Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Modules run via npx interpret strings that look like environment variables #3600

Closed
1 task done
YodaDaCoda opened this issue Aug 3, 2021 · 3 comments · Fixed by npm/run-script#78
Closed
1 task done
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 7.x work is associated with a specific npm 7 release

Comments

@YodaDaCoda
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

npm exec is interpreting argv strings that look like environment variables. Passing, for example, test$param results in test being passed to the module (because param is not defined in the environment).

Expected Behavior

Strings passed should not be interpreted.

Steps To Reproduce

  1. Issue occurs with this environment:
    npm >=v7.1.0.
    Earlier versions are unaffected.
    Installed node version doesn't appear to matter (tested with various v14/v15/v16 releases)

  2. With this config
    a file in node_modules/.bin/testington with this content:

#!/usr/bin/env node
console.log(process.argv[2]);
  1. Run '...'

Note proper quotes used to avoid bash interpreting the string.

$ npm exec testington 'test$param'
test
$ export param=asdf
$ npm exec testington 'test$param'
testasdf
  1. See error...

Note that npx intereprets environment variables within the string before they reach the module.

Environment

  • OS: Ubuntu 20.04
  • Node: v16.6.0
  • npm: 7.1.0
@YodaDaCoda YodaDaCoda added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Aug 3, 2021
@ljharb
Copy link
Contributor

ljharb commented Aug 3, 2021

Are you sure that’s not your shell doing it?

@YodaDaCoda
Copy link
Author

YodaDaCoda commented Aug 3, 2021

Positive. This snippet from my console demonstrates the behaviour change. I'm using volta for convenience bisecting, but I am able to replicate this on systems without volta.

$ volta install npm@7.1.0
success: installed and set npm@7.1.0 as default
$ npx --version
7.1.0
$ npx testington 'test$param'
test
$ volta install npm@7.0.15
success: installed and set npm@7.0.15 as default
$ npx --version
7.0.15
$ npx testington 'test$param'
test$param

EDIT: or, if it is the shell interpreting it, it's because npm/npx is passing around the params in an unsafe way.

@egorkel-da14
Copy link

I have similar problem with setting firebase functions config.
When I execute npx firebase functions:config:set settings.var='abc$123' then settings.var='abc'
If I use firebase functions:config:set settings.var='abc$123' (without npx) then settings.var='abc$123'
My npx version 7.20.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 7.x work is associated with a specific npm 7 release
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants