Scoped package name causes S3 upload to fail

[andsmedeiros]

• Electron-Builder Version: 23.4.0

• Node Version: 16.13.0

• Electron Version: 19.0.8
• Electron Type (current, beta, nightly): current

• Target: nsis-web ia32/x64

Setting the name property in the package.json of an Electron project to a scoped value makes S3 upload fail, at least when targetting nsis-web. This seems to come from BuildAppPackage(). It calls get sanitizedName() that calls sanitizeFileName() that in turn invokes the sanitize-filename package with the package.json name property as parameter, all the way down.

According to this library, it does not strip the file name of "at" symbols (@) and AWS states that these might need special handling on application level. I'm not sure how electron-builder talks to AWS, but we might be forming URLs without proper escaping. I had no time to check on this further.

I logged args BaseS3Publisher and it corroborates my thesis. I have an application named @transform/heartfix and args is:

[
  'publish-s3',
  '--bucket',
  'heartfix-pc-releases',
  '--key',
  '@transformheartfix-1.0.0-alpha.0-ia32.nsis.7z',
  '--file',
  '[REDACTED]\\heartfix\\dist\\nsis-web\\@transformheartfix-1.0.0-alpha.0-ia32.nsis.7z',
  '--acl',
  'public-read'
]

Upload fails with expected argument for flag '--key' error message.

The artifacts' names should be properly sanitised, escaped or at least overridable via configuration.