The browser-edge target builds its package artifact path with the raw Edge productId:
join(ctx.outDir, ${config.productId}-.zip)
If productId contains a path separator, e.g. ../edge-product, dry-run package plans and real build zip paths can point outside ctx.outDir. This is different from browser-firefox, which already sanitizes extension IDs before using them in artifact filenames.
Impact:
- generated package plans can reference artifacts outside the requested output directory
- real builds can write the zip outside ctx.outDir
- accidental or copied IDs containing separators produce surprising paths
Expected behavior: productId should still be preserved as metadata/API input, but filename use should be sanitized so generated artifacts remain under ctx.outDir.
I have a regression test/fix ready.
The browser-edge target builds its package artifact path with the raw Edge productId:
join(ctx.outDir, ${config.productId}-.zip)
If productId contains a path separator, e.g. ../edge-product, dry-run package plans and real build zip paths can point outside ctx.outDir. This is different from browser-firefox, which already sanitizes extension IDs before using them in artifact filenames.
Impact:
Expected behavior: productId should still be preserved as metadata/API input, but filename use should be sanitized so generated artifacts remain under ctx.outDir.
I have a regression test/fix ready.