fix: preserve user-defined npm_config_* env vars in lifecycle scripts#59
Conversation
|
Warning Review limit reached
More reviews will be available in 52 minutes and 32 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughIn ChangesmakeEnv env-var filter narrowing and auth key filtering
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoFix makeEnv filtering to preserve user-defined npm_config_* vars WalkthroughsDescription• Preserve user-defined npm_config_* variables when building lifecycle child environments. • Narrow env-var stripping to only remove regenerated npm_package_* keys. • Add regression test ensuring custom npm_config_* survives makeEnv(). Diagramgraph TD
A[("process.env")] --> B["makeEnv()"] --> C["Strip npm_package_*"] --> D["Child env"] --> E["Lifecycle scripts"]
High-Level AssessmentThe following are alternative approaches to this PR: 1. Allowlist specific npm_config_* variables
2. Re-introduce regenerating npm_config_* from opts.config
Recommendation: Keep the PR’s approach: makeEnv only needs to strip variables it regenerates (npm_package_). This minimizes behavior change, avoids resurrecting the removed opts.config→npm_config_ injection, and fixes the regression where user-defined npm_config_* values were silently dropped. File ChangesBug fix (1)
Tests (1)
|
2e48645 to
0c3e9c8
Compare
3fee7c3 to
61fb252
Compare
61fb252 to
4d3b8b0
Compare
|
I am unsure this is safe. Auth related env vars should still be stripped I believe. |
Preserving all non-npm_package_* vars from process.env would leak auth-related npm_config_* values (e.g. _auth, _authToken, _password, //registry/:_authToken) into every dependency's lifecycle script. Filter these out, mirroring npm's own env-export rule where config keys starting with _, /, or @ (or containing :_) are treated as private.
Apply the same private-key filter to pnpm_config_* as npm_config_*, since pnpm exports config under both prefixes. Also guard the scoped registry auth token form (//registry/:@scope:_authToken) with a test.
Interesting. Thanks a lot for patching and merging this PR, @zkochan! |
makeEnv()strips allnpm_* env vars fromprocess.envwhen building the child environment.This was fine before #55, which re-populated
npm_config_*fromopts.config. After #55 removed that, user-defined vars likenpm_config_platform_archare stripped and never restored.Fix: narrow the filter from
/^npm_/to/^npm_package_/, since those are the only ones makeEnv regenerates.Refs pnpm/pnpm#12399
Summary by CodeRabbit
npm_config_*entries (including platform architecture), while continuing to exclude only the appropriatenpm_package_*variables.npm_config_*keys (such as internal auth and registry/scope auth variants) so they aren’t propagated into the generated lifecycle environment.