From 75a997dd7cbd783490a2fda1a49a5b3cfd9ebbaf Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 21 Jun 2026 22:36:15 +0200
Subject: [PATCH] fix(scripts): reject short flag shrinkwrap refs

---
 scripts/generate-npm-shrinkwrap.mjs          |  6 +++---
 test/scripts/generate-npm-shrinkwrap.test.ts | 13 +++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/scripts/generate-npm-shrinkwrap.mjs b/scripts/generate-npm-shrinkwrap.mjs
index a611672aaf6..5cb88dbf119 100644
--- a/scripts/generate-npm-shrinkwrap.mjs
+++ b/scripts/generate-npm-shrinkwrap.mjs
@@ -1170,7 +1170,7 @@ function listCheckChangedPaths() {
   }
 }
 
-function resolvePackageDirs(args) {
+export function resolvePackageDirs(args) {
   const packageDirs = [];
   const check = args.includes("--check");
   const all = args.includes("--all");
@@ -1199,7 +1199,7 @@ function resolvePackageDirs(args) {
     }
     if (arg === "--package-dir") {
       const value = args[index + 1];
-      if (!value || value.startsWith("--")) {
+      if (!value || value.startsWith("-")) {
         throw new Error("--package-dir requires a package directory.");
       }
       packageDirs.push(path.resolve(ROOT_DIR, value));
@@ -1208,7 +1208,7 @@ function resolvePackageDirs(args) {
     }
     if (arg === "--base" || arg === "--head") {
       const value = args[index + 1];
-      if (!value || value.startsWith("--")) {
+      if (!value || value.startsWith("-")) {
         throw new Error(`${arg} requires a git ref.`);
       }
       index += 1;
diff --git a/test/scripts/generate-npm-shrinkwrap.test.ts b/test/scripts/generate-npm-shrinkwrap.test.ts
index 669ecdb5b10..237aca43e1c 100644
--- a/test/scripts/generate-npm-shrinkwrap.test.ts
+++ b/test/scripts/generate-npm-shrinkwrap.test.ts
@@ -16,6 +16,7 @@ import {
   pnpmLockOverrideVersionForVersions,
   parsePnpmPackageKey,
   parseLockPackagePath,
+  resolvePackageDirs,
   restoreCurrentPnpmLockedPackages,
   shouldUseLegacyPeerDepsForShrinkwrap,
   shrinkwrapPackageDirsForChangedPaths,
@@ -57,6 +58,18 @@ describe("generate-npm-shrinkwrap", () => {
     });
   });
 
+  it("rejects short flag package selectors before resolving shrinkwrap targets", () => {
+    expect(() => resolvePackageDirs(["--package-dir", "-h"])).toThrow(
+      "--package-dir requires a package directory.",
+    );
+    expect(() => resolvePackageDirs(["--changed", "--base", "-h"])).toThrow(
+      "--base requires a git ref.",
+    );
+    expect(() => resolvePackageDirs(["--changed", "--head", "-h"])).toThrow(
+      "--head requires a git ref.",
+    );
+  });
+
   it("accepts strict npm shrinkwrap command timeout and buffer overrides", () => {
     expect(
       createNpmShrinkwrapExecOptions({ command: "npm", args: ["install"] }, "/tmp/package", {