fix: Resolve panic for long pathnames in npm tarballs #32
Conversation
|
|
|
This is ready for review now. The patch fixes the problem, but is not ideal. What we really need is a way to propagate publish errors from deep inside the code base. Ideally there is a system to collect these and even return more than one at a time. For now, it seems best to handle almost all cases by changing the limit to 100 characters - even tho that's not exactly true - still need room for "package/" and appending ".d" to file names. That accounts for 90 characters, but there might be other situations. Therefore let's just tell people it's 100 improve the error messages and revisit this later. People with paths between ~90 and 100 bytes will get an error with the path in it, but it won't be the right error code. |
|
@ry So I didn't mean to change 160 -> 100. There are two limits at play here coming from
You can see the code for this here: https://docs.rs/tar/latest/src/tar/header.rs.html#975-1026 So instead of checking that total length <= 160 (very restrictive), check that the total length is < 100, and that the final component of the path is less than 95. |
ry
changed the title
This fix addresses a panic during npm tarball creation caused by not accounting for path length limits. Specifically, we already required the total path length must be under 160 characters to be compatible with Windows, but we need to limit it further to 155 to accommodate tarball constraints. Additionally, the final path component is restricted to under 100 characters, which we've reduced to 95 to permit extension modifications (e.g., adding '.d.ts').