fix(@angular/build): prevent deleting parent directories of project root

Previously, the output path validation only checked for an exact match
against the project root. This allowed ancestor directories (e.g. ../
or ../../) to be used as the output path, which would silently delete
all their contents including source files.

Use path.relative() to detect when the output path is the project root
or any ancestor of it, and throw a descriptive error in both cases.

Fixes #6485

Author: pradhankukiran

packages/angular/build/src/utils/delete-output-dir.ts

@@ -7,7 +7,7 @@
  */
 
 import { readdir, rm } from 'node:fs/promises';
-import { join, resolve } from 'node:path';
+import { join, relative, resolve } from 'node:path';
 
 /**
  * Delete an output directory, but error out if it's the root of the project.
@@ -18,8 +18,11 @@ export async function deleteOutputDir(
   emptyOnlyDirectories?: string[],
 ): Promise<void> {
   const resolvedOutputPath = resolve(root, outputPath);
-  if (resolvedOutputPath === root) {
-    throw new Error('Output path MUST not be project root directory!');
+  const relativePath = relative(resolvedOutputPath, root);
+  if (!relativePath || !relativePath.startsWith('..')) {
+    throw new Error(
+      `Output path "${resolvedOutputPath}" MUST not be the project root directory or a parent of it!`,
+    );
   }
 
   const directoriesToEmpty = emptyOnlyDirectories

packages/angular/build/src/utils/delete-output-dir_spec.ts

@@ -0,0 +1,64 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import { mkdir, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { deleteOutputDir } from './delete-output-dir';
+
+describe('deleteOutputDir', () => {
+  let root: string;
+
+  beforeEach(async () => {
+    // Use a unique temp directory for each test
+    const { mkdtemp } = await import('node:fs/promises');
+    const { tmpdir } = await import('node:os');
+    root = await mkdtemp(join(tmpdir(), 'ng-test-'));
+  });
+
+  it('should throw when output path is the project root', async () => {
+    await expectAsync(deleteOutputDir(root, '.')).toBeRejectedWithError(
+      /MUST not be the project root directory or a parent of it/,
+    );
+  });
+
+  it('should throw when output path is a parent of the project root', async () => {
+    await expectAsync(deleteOutputDir(root, '..')).toBeRejectedWithError(
+      /MUST not be the project root directory or a parent of it/,
+    );
+  });
+
+  it('should throw when output path is a grandparent of the project root', async () => {
+    await expectAsync(deleteOutputDir(root, '../..')).toBeRejectedWithError(
+      /MUST not be the project root directory or a parent of it/,
+    );
+  });
+
+  it('should not throw when output path is a child of the project root', async () => {
+    const outputDir = join(root, 'dist');
+    await mkdir(outputDir, { recursive: true });
+    await writeFile(join(outputDir, 'old-file.txt'), 'content');
+
+    await expectAsync(deleteOutputDir(root, 'dist')).toBeResolved();
+  });
+
+  it('should delete contents of a valid output directory', async () => {
+    const outputDir = join(root, 'dist');
+    await mkdir(outputDir, { recursive: true });
+    await writeFile(join(outputDir, 'old-file.txt'), 'content');
+
+    await deleteOutputDir(root, 'dist');
+
+    const { readdir } = await import('node:fs/promises');
+    const entries = await readdir(outputDir);
+    expect(entries.length).toBe(0);
+  });
+
+  it('should not throw when output directory does not exist', async () => {
+    await expectAsync(deleteOutputDir(root, 'nonexistent')).toBeResolved();
+  });
+});