mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-05-18 13:51:38 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: escape shell arguments (#3956)

Browse Source 
close #3907

Co-authored-by: Zoltan Kochan <z@kochan.io>
This commit is contained in:
Li YuBei
2021-11-09 08:41:45 +08:00
committed by GitHub
parent 302ae4f6f1
commit fa03cbdc85
5 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.changeset/shaggy-buckets-fail.md Normal file
View File

@@ -0,0 +1,6 @@
---
"@pnpm/lifecycle": patch
"pnpm": patch
---
Escape the arguments that are passed to the scripts [#3907](https://github.com/pnpm/pnpm/issues/3907).

3
packages/lifecycle/src/runLifecycleHook.ts
View File

@@ -36,7 +36,8 @@ export default async function runLifecycleHook (
m.scripts.start = 'node server.js' m.scripts.start = 'node server.js'
} }
if (opts.args?.length && m.scripts?.[stage]) { if (opts.args?.length && m.scripts?.[stage]) {
m.scripts[stage] = `${m.scripts[stage]} ${opts.args.map((arg) => `"${arg}"`).join(' ')}` const escapedArgs = opts.args.map((arg) => JSON.stringify(arg))
m.scripts[stage] = `${m.scripts[stage]} ${escapedArgs.join(' ')}`
} }
// This script is used to prevent the usage of npm or Yarn. // This script is used to prevent the usage of npm or Yarn.
// It does nothing, when pnpm is used, so we may skip its execution. // It does nothing, when pnpm is used, so we may skip its execution.

6
packages/lifecycle/test/fixtures/escape-args/echo.sh vendored Normal file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/env node
const fs = require('fs');
const path = require('path');
fs.writeFileSync(path.join(__dirname, 'output.json'), JSON.stringify(process.argv.slice(2), null, 2))

7
packages/lifecycle/test/fixtures/escape-args/package.json vendored Normal file
View File

@@ -0,0 +1,7 @@
{
"name": "issue-3907",
"version": "1.0.0",
"scripts": {
"echo": "node echo.sh"
}
}

15
packages/lifecycle/test/index.ts
View File

@@ -22,6 +22,21 @@ test('runLifecycleHook()', async () => {
expect((await import(path.join(pkgRoot, 'output.json'))).default).toStrictEqual(['install']) expect((await import(path.join(pkgRoot, 'output.json'))).default).toStrictEqual(['install'])
}) })
test('runLifecycleHook() escapes the args passed to the script', async () => {
const pkgRoot = path.join(fixtures, 'escape-args')
const pkg = await import(path.join(pkgRoot, 'package.json'))
await runLifecycleHook('echo', pkg, {
depPath: '/escape-args/1.0.0',
pkgRoot,
rawConfig: {},
rootModulesDir,
unsafePerm: true,
args: ['Revert "feature (#1)"'],
})
expect((await import(path.join(pkgRoot, 'output.json'))).default).toStrictEqual(['Revert "feature (#1)"'])
})
test('runPostinstallHooks()', async () => { test('runPostinstallHooks()', async () => {
const pkgRoot = path.join(fixtures, 'with-many-scripts') const pkgRoot = path.join(fixtures, 'with-many-scripts')
rimraf.sync(path.join(pkgRoot, 'output.json')) rimraf.sync(path.join(pkgRoot, 'output.json'))