From d396518b367ecbe296c0787cdedd50115663b337 Mon Sep 17 00:00:00 2001
From: Fernandez Ludovic <ldez@users.noreply.github.com>
Date: Thu, 28 May 2026 12:17:09 +0200
Subject: [PATCH] chore: generate

---
 dist/post_run/index.js | 25 ++++++++++++++++++++-----
 dist/run/index.js      | 25 ++++++++++++++++++++-----
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/dist/post_run/index.js b/dist/post_run/index.js
index 28547fb..6adc770 100644
--- a/dist/post_run/index.js
+++ b/dist/post_run/index.js
@@ -29642,6 +29642,19 @@ function _generateTmpName(opts) {
   return path.join(tmpDir, opts.dir, name);
 }
 
+/**
+ * Check the prefix and postfix options
+ *
+ * @private
+ */
+function _assertPath(path) {
+  if (path.includes("..")) {
+    throw new Error("Relative value not allowed");
+  }
+
+  return path;
+}
+
 /**
  * Asserts and sanitizes the basic options.
  *
@@ -29656,8 +29669,9 @@ function _assertOptionsBase(options) {
 
     // must not fail on valid .<name> or ..<name> or similar such constructs
     const basename = path.basename(name);
-    if (basename === '..' || basename === '.' || basename !== name)
+    if (basename === '..' || basename === '.' || basename !== name) {
       throw new Error(`name option must not contain a path, found "${name}".`);
+    }
   }
 
   /* istanbul ignore else */
@@ -29678,8 +29692,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;
-  options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
 }
 
 /**
@@ -29695,7 +29710,7 @@ function _getRelativePath(option, name, tmpDir, cb) {
 
     const relativePath = path.relative(tmpDir, resolvedPath);
 
-    if (!resolvedPath.startsWith(tmpDir)) {
+    if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
       return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
     }
 
@@ -29714,7 +29729,7 @@ function _getRelativePathSync(option, name, tmpDir) {
   const resolvedPath = _resolvePathSync(name, tmpDir);
   const relativePath = path.relative(tmpDir, resolvedPath);
 
-  if (!resolvedPath.startsWith(tmpDir)) {
+  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
     throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
   }
 
diff --git a/dist/run/index.js b/dist/run/index.js
index cfaeba7..97ca668 100644
--- a/dist/run/index.js
+++ b/dist/run/index.js
@@ -29642,6 +29642,19 @@ function _generateTmpName(opts) {
   return path.join(tmpDir, opts.dir, name);
 }
 
+/**
+ * Check the prefix and postfix options
+ *
+ * @private
+ */
+function _assertPath(path) {
+  if (path.includes("..")) {
+    throw new Error("Relative value not allowed");
+  }
+
+  return path;
+}
+
 /**
  * Asserts and sanitizes the basic options.
  *
@@ -29656,8 +29669,9 @@ function _assertOptionsBase(options) {
 
     // must not fail on valid .<name> or ..<name> or similar such constructs
     const basename = path.basename(name);
-    if (basename === '..' || basename === '.' || basename !== name)
+    if (basename === '..' || basename === '.' || basename !== name) {
       throw new Error(`name option must not contain a path, found "${name}".`);
+    }
   }
 
   /* istanbul ignore else */
@@ -29678,8 +29692,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;
-  options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
 }
 
 /**
@@ -29695,7 +29710,7 @@ function _getRelativePath(option, name, tmpDir, cb) {
 
     const relativePath = path.relative(tmpDir, resolvedPath);
 
-    if (!resolvedPath.startsWith(tmpDir)) {
+    if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
       return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
     }
 
@@ -29714,7 +29729,7 @@ function _getRelativePathSync(option, name, tmpDir) {
   const resolvedPath = _resolvePathSync(name, tmpDir);
   const relativePath = path.relative(tmpDir, resolvedPath);
 
-  if (!resolvedPath.startsWith(tmpDir)) {
+  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
     throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
   }