fix(@angular/cli): improve resiliency of local package discovery

Author: clydin

packages/angular/cli/lib/init.ts

@@ -59,9 +59,28 @@ if (process.env['NG_CLI_PROFILING']) {
   process.on('uncaughtException', () => exitHandler({ exit: true }));
 }
 
+const isInside = (base: string, potential: string): boolean => {
+  const absoluteBase = path.resolve(base);
+  const absolutePotential = path.resolve(potential);
+  const relativePotential = path.relative(absoluteBase, absolutePotential);
+  if (!relativePotential.startsWith('..') && !path.isAbsolute(relativePotential)) {
+    return true;
+  }
+
+  return false;
+};
+
 let cli;
 try {
-  const projectLocalCli = require.resolve('@angular/cli', { paths: [ process.cwd() ]});
+  const projectLocalCli = require.resolve(
+    '@angular/cli',
+    { paths: [ path.join(process.cwd(), 'node_modules'), process.cwd() ]},
+  );
+
+  const isGlobal = isInside(path.join(__dirname, '..'), projectLocalCli);
+  if (isGlobal) {
+    throw new Error();
+  }
 
   // This was run from a global, check local version.
   const globalVersion = new SemVer(packageJson['version']);

packages/angular/cli/upgrade/version.ts

@@ -33,9 +33,30 @@ export class Version {
   static assertCompatibleAngularVersion(projectRoot: string) {
     let angularPkgJson;
     let rxjsPkgJson;
+
+    const isInside = (base: string, potential: string): boolean => {
+      const absoluteBase = path.resolve(base);
+      const absolutePotential = path.resolve(potential);
+      const relativePotential = path.relative(absoluteBase, absolutePotential);
+      if (!relativePotential.startsWith('..') && !path.isAbsolute(relativePotential)) {
+        return true;
+      }
+
+      return false;
+    };
+
     try {
-      angularPkgJson = requireProjectModule(projectRoot, '@angular/core/package.json');
-      rxjsPkgJson = requireProjectModule(projectRoot, 'rxjs/package.json');
+      const resolveOptions = { paths: [ path.join(projectRoot, 'node_modules'), projectRoot ] };
+      const angularPackagePath = require.resolve('@angular/core/package.json', resolveOptions);
+      const rxjsPackagePath = require.resolve('rxjs/package.json', resolveOptions);
+
+      if (!isInside(projectRoot, angularPackagePath)
+          || !isInside(projectRoot, rxjsPackagePath)) {
+        throw new Error();
+      }
+
+      angularPkgJson = require(angularPackagePath);
+      rxjsPkgJson = require(rxjsPackagePath);
     } catch {
       console.error(terminal.bold(terminal.red(tags.stripIndents`
         You seem to not be depending on "@angular/core" and/or "rxjs". This is an error.