
Astro experiment #3503

Draft
DanielRosenwasser wants to merge 8 commits into v2 from astro

@DanielRosenwasser
Member

No description provided.

const outDir = join(__dirname, "..", "..", "typescriptlang-org", "public", "js", "examples");

if (!existsSync(outDir)) execSync(`mkdir ${outDir}`);
if (!existsSync(outDir)) execSync(`mkdir -p ${outDir}`);
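
Review bot: the `mkdir -p` line still interpolates `outDir` unquoted into a shell string, so a checkout whose `__dirname` contains a space or a shell metacharacter is re-parsed by the shell instead of being treated as one path. Suggest creating the directory without a shell, for example `fs.mkdirSync(outDir, { recursive: true })`; with a recursive create the `existsSync` guard is no longer needed either.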

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled absolute path.

Copilot Autofix

AI about 24 hours ago

In general, the fix is to avoid passing dynamically constructed command strings through a shell. Instead, call the underlying program directly and pass any dynamic values (like paths) as separate arguments, or better, use Node’s own filesystem operations when possible.

For this specific case, the best fix without changing observable functionality is to replace the execSync("mkdir -p ...") invocation with code that creates the directory using Node APIs. Since mkdir -p’s behavior is “create this directory and any missing parents, and don’t error if it already exists,” the direct analogue is fs.mkdirSync(outDir, { recursive: true }), or, since fs-extra is already imported as fse, fse.ensureDirSync(outDir). Using fs-extra keeps the code consistent with the rest of the file.

Concretely:

  • In packages/playground-examples/scripts/copyFiles.js, on line 12, replace if (!existsSync(outDir)) execSync(`mkdir -p ${outDir}`); with a call to fse.ensureDirSync(outDir);.
  • This removes the shell call entirely, so there is no longer any shell command built from environment values.
  • No new imports are needed; fse is already required from fs-extra.

Suggested changeset 1
packages/playground-examples/scripts/copyFiles.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/playground-examples/scripts/copyFiles.js b/packages/playground-examples/scripts/copyFiles.js
--- a/packages/playground-examples/scripts/copyFiles.js
+++ b/packages/playground-examples/scripts/copyFiles.js
@@ -9,7 +9,7 @@
 const jsonDir = join(__dirname, "..", "generated");
 const outDir = join(__dirname, "..", "..", "typescriptlang-org", "public", "js", "examples");
 
-if (!existsSync(outDir)) execSync(`mkdir -p ${outDir}`);
+if (!existsSync(outDir)) fse.ensureDirSync(outDir);
 
 // Move samples
 fse.copySync(copyDir, outDir);
EOF
@@ -9,7 +9,7 @@
const jsonDir = join(__dirname, "..", "generated");
const outDir = join(__dirname, "..", "..", "typescriptlang-org", "public", "js", "examples");

if (!existsSync(outDir)) execSync(`mkdir -p ${outDir}`);
if (!existsSync(outDir)) fse.ensureDirSync(outDir);

// Move samples
fse.copySync(copyDir, outDir);
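
Review bot: the `existsSync(outDir)` guard kept on the replacement line is redundant, because `fse.ensureDirSync` already does nothing when the directory exists, and testing first then creating leaves a gap between the check and the call. Suggest the unconditional `fse.ensureDirSync(outDir);` that the Autofix text itself describes, and once this line no longer calls `execSync`, check whether the file's `execSync` and `existsSync` imports still have other uses.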
Copilot is powered by AI and may make mistakes. Always verify output.
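
The difference the Autofix comment describes, as an added example that is not part of this PR or the repository's code: the same directory is created through a shell string, through an argument vector, and through Node's own API. It assumes a POSIX shell with `mkdir` on the PATH; `strategies`, `createdBy` and `compare` are hypothetical names, and the sample path with a space in it is constructed.

```javascript
// Added example, not code from the PR. Assumes a POSIX shell and `mkdir` on PATH.
const { execSync, execFileSync } = require("node:child_process");
const { mkdtempSync, mkdirSync, readdirSync, rmSync } = require("node:fs");
const { tmpdir } = require("node:os");
const { join } = require("node:path");

// Three ways to create outDir. Only the first sends the path through a shell.
const strategies = {
  // Flagged pattern: the shell re-parses the path (spaces, `;`, `$(...)`, ...).
  shellString: (outDir, cwd) => execSync(`mkdir -p ${outDir}`, { cwd }),
  // Argument vector: no shell, the path is exactly one argv entry.
  argVector: (outDir, cwd) => execFileSync("mkdir", ["-p", outDir], { cwd }),
  // Node API: no child process at all; no-op if the directory already exists.
  nodeApi: (outDir) => mkdirSync(outDir, { recursive: true }),
};

// Run one strategy in a throwaway sandbox and return the top-level entries created.
function createdBy(strategy) {
  const sandbox = mkdtempSync(join(tmpdir(), "mkdir-demo-"));
  try {
    // Constructed sample: a checkout directory whose name contains a space.
    const outDir = join(sandbox, "my project", "public", "js", "examples");
    strategy(outDir, sandbox);
    return readdirSync(sandbox).sort();
  } finally {
    rmSync(sandbox, { recursive: true, force: true });
  }
}

// Map each strategy name to the entries it produced.
function compare() {
  return Object.fromEntries(
    Object.entries(strategies).map(([name, fn]) => [name, createdBy(fn)])
  );
}

console.log(compare());
```

The shell-string variant splits the path at the space and creates two unrelated directories, while the other two create the single intended one.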