fix(@angular/cli): quote complex range specifiers in package manager

Complex range specifiers that include shell special characters (e.g., '>', '<') can be misinterpreted when not quoted. This change ensures that version ranges are always enclosed in quotes to prevent such issues.

A test case has been added to verify that complex specifiers are handled correctly.

Author: clydin

packages/angular/cli/src/package-managers/package-manager.ts

@@ -34,7 +34,7 @@ const METADATA_FIELDS = ['name', 'dist-tags', 'versions', 'time'] as const;
  * This is a performance optimization to avoid downloading unnecessary data.
  * These fields are the ones required by the CLI for operations like `ng add` and `ng update`.
  */
-const MANIFEST_FIELDS = [
+export const MANIFEST_FIELDS = [
   'name',
   'version',
   'deprecated',
@@ -444,7 +444,7 @@ export class PackageManager {
     version: string,
     options: { timeout?: number; registry?: string; bypassCache?: boolean } = {},
   ): Promise<PackageManifest | null> {
-    const specifier = `${packageName}@${version}`;
+    const specifier = `${packageName}@"${version}"`;
     const commandArgs = [...this.descriptor.getManifestCommand, specifier];
     const formatter = this.descriptor.viewCommandFieldArgFormatter;
     if (formatter) {

packages/angular/cli/src/package-managers/package-manager_spec.ts

@@ -7,7 +7,7 @@
  */
 
 import { Host } from './host';
-import { PackageManager } from './package-manager';
+import { MANIFEST_FIELDS, PackageManager } from './package-manager';
 import { SUPPORTED_PACKAGE_MANAGERS } from './package-manager-descriptor';
 import { MockHost } from './testing/mock-host';
 
@@ -22,6 +22,22 @@ describe('PackageManager', () => {
     host.runCommand = runCommandSpy;
   });
 
+  describe('getRegistryManifest', () => {
+    it('should quote complex range specifiers', async () => {
+      const pm = new PackageManager(host, '/tmp', descriptor);
+      const manifest = { name: 'foo', version: '1.0.0' };
+      runCommandSpy.and.resolveTo({ stdout: JSON.stringify(manifest), stderr: '' });
+
+      await pm.getRegistryManifest('foo', '>=1.0.0 <2.0.0');
+
+      expect(runCommandSpy).toHaveBeenCalledWith(
+        descriptor.binary,
+        [...descriptor.getManifestCommand, 'foo@">=1.0.0 <2.0.0"', ...MANIFEST_FIELDS],
+        jasmine.anything(),
+      );
+    });
+  });
+
   describe('getVersion', () => {
     it('should fetch the version from the package manager if not cached', async () => {
       const pm = new PackageManager(host, '/tmp', descriptor);