From 5e7c44a3211dc8b1bb0b6d3d4764f8fd0b8c665b Mon Sep 17 00:00:00 2001
From: Andrew Kelley <andrew@ziglang.org>
Date: Sun, 8 Oct 2023 17:42:49 -0700
Subject: [PATCH] Package.Fetch: tighten up check for path outside root

---
 src/Package/Fetch.zig    | 4 +++-
 src/Package/Manifest.zig | 3 +--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Package/Fetch.zig b/src/Package/Fetch.zig
index 373ab5be78..8fe1627dbc 100644
--- a/src/Package/Fetch.zig
+++ b/src/Package/Fetch.zig
@@ -257,7 +257,9 @@ pub fn run(f: *Fetch) RunError!void {
                 f.hash_tok,
                 try eb.addString("path-based dependencies are not hashed"),
             );
-            if (std.mem.startsWith(u8, pkg_root.sub_path, "../")) {
+            if (std.mem.startsWith(u8, pkg_root.sub_path, "../") or
+                std.mem.eql(u8, pkg_root.sub_path, ".."))
+            {
                 return f.fail(
                     f.location_tok,
                     try eb.printString("dependency path outside project: '{}{s}'", .{
diff --git a/src/Package/Manifest.zig b/src/Package/Manifest.zig
index 7fce7c8bcb..de1870ea75 100644
--- a/src/Package/Manifest.zig
+++ b/src/Package/Manifest.zig
@@ -318,8 +318,7 @@ const Parse = struct {
 
         for (array_init.ast.elements) |elem_node| {
             const path_string = try parseString(p, elem_node);
-            const normalized = try std.fs.path.resolve(p.arena, &.{path_string});
-            try p.paths.put(p.gpa, normalized, {});
+            try p.paths.put(p.gpa, path_string, {});
         }
     }