init 3

node_modules/resolve/.github/THREAT_MODEL.md

@@ -0,0 +1,74 @@
+## Threat Model for resolve (module path resolution library)
+
+### 1. Library Overview
+
+- **Library Name:** resolve
+- **Brief Description:** Implements Node.js `require.resolve()` algorithm for synchronous and asynchronous file path resolution. Used to locate modules and files in Node.js projects.
+- **Key Public APIs/Functions:** `resolve.sync()` / `resolve/sync`, `resolve()` / `resolve/async`
+
+### 2. Define Scope
+
+This threat model focuses on the core path resolution algorithm, including filesystem interaction, option handling, and cache management.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → resolve(id, options) → Resolution Algorithm → File System
+                           │
+                           └→ Options Handling
+                           └→ Cache System
+```
+
+**Trust Boundaries:**
+- **Input module IDs:** May come from untrusted sources (user input, configuration)
+- **Filesystem access:** The library interacts with the filesystem to resolve paths
+- **Options:** Provided by the caller
+- **Cache:** Used to improve performance, but could be a vector for tampering or information disclosure if not handled securely
+
+### 4. Identify Assets
+
+- **Integrity of resolution output:** Ensure correct and safe file path matching.
+- **Confidentiality of configuration:** Prevent sensitive path information from being leaked.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion.
+- **Security of host application:** Prevent path traversal or unintended filesystem access.
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1][3][4].
+
+### 5. Identify Threats
+
+| Component / API / Interaction                       | S  | T  | R  | I  | D  | E  |
+|-----------------------------------------------------|----|----|----|----|----|----|
+| Public API Call (`resolve/async`, `resolve/sync`)   | ✓  | ✓  | –  | ✓  | –  | –  |
+| Filesystem Access                                   | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                                    | ✓  | ✓  | –  | ✓  | –  | –  |
+| Cache System                                        | –  | ✓  | –  | ✓  | –  | –  |
+
+**Key Threats:**
+- **Spoofing:** Malicious module IDs mimicking legitimate packages, or spoofing configuration options[1].
+- **Tampering:** Caller-provided paths altering resolution order, or cache tampering leading to incorrect results[1][4].
+- **Information Disclosure:** Error messages revealing filesystem structure or sensitive paths[1].
+- **Denial of Service:** Recursive or excessive resolution exhausting filesystem handles or causing application crashes[1].
+- **Path Traversal:** Malicious input allowing access to files outside the intended directory[4].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                          | Proposed Mitigation |
+|--------------------------------------------|---------------------|
+| Spoofing (malicious module IDs/config)     | Sanitize input IDs; validate against known patterns; restrict `basedir` to app-controlled paths[1][4]. |
+| Tampering (path traversal, cache)          | Validate input IDs for directory escapes; secure cache reads/writes; restrict cache to trusted sources[1][4]. |
+| Information Disclosure (error messages)    | Generic "not found" errors without internal paths; avoid exposing sensitive configuration in errors[1]. |
+| Denial of Service (resource exhaustion)    | Limit recursive resolution depth; implement timeout; monitor for excessive filesystem operations[1]. |
+
+### 7. Risk Ranking
+
+- **High:** Path traversal via malicious IDs (if not properly mitigated)
+- **Medium:** Cache tampering or spoofing (if cache is not secured)
+- **Low:** Information disclosure in errors (if error handling is generic)
+
+### 8. Next Steps & Review
+
+1. **Implement input sanitization for module IDs and configuration.**
+2. **Add resolution depth limiting and timeout.**
+3. **Audit cache handling for race conditions and tampering.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Monitor for new threats as the ecosystem and library evolve[1][3].**

node_modules/resolve/lib/core.js

@@ -0,0 +1,12 @@
+'use strict';
+
+var isCoreModule = require('is-core-module');
+var data = require('./core.json');
+
+var core = {};
+for (var mod in data) { // eslint-disable-line no-restricted-syntax
+    if (Object.prototype.hasOwnProperty.call(data, mod)) {
+        core[mod] = isCoreModule(mod);
+    }
+}
+module.exports = core;

node_modules/resolve/test/dotdot.js

@@ -0,0 +1,29 @@
+var path = require('path');
+var test = require('tape');
+var resolve = require('../');
+
+test('dotdot', function (t) {
+    t.plan(4);
+    var dir = path.join(__dirname, '/dotdot/abc');
+
+    resolve('..', { basedir: dir }, function (err, res, pkg) {
+        t.ifError(err);
+        t.equal(res, path.join(__dirname, 'dotdot/index.js'));
+    });
+
+    resolve('.', { basedir: dir }, function (err, res, pkg) {
+        t.ifError(err);
+        t.equal(res, path.join(dir, 'index.js'));
+    });
+});
+
+test('dotdot sync', function (t) {
+    t.plan(2);
+    var dir = path.join(__dirname, '/dotdot/abc');
+
+    var a = resolve.sync('..', { basedir: dir });
+    t.equal(a, path.join(__dirname, 'dotdot/index.js'));
+
+    var b = resolve.sync('.', { basedir: dir });
+    t.equal(b, path.join(dir, 'index.js'));
+});

node_modules/resolve/test/node_path/x/ccc/index.js

@@ -0,0 +1 @@
+module.exports = 'C';

node_modules/resolve/test/precedence.js

@@ -0,0 +1,23 @@
+var path = require('path');
+var test = require('tape');
+var resolve = require('../');
+
+test('precedence', function (t) {
+    t.plan(3);
+    var dir = path.join(__dirname, 'precedence/aaa');
+
+    resolve('./', { basedir: dir }, function (err, res, pkg) {
+        t.ifError(err);
+        t.equal(res, path.join(dir, 'index.js'));
+        t.equal(pkg.name, 'resolve');
+    });
+});
+
+test('./ should not load ${dir}.js', function (t) { // eslint-disable-line no-template-curly-in-string
+    t.plan(1);
+    var dir = path.join(__dirname, 'precedence/bbb');
+
+    resolve('./', { basedir: dir }, function (err, res, pkg) {
+        t.ok(err);
+    });
+});