Reject symbolic links in build zip path

[riderx]

This PR updates build zipping to handle symbolic links safely.
It now avoids hard-failing by skipping dangling symlinks during directory traversal instead of crashing the zip.
Relevant symlinked node_modules package paths are still included when required by native dependency filtering.
Test coverage was updated in test/test-build-zip-filter.mjs with a pnpm-style symlinked package fixture and a dangling-symlink regression case.
Files changed: src/build/request.ts, test/test-build-zip-filter.mjs.

[coderabbitai]

📝 Walkthrough

Walkthrough

Changes add symlink detection and handling to the directory traversal logic used when building ZIP files. Symbolic links are now identified via lstatSync and skipped when they shouldn't be recursed into, preventing traversal errors and unintended symlink following.

Changes

Cohort / File(s)	Summary
Symlink Handling in ZIP Building src/build/request.ts	Extended filesystem imports to include lstatSync for symlink detection. Added checks to skip symlinks in two places: before recursing into directories and when processing files. Refactored to reuse precomputed shouldInclude value instead of recomputing shouldIncludeFile for recursion decisions.
Symlink Test Coverage test/test-build-zip-filter.mjs	Added new test case for symlinked pnpm-style node_modules packages. Imports symlinkSync from node:fs to create symlinked test artifacts and verify they are correctly included in generated ZIP files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix: handle pnpm node_modules paths in native build zip #502: Modifies zipDirectory flow to add pnpm path normalization and rewrites alongside symlink handling logic
• Cloud build: honor android.path/ios.path #489: Modifies directory-walking and file-inclusion logic in src/build/request.ts with changes to shouldIncludeFile and addDirectoryToZip traversal behavior

Poem

🐰 Symlinks once caused confusion and strife,
But now we detect them with lstatSync's light,
Skip them with care, don't recurse where we shouldn't,
The ZIP builds more safely than ever it could! 🎁✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Reject symbolic links in build zip path' directly and accurately describes the main change: handling symbolic links in the build zipping logic by detecting and skipping them appropriately.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch riderx/fix-capgo-symlink-zip

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd4beb0f6f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exclude symlinks instead of aborting directory zipping

Throwing on any symbolic link at this point causes native builds to fail for pnpm-based projects, where node_modules/<package> paths are symlinks by design. Because the check runs before the existing include/filter logic, recursing into node_modules now aborts with Refusing to include symbolic link... instead of packaging required native dependencies, which is a regression for a supported package-manager layout.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/build/request.ts`:
- Around line 710-713: When a symlink is detected (using lstatSync and
lstats.isSymbolicLink()) statSync(itemPath) can throw ENOENT for dangling links;
modify the logic around statSync in the block that computes stats so that you
catch errors from statSync, detect ENOENT, and treat that case as a broken
symlink to be skipped (i.e., set stats to null/undefined or continue to skip
adding the entry) before calling shouldIncludeFile(itemZipPath, platform,
nativeDeps, platformDir); ensure you only call shouldIncludeFile when stats is
valid and reference lstatSync, statSync, isSymbolicLink, itemPath, and
shouldIncludeFile to locate the exact spot to add the try/catch and skip
behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84503129-d202-4012-beee-a09fba4f0e8d

📥 Commits

Reviewing files that changed from the base of the PR and between 9b3eb3a and 5b73ad6.

📒 Files selected for processing (2)

• src/build/request.ts
• test/test-build-zip-filter.mjs

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud