From 8389a29e7a5bdff6411c0aca5f5d5a42417d64ef Mon Sep 17 00:00:00 2001
From: techchrism
Date: Sun, 19 Nov 2023 22:15:17 -0800
Subject: [PATCH 1/2] fix: prevent yarn directory traversal on plugin installation
fixes #4041
---
 packages/insomnia/src/main/install-plugin.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/insomnia/src/main/install-plugin.ts b/packages/insomnia/src/main/install-plugin.ts
index b72b7411ad5..f09e9605ab9 100644
--- a/packages/insomnia/src/main/install-plugin.ts
+++ b/packages/insomnia/src/main/install-plugin.ts
@@ -1,4 +1,4 @@
-import { cp, mkdir, readdir, stat } from 'node:fs/promises';
+import { cp, mkdir, readdir, stat, writeFile } from 'node:fs/promises';
 import childProcess from 'child_process';
 import * as electron from 'electron';
@@ -160,6 +160,8 @@ async function _installPluginToTmpDir(lookupName: string) {
 return new Promise<{ tmpDir: string }>(async (resolve, reject) => {
 const tmpDir = path.join(electron.app.getPath('temp'), `${lookupName}-${Date.now()}`);
 await mkdir(tmpDir, { recursive: true });
+ // Write a dummy package.json so that yarn doesn't traverse up the directory tree
+ await writeFile(path.join(tmpDir, 'package.json'), JSON.stringify({license: 'ISC', workspaces: []}), 'utf-8');
 console.log(`[plugins] Installing plugin to ${tmpDir}`);
 childProcess.execFile(
@@ -176,6 +178,7 @@ async function _installPluginToTmpDir(lookupName: string) {
 '--no-lockfile',
 '--production',
 '--no-progress',
+ '--ignore-workspace-root-check',
 ],
 {
 timeout: 5 * 60 * 1000,
From 35b0626984f8d78c21ebe0b76281389ca0b6fcbc Mon Sep 17 00:00:00 2001
From: techchrism
Date: Wed, 22 Nov 2023 20:33:00 -0800
Subject: [PATCH 2/2] fix: fix code formatting in `install-plugin.ts`
---
 packages/insomnia/src/main/install-plugin.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/insomnia/src/main/install-plugin.ts b/packages/insomnia/src/main/install-plugin.ts
index f09e9605ab9..f73205def5f 100644
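Review bot: The new `await writeFile(...)` in the second hunk is another call that can throw inside the `async` executor handed to `new Promise<{ tmpDir: string }>(async (resolve, reject) => {`, so a failure such as a permission error on the temp directory becomes an unhandled rejection and the returned promise never settles instead of rejecting to the caller; the existing `await mkdir` has the same weakness and the fix makes it more likely to be hit. Since `_installPluginToTmpDir` is already `async`, the directory and manifest setup can run before the promise is constructed so rejections propagate normally, as sketched below; this assumes no other `await` remains in the executor, whose body continues past the hunk. The comment would also serve future readers better if it named what it prevents and linked the issue, e.g. `// Dummy manifest: stops yarn from searching parent directories for a project/workspace root (#4041)`. Separately, `tmpDir` is built from `lookupName` with no validation visible here; unless the name is checked against the package-name grammar before this function (not shown), path separators or `..` segments in it would move the manifest and the yarn run outside the intended temp directory, which is worth asserting at the entry point.
```typescript
async function _installPluginToTmpDir(lookupName: string) {
  const tmpDir = path.join(electron.app.getPath('temp'), `${lookupName}-${Date.now()}`);
  await mkdir(tmpDir, { recursive: true });
  // Dummy manifest: stops yarn from searching parent directories for a project/workspace root (#4041)
  await writeFile(path.join(tmpDir, 'package.json'), JSON.stringify({ license: 'ISC', workspaces: [] }), 'utf-8');
  console.log(`[plugins] Installing plugin to ${tmpDir}`);

  return new Promise<{ tmpDir: string }>((resolve, reject) => {
    childProcess.execFile(
      // … unchanged: yarn invocation, options and callback …
```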
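Review bot: `'--ignore-workspace-root-check'` in the third hunk carries no comment, and its reason lives in a different hunk: the dummy package.json written into tmpDir declares `workspaces: []`, which presumably makes yarn treat tmpDir as a workspace root and refuse to add a package there without this flag. A one-line comment above it, `// Needed because the dummy package.json in tmpDir declares workspaces: [] (see #4041)`, keeps the flag and the manifest field from being removed independently of each other. This option belongs to yarn classic as far as I know; if the yarn binary the app drives is ever upgraded to a version that does not accept it, the install would fail at argument parsing, so a test that installs a plugin with the temp directory placed under a parent holding a package.json with a workspaces field would guard both halves of the fix. The argument array and the execFile call begin outside the hunk.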
--- a/packages/insomnia/src/main/install-plugin.ts
+++ b/packages/insomnia/src/main/install-plugin.ts
@@ -161,7 +161,7 @@ async function _installPluginToTmpDir(lookupName: string) {
 const tmpDir = path.join(electron.app.getPath('temp'), `${lookupName}-${Date.now()}`);
 await mkdir(tmpDir, { recursive: true });
 // Write a dummy package.json so that yarn doesn't traverse up the directory tree
- await writeFile(path.join(tmpDir, 'package.json'), JSON.stringify({license: 'ISC', workspaces: []}), 'utf-8');
+ await writeFile(path.join(tmpDir, 'package.json'), JSON.stringify({ license: 'ISC', workspaces: [] }), 'utf-8');
 console.log(`[plugins] Installing plugin to ${tmpDir}`);
 childProcess.execFile(