fix: prevent arbitrary code execution from node_modules directory

Tygo-van-den-Hurk · Tygo-van-den-Hurk · commit e4c215b061e4 · 2026-02-16T15:13:18.000+01:00
Before this patch any JavaScript files matching the globs:
`**/*.plugins.{js,mjs}`, `**/*.plugin.{js,mjs}`, or `**/*.slyde.{js,mjs}`
would be imported automatically. Which includes the `node_modules` folder.
Which means that any malicious package with a `*.slyde.js` file could have
arbitrary code execution by being installed and have the user run slyde in
a parent directory.
diff --git a/src/commands/base.ts b/src/commands/base.ts
@@ -38,13 +38,7 @@ export const cli = yargs(hideBin(process.argv))
     alias: 'p',
     array: true,
     coerce: (value: readonly string[]) => FastGlob.sync([...value]),
-    default: [
-      'plugins/**.{js,mjs}',
-      'slyde/**.{js,mjs}',
-      '**/*.plugins.{js,mjs}',
-      '**/*.plugin.{js,mjs}',
-      '**/*.slyde.{js,mjs}',
-    ] as string[],
+    default: ['plugins/**.slyde.{js,mjs}'] as string[],
     description: 'A directory or file to import and use as custom tags',
     type: 'string',
   })
