warn for or forbid `volta install 10`

[bakkot]

Coming from nvm, I've repeatedly found myself doing volta install 10 intending to install node@10. Instead, that installs some random package. I expect it runs that project's install script, too, meaning that it's also running arbitrary code on my computer.

That seems bad.

I think it would be worth having the CLI stop you from doing this, or at least make you confirm that it's what you really wanted. That is, concretely, the CLI should have a warning when the package name starts with a decimal digit and there is no specified @ version number.

(Even better would be if the CLI had different syntax for installing node vs installing random packages. It seems bad to overload install so much.)

[charlespierce]

Hi @bakkot, thanks for the suggestion! We actually do have some logic to handle the case when someone does <package> <version>, e.g. volta install node 10, since that used to be our syntax in the early days.

I suspect we can repurpose some of that to handle the volta install <version-like> case for specifically this reason. @chriskrycho I think you did the initial logic for volta install <package> <version-like>, do you have a sense for how difficult it would be to also handle volta install <version-like> as an error?

[chriskrycho]

It had been long enough that I no longer had a sense, so I looked it up when I implemented it. The key bits are:

• implementing the version parsing, as part of implementing RFC: update version handling. rfcs#32
• providing error cases for e.g. volta install node 10, which expanded on the logic introduced in the section linked above to provide useful errors

[carycodes]

Another possibility: my gut reaction (which admittedly is probably based in part on nvm "muscle memory") is that volta install <version-like> should not be an error--it should be interpreted as a shortcut for volta install node@<version-like>. Installing/changing versions of node is, I'd think, what people will be doing 90+% of the time.

[chriskrycho]

Two notes:

• In practice I haven’t found that to be true. I am just as likely to be setting an npm or Yarn version as a Node version, and packages are actually a pretty close second.
• Even if it were true, volta install 10 has a concrete meaning with Volta’s semantics, which would be a breaking change to alter.

Adding a warning, error, or even an interactive prompt with special handling for a version-like name in the install position seems like the least bad option here.

[carycodes]

I think I'd be fine with it being an error. A warning would not be enough. I agree with @bakkot that it's a meaningful security risk as-is, and a breaking change of some form is necessary.

[bakkot]

While it is technically a breaking change to make this an error, I very much doubt anyone has ever done volta install <version-like> actually intending to install the npm package named <version-like>.

(An error or interactive prompt with default "no" works for me, though I think the interactive prompt is overkill.)

[chriskrycho]

Sorry, I was unclear! I meant that changing the overall semantics of volta install would be a serious breaking change we want to avoid—but adding a special case for this, while technically breaking, I think is probably fine, because I agree!

[bakkot]

I'd be happy to submit a quick PR making this an error, if you'd like. (Edit: done.)