {
+  if ((steps.includes('scripts') || steps.includes('scriptpath')) && data.scripts !== undefined) {
     const spre = /^(\.[/\\])?node_modules[/\\].bin[\\/]/
     if (typeof data.scripts === 'object') {
       for (const name in data.scripts) {
@@ -275,7 +326,11 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   // populate "readme" attribute
   if (steps.includes('readme') && !data.readme) {
     const mdre = /\.m?a?r?k?d?o?w?n?$/i
-    const files = await glob('{README,README.*}', { cwd: pkg.path, nocase: true, mark: true })
+    const files = await lazyLoadGlob()('{README,README.*}', {
+      cwd: pkg.path,
+      nocase: true,
+      mark: true,
+    })
     let readmeFile
     for (const file of files) {
       // don't accept directories.
@@ -303,13 +358,16 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   }
 
   // expand directories.man
-  if (steps.includes('mans') && !data.man && data.directories?.man) {
-    const manDir = data.directories.man
-    const cwd = path.resolve(pkg.path, manDir)
-    const files = await glob('**/*.[0-9]', { cwd })
-    data.man = files.map(man =>
-      path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
-    )
+  if (steps.includes('mans')) {
+    if (data.directories?.man && !data.man) {
+      const manDir = secureAndUnixifyPath(data.directories.man)
+      const cwd = path.resolve(pkg.path, manDir)
+      const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
+      data.man = files.map(man =>
+        path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
+      )
+    }
+    normalizePackageMan(data, changes)
   }
 
   if (steps.includes('bin') || steps.includes('binDir') || steps.includes('binRefs')) {
@@ -318,8 +376,8 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // expand "directories.bin"
   if (steps.includes('binDir') && data.directories?.bin && !data.bin) {
-    const binsDir = path.resolve(pkg.path, path.join('.', path.join('/', data.directories.bin)))
-    const bins = await glob('**', { cwd: binsDir })
+    const binsDir = path.resolve(pkg.path, securePath(data.directories.bin))
+    const bins = await lazyLoadGlob()('**', { cwd: binsDir })
     data.bin = bins.reduce((acc, binFile) => {
       if (binFile && !binFile.startsWith('.')) {
         const binName = path.basename(binFile)
@@ -333,6 +391,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // populate "gitHead" attribute
   if (steps.includes('gitHead') && !data.gitHead) {
+    const git = require('@npmcli/git')
     const gitRoot = await git.find({ cwd: pkg.path, root })
     let head
     if (gitRoot) {
@@ -446,7 +505,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
         }
       }
       if (data.repository.url) {
-        const hosted = hostedGitInfo.fromUrl(data.repository.url)
+        const hosted = lazyHostedGitInfo().fromUrl(data.repository.url)
         let r
         if (hosted) {
           if (hosted.getDefaultRepresentation() === 'shortcut') {
@@ -506,7 +565,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
               changes?.push(`Removed invalid "${deps}.${d}"`)
               delete data[deps][d]
             }
-            const hosted = hostedGitInfo.fromUrl(data[deps][d])?.toString()
+            const hosted = lazyHostedGitInfo().fromUrl(data[deps][d])?.toString()
             if (hosted && hosted !== data[deps][d]) {
               changes?.push(`Normalized git reference to "${deps}.${d}"`)
               data[deps][d] = hosted.toString()
@@ -518,6 +577,8 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   }
 
   if (steps.includes('normalizeData')) {
+    const legacyFixer = require('normalize-package-data/lib/fixer.js')
+    const legacyMakeWarning = require('normalize-package-data/lib/make_warning.js')
     legacyFixer.warn = function () {
       changes?.push(legacyMakeWarning.apply(null, arguments))
     }