1 files changed, 17 insertions, 13 deletions

diff --git a/deps/npm/node_modules/tuf-js/dist/updater.js b/deps/npm/node_modules/tuf-js/dist/updater.js
index 7f8b6bedee..68243e554f 100644
--- a/deps/npm/node_modules/tuf-js/dist/updater.js
+++ b/deps/npm/node_modules/tuf-js/dist/updater.js
@@ -31,6 +31,7 @@ const config_1 = require("./config");
 const error_1 = require("./error");
 const fetcher_1 = require("./fetcher");
 const store_1 = require("./store");
+const url = __importStar(require("./utils/url"));
 class Updater {
     constructor(options) {
         const { metadataDir, metadataBaseUrl, targetDir, targetBaseUrl, fetcher, config, } = options;
@@ -75,12 +76,13 @@ class Updater {
         const consistentSnapshot = this.trustedSet.root.signed.consistentSnapshot;
         if (consistentSnapshot && this.config.prefixTargetsWithHash) {
             const hashes = Object.values(targetInfo.hashes);
-            const basename = path.basename(targetFilePath);
-            targetFilePath = `${hashes[0]}.${basename}`;
+            const { dir, base } = path.parse(targetFilePath);
+            const filename = `${hashes[0]}.${base}`;
+            targetFilePath = dir ? `${dir}/${filename}` : filename;
         }
-        const url = path.join(targetBaseUrl, targetFilePath);
+        const targetUrl = url.join(targetBaseUrl, targetFilePath);
         // Client workflow 5.7.3: download target file
-        await this.fetcher.downloadFile(url, targetInfo.length, async (fileName) => {
+        await this.fetcher.downloadFile(targetUrl, targetInfo.length, async (fileName) => {
             // Verify hashes and length of downloaded file
             await targetInfo.verify(fs.createReadStream(fileName));
             // Copy file to target path
@@ -116,10 +118,10 @@ class Updater {
         const lowerBound = rootVersion + 1;
         const upperBound = lowerBound + this.config.maxRootRotations;
         for (let version = lowerBound; version <= upperBound; version++) {
-            const url = path.join(this.metadataBaseUrl, `${version}.root.json`);
+            const rootUrl = url.join(this.metadataBaseUrl, `${version}.root.json`);
             try {
                 // Client workflow 5.3.3: download new root metadata file
-                const bytesData = await this.fetcher.downloadBytes(url, this.config.rootMaxLength);
+                const bytesData = await this.fetcher.downloadBytes(rootUrl, this.config.rootMaxLength);
                 // Client workflow 5.3.4 - 5.4.7
                 this.trustedSet.updateRoot(bytesData);
                 // Client workflow 5.3.8: persist root metadata file
@@ -142,9 +144,9 @@ class Updater {
             // continue
         }
         //Load from remote (whether local load succeeded or not)
-        const url = path.join(this.metadataBaseUrl, `timestamp.json`);
+        const timestampUrl = url.join(this.metadataBaseUrl, 'timestamp.json');
         // Client workflow 5.4.1: download timestamp metadata file
-        const bytesData = await this.fetcher.downloadBytes(url, this.config.timestampMaxLength);
+        const bytesData = await this.fetcher.downloadBytes(timestampUrl, this.config.timestampMaxLength);
         try {
             // Client workflow 5.4.2 - 5.4.4
             this.trustedSet.updateTimestamp(bytesData);
@@ -178,10 +180,10 @@ class Updater {
             const version = this.trustedSet.root.signed.consistentSnapshot
                 ? snapshotMeta.version
                 : undefined;
-            const url = path.join(this.metadataBaseUrl, version ? `${version}.snapshot.json` : `snapshot.json`);
+            const snapshotUrl = url.join(this.metadataBaseUrl, version ? `${version}.snapshot.json` : 'snapshot.json');
             try {
                 // Client workflow 5.5.1: download snapshot metadata file
-                const bytesData = await this.fetcher.downloadBytes(url, maxLength);
+                const bytesData = await this.fetcher.downloadBytes(snapshotUrl, maxLength);
                 // Client workflow 5.5.2 - 5.5.6
                 this.trustedSet.updateSnapshot(bytesData);
                 // Client workflow 5.5.7: persist snapshot metadata file
@@ -213,10 +215,10 @@ class Updater {
             const version = this.trustedSet.root.signed.consistentSnapshot
                 ? metaInfo.version
                 : undefined;
-            const url = path.join(this.metadataBaseUrl, version ? `${version}.${role}.json` : `${role}.json`);
+            const metadataUrl = url.join(this.metadataBaseUrl, version ? `${version}.${role}.json` : `${role}.json`);
             try {
                 // Client workflow 5.6.1: download targets metadata file
-                const bytesData = await this.fetcher.downloadBytes(url, maxLength);
+                const bytesData = await this.fetcher.downloadBytes(metadataUrl, maxLength);
                 // Client workflow 5.6.2 - 5.6.6
                 this.trustedSet.updateDelegatedTargets(bytesData, role, parentRole);
                 // Client workflow 5.6.7: persist targets metadata file
@@ -291,7 +293,9 @@ class Updater {
         if (!this.targetDir) {
             throw new error_1.ValueError('Target directory not set');
         }
-        return path.join(this.targetDir, targetInfo.path);
+        // URL encode target path
+        const filePath = encodeURIComponent(targetInfo.path);
+        return path.join(this.targetDir, filePath);
     }
     async persistMetadata(metaDataName, bytesData) {
         try {