fix: add error handling and validation for critical operations

- Add try-catch for JSON.parse in release and package scripts to prevent crashes
- Add array validation in update-manifest to handle malformed entries
- Fix indexOf edge case in git.mjs to prevent package name truncation

Resolves quality scan critical issues #1, #2, #5, #7, #8, #9 (JSON.parse crashes, array access, indexOf bug).

Author: jdalton

scripts/npm/release-npm-packages.mjs

@@ -76,7 +76,14 @@ async function getLocalPackageFileHashes(packagePath) {
   // Read package.json to get files field.
   const pkgJsonPath = path.join(packagePath, PACKAGE_JSON)
   const pkgJsonContent = await readFileUtf8(pkgJsonPath)
-  const pkgJson = JSON.parse(pkgJsonContent)
+  let pkgJson
+  try {
+    pkgJson = JSON.parse(pkgJsonContent)
+  } catch (e) {
+    throw new Error(`Failed to parse package.json at ${pkgJsonPath}`, {
+      cause: e,
+    })
+  }
   const filesPatterns = pkgJson.files || []
 
   // Always include package.json.
@@ -182,7 +189,14 @@ async function getRemotePackageFileHashes(spec) {
 
             if (entry.name === PACKAGE_JSON) {
               // For package.json, hash only relevant fields (not version).
-              const pkgJson = JSON.parse(content)
+              let pkgJson
+              try {
+                pkgJson = JSON.parse(content)
+              } catch (e) {
+                throw new Error(`Failed to parse package.json at ${fullPath}`, {
+                  cause: e,
+                })
+              }
               const exportsValue = pkgJson.exports
               const relevantData = {
                 dependencies: toSortedObject(pkgJson.dependencies ?? {}),

scripts/npm/update-manifest.mjs

@@ -190,7 +190,8 @@ async function addNpmManifestData(manifest, options) {
 
   const latestIndexes = []
   for (let i = 0, { length } = manifestData; i < length; i += 1) {
-    if (manifestData[i][0].endsWith(AT_LATEST)) {
+    const entry = manifestData[i]
+    if (Array.isArray(entry) && entry[0]?.endsWith?.(AT_LATEST)) {
       latestIndexes.push(i)
     }
   }

scripts/utils/git.mjs

@@ -51,9 +51,10 @@ function innerGetPackages(eco, files, options) {
       if (eco === NPM && filepath.startsWith(REL_REGISTRY_PKG_PATH)) {
         sockRegPkgName = '../../registry/dist/index.js'
       } else {
+        const slashIndex = filepath.indexOf('/', sliceStart)
         sockRegPkgName = filepath.slice(
           sliceStart,
-          filepath.indexOf('/', sliceStart),
+          slashIndex === -1 ? undefined : slashIndex,
         )
       }
       packageNames.add(sockRegPkgName)

scripts/utils/package.mjs

@@ -396,7 +396,14 @@ async function installPackageForTesting(sourcePath, packageName, options = {}) {
 
     // Merge back the test scripts and devDependencies if they existed.
     const pkgJsonPath = path.join(installedPath, 'package.json')
-    const pkgJson = JSON.parse(await fs.readFile(pkgJsonPath, 'utf8'))
+    let pkgJson
+    try {
+      pkgJson = JSON.parse(await fs.readFile(pkgJsonPath, 'utf8'))
+    } catch (e) {
+      throw new Error(`Failed to parse package.json at ${pkgJsonPath}`, {
+        cause: e,
+      })
+    }
 
     // Preserve devDependencies from original (only when we installed from npm).
     if (versionSpec && originalDevDependencies) {