fix(@callstack/licenses): sanitize unsafe characters in AboutLibraries license filenames

[alexisloiselle]

Summary

prepareAboutLibrariesLicenseField uses license.type verbatim as part of a filename written under android/config/licenses/ by writeAboutLibrariesNPMOutput. When a dependency declares a legacy SPDX expression like MIT/X11 (e.g. nub@0.0.0 or optimist), the unsanitized / causes the writer to attempt to create android/config/licenses/MIT/X11_<hash>.json. That fails with ENOENT because MIT/ is interpreted as a subdirectory that doesn't exist.

This PR sanitizes any character outside [A-Za-z0-9._-] to _ before constructing both the filename prefix and the sha512 input (when content is absent), so the prefix and hash stay consistent and the filename is always valid.

Repro

Without this fix, against @callstack/licenses@0.3.1:

// package.json depends on nub@0.0.0
const { scanDependencies, writeAboutLibrariesNPMOutput } = require('@callstack/licenses');

const licenses = scanDependencies('./package.json', () => ({
  includeTransitiveDependencies: true,
}));
writeAboutLibrariesNPMOutput(licenses, './android');

Throws:

ENOENT: no such file or directory, open
  '<cwd>/android/config/licenses/MIT/X11_<hash>.json'

After this PR, the same script writes android/config/licenses/MIT_X11_<hash>.json successfully, and libraryJsonPayload.licenses[0] matches licenseJsonPayload.hash.

Behaviour change

license.type	Before	After
MIT	MIT_<hash>	MIT_<hash> (unchanged)
Apache-2.0	Apache-2.0_<hash>	Apache-2.0_<hash> (unchanged)
MIT/X11	MIT/X11_<hash> (ENOENT on write)	MIT_X11_<hash>
(MIT OR Apache-2.0)	(MIT OR Apache-2.0)_<hash> (unsafe)	_MIT_OR_Apache-2.0__<hash>
LGPL-2.1-only WITH Classpath-exception-2.0	unchanged (unsafe)	LGPL-2.1-only_WITH_Classpath-exception-2.0_<hash>

The allowlist approach (vs. blocklisting just /()) is chosen because other compound SPDX expressions can also produce filenames that are invalid on some filesystems.

Why this matters

Without this fix, any project depending (even transitively) on a package with such a license expression will fail Android license metadata generation entirely (the first throw aborts the loop), or produce an incomplete android/config/licenses/ directory, leading to a missing or broken OSS notice screen.

Test plan

• Added unit tests in packages/licenses-api/src/node/utils/__tests__/packageUtils.test.ts:
  • Missing license type
  • Plain MIT
  • Legacy MIT/X11 (the reproduction case)
  • Compound (MIT OR Apache-2.0)
  • Hash consistency when content is absent (sanitized type is hashed, matching the prefix)
• yarn workspace @callstack/licenses test → 52 passing
• yarn typescript
• yarn lint:js

Checklist

• Added a changeset (patch bump for @callstack/licenses)
• Added unit tests
• Conventional commit message

[mateusz1913]

Hi @alexisloiselle, the changes look good, thanks! Is the PR ready to be undrafted?

[alexisloiselle]

Hi @alexisloiselle, the changes look good, thanks! Is the PR ready to be undrafted?

Yes! although I'm on my phone right now, will put ready for review whenever I get the chance!

[alexisloiselle]

@mateusz1913 Undrafted and ready to merge 🎉