sapient/oh-my-openagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(#2857): prevent npm scoped package paths from being resolved as skill paths

Browse Source 
resolveSkillPathReferences: add looksLikeFilePath() guard that requires
a file extension or trailing slash before resolving @scope/package
references. npm packages like @mycom/my_mcp_tools@beta were incorrectly
being rewritten to absolute paths in skill templates.

2 new tests.
This commit is contained in:
YeonGyu-Kim
2026-03-27 16:59:04 +09:00
parent c41e59e9ab
commit ec7a2e3eae
2 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/shared/skill-path-resolver.test.ts
View File

@@ -90,6 +90,30 @@ describe("resolveSkillPathReferences", () => {
expect(result).toBe("No path references here")
})
it("does not resolve npm scoped packages in commands", () => {
//#given
const content = "npx --package=@mycom/my_mcp_tools@beta cli my_cmd_tool XXX"
const basePath = "C:/Users/Admin/.config/opencode/skills/my_skills"
//#when
const result = resolveSkillPathReferences(content, basePath)
//#then
expect(result).toBe("npx --package=@mycom/my_mcp_tools@beta cli my_cmd_tool XXX")
})
it("does not resolve npm scoped packages without version suffix", () => {
//#given
const content = "npm install @angular/core @types/node"
const basePath = "/skills/frontend"
//#when
const result = resolveSkillPathReferences(content, basePath)
//#then
expect(result).toBe("npm install @angular/core @types/node")
})
it("handles basePath with trailing slash", () => {
//#given
const content = "@scripts/search.py"

12
src/shared/skill-path-resolver.ts
View File

@@ -1,10 +1,17 @@
import { join } from "path"
function looksLikeFilePath(path: string): boolean {
if (path.endsWith("/")) return true
const lastSegment = path.split("/").pop() ?? ""
return /\.[a-zA-Z0-9]+$/.test(lastSegment)
}
/**
* Resolves @path references in skill content to absolute paths.
*
* Matches @references that contain at least one slash (e.g., @scripts/search.py, @data/)
* to avoid false positives with decorators (@param), JSDoc tags (@ts-ignore), etc.
* Also skips npm scoped packages (@scope/package) by requiring a file extension or trailing slash.
*
* Email addresses are excluded since they have alphanumeric characters before @.
*/
@@ -12,6 +19,9 @@ export function resolveSkillPathReferences(content: string, basePath: string): s
const normalizedBase = basePath.endsWith("/") ? basePath.slice(0, -1) : basePath
return content.replace(
/(?<![a-zA-Z0-9])@([a-zA-Z0-9_-]+\/[a-zA-Z0-9_.\-\/]*)/g,
(_, relativePath: string) => join(normalizedBase, relativePath)
(match, relativePath: string) => {
if (!looksLikeFilePath(relativePath)) return match
return join(normalizedBase, relativePath)
}
)
}