fix: update file path handling in RegexScannerDriver to use POSIX format. This change ensures consistent path representation across different operating systems.#29
Open
NotWrench wants to merge 3 commits into
Conversation
…mat. This change ensures consistent path representation across different operating systems.
|
@NotWrench is attempting to deploy a commit to the Vercel Labs Team on Vercel. A member of the Team first needs to authorize it. |
…ded global setup for E2E tests and updated path functions to use POSIX format for consistent behavior across different operating systems.
divyamagrawal06
approved these changes
May 5, 2026
divyamagrawal06
left a comment
divyamagrawal06
left a comment
There was a problem hiding this comment.
Reproduced on Windows in another repo: pnpm deepsec scan crashed at missing-auth with Invalid filePath: contains backslash.
This PR’s scanner normalization (glob output \ → /) matches the root cause and should unblock that path.
This was referenced May 5, 2026
4 tasks
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
| // "\"), so normalize once here before anything reads or writes records. | ||
| const files = rawFiles.map((f) => f.replaceAll("\\", "/")); | ||
| globCache.set(key, files); | ||
| const posixPaths = files.map((p) => p.replace(/\\/g, "/")); |
There was a problem hiding this comment.
Merge conflict resolution left three references to a renamed variable files (now rawFiles), causing a ReferenceError that crashes every scan.
|
Any update on this? Would be nice to have it in main so people (including me) can use this on Windows :) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On Windows, fast-glob returns paths with backslashes (packages\api\src...). Deepsec stores paths as repo-relative POSIX strings and assertSafeFilePath() rejects \ before reading/writing data//files/.json. The first matcher that touched file records (auth-bypass) hit that and crashed.
What changed
After globbing, paths are normalized with path.replace(/\/g, "/") (or equivalent) before they are stored in the per-pattern cache and used for:
path.join(root, relPath) reads (still correct on Windows),
readFileRecord / writeFileRecord and any code that enforces POSIX filePath invariants.
No behavior change on Unix: paths already use /.
How to verify
From a Windows checkout of a real monorepo:
pnpm deepsec scan --project-id <id>(or equivalent).Confirm the scan completes past regex matchers that upsert file records (e.g. auth-bypass), with no Invalid filePath: contains backslash error.
Verification