From 8eea585e11bc71898c404c88db629a8083c5ede2 Mon Sep 17 00:00:00 2001
From: Henry Heng
Date: Sat, 15 Nov 2025 13:12:44 +0000
Subject: [PATCH] Update utils.ts
---
 packages/components/src/utils.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/packages/components/src/utils.ts b/packages/components/src/utils.ts
index 3457382c1..df21ce36c 100644
--- a/packages/components/src/utils.ts
+++ b/packages/components/src/utils.ts
@@ -1516,7 +1516,13 @@ export const executeJavaScriptCode = async (
 
 // Install libraries
 for (const library of librariesToInstall) {
-await sbx.commands.run(`npm install ${library}`)
+// Validate library name to prevent command injection.
+const validPackageNameRegex = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
+if (validPackageNameRegex.test(library)) {
+await sbx.commands.run(`npm install ${library}`)
+} else {
+console.warn(`[Sandbox] Skipping installation of invalid module: ${library}`);
+}
 }
 
 // Separate imports from the rest of the code for proper ES6 module structure
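Review bot: The `else` branch only logs and continues, so when a library name is rejected the user's code still executes and fails later with a less informative module-not-found error from the sandbox; consider collecting the rejected names and failing explicitly before the code runs, e.g. `throw new Error(`[Sandbox] Invalid package name: ${library}`)`. The regex is loop-invariant and should be hoisted out of the `for` body as a module-level `const VALID_PACKAGE_NAME_REGEX = /…/` so it is not re-created on every iteration. It also rejects `name@version` specifiers, so a pinned version is silently skipped rather than installed — worth a comment such as `// Accepts bare npm package names only; version specifiers (pkg@1.2.3) are rejected.` Note that the check constrains only the syntax of what is interpolated into the shell command; it does not restrict which registry packages may be installed, and if `sbx.commands.run` accepts an argument array that form would avoid shell interpolation entirely. executeJavaScriptCode begins and ends outside this hunk.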