fix(create): sanitize URL host before using it as a cache path segment

fengmk2 · fengmk2 · commit 7cdcde4a25f7 · 2026-04-25T17:45:15.000+08:00
Codex review (high): `getExtractionDir` joined `new URL(...).host` verbatim into `~/.vite-plus/tmp/create-org/<host>/...`. Hosts can carry a port (`localhost:4873`) or an IPv6 literal (`[::1]:4873`), both of which contain `:` / `[` / `]` — characters Windows refuses in path segments. The first `vp create @your-org:foo` against a non-default-port registry would fail with `EINVAL` on `mkdir`. Add a `sanitizeHostForPath(host)` helper that replaces the Windows- illegal characters (`\ / : * ? " < > |` plus `[ ]`) with `_`, and route the cache path through it. Exported for direct testing; three new unit tests cover the plain hostname, the port colon, and the IPv6 bracketed form. Codex's other finding (P2: `create.defaultTemplate` not discovered from a non-monorepo nested invocation) is the deferred behavior the user explicitly chose to leave as-is in this PR — see commit c83d0634. Skip per that earlier directive.
diff --git a/packages/cli/src/create/__tests__/org-tarball.spec.ts b/packages/cli/src/create/__tests__/org-tarball.spec.ts
@@ -9,6 +9,7 @@ import {
   normalizeEntryName,
   parseEntryMode,
   resolveBundledPath,
+  sanitizeHostForPath,
 } from '../org-tarball.js';
 
 describe('resolveBundledPath', () => {
@@ -87,6 +88,21 @@ describe('normalizeEntryName', () => {
   });
 });
 
+describe('sanitizeHostForPath', () => {
+  it('passes through plain hostnames untouched', () => {
+    expect(sanitizeHostForPath('registry.npmjs.org')).toBe('registry.npmjs.org');
+    expect(sanitizeHostForPath('private.example.com')).toBe('private.example.com');
+  });
+
+  it('replaces the port `:` so the cache path is valid on Windows', () => {
+    expect(sanitizeHostForPath('localhost:4873')).toBe('localhost_4873');
+  });
+
+  it('strips IPv6 brackets and colons from the literal', () => {
+    expect(sanitizeHostForPath('[::1]:4873')).toBe('___1__4873');
+  });
+});
+
 describe('parseEntryMode', () => {
   it('parses octal `755` as 0o755', () => {
     expect(parseEntryMode('755')).toBe(0o755);
diff --git a/packages/cli/src/create/org-tarball.ts b/packages/cli/src/create/org-tarball.ts
@@ -13,6 +13,16 @@ function getCacheRoot(): string {
   return path.join(home, 'tmp', 'create-org');
 }
 
+/**
+ * Replace characters that are illegal in Windows path segments
+ * (`\ / : * ? " < > |` plus the IPv6 bracket pair `[ ]`). The host
+ * comes from `new URL(...).host` which can carry a port (`:4873`) or
+ * IPv6 literal (`[::1]`); both end up in the cache path otherwise.
+ */
+export function sanitizeHostForPath(host: string): string {
+  return host.replaceAll(/[\\/:*?"<>|[\]]/g, '_');
+}
+
 /**
  * Cache extracted tarballs under `<host>/<scope>/create/<version>` so two
  * repos resolving the same `<scope>@<version>` through different registries
@@ -22,7 +32,13 @@ function getCacheRoot(): string {
  */
 function getExtractionDir(manifest: OrgManifest): string {
   const { host } = new URL(manifest.tarballUrl);
-  return path.join(getCacheRoot(), host, manifest.scope, 'create', manifest.version);
+  return path.join(
+    getCacheRoot(),
+    sanitizeHostForPath(host),
+    manifest.scope,
+    'create',
+    manifest.version,
+  );
 }
 
 function parseIntegrity(integrity: string): { algorithm: string; expected: string } | null {
