Explicitly clear Node.js runtime environment variables when spawning child processes

Author: JamesMessinger

src/npm-config.ts

@@ -4,6 +4,7 @@ import { promises as fs } from "fs";
 import { EOL } from "os";
 import { dirname } from "path";
 import { NormalizedOptions } from "./normalize-options";
+import { getNpmEnvironment } from "./npm-env";
 
 /**
  * Sets/updates the NPM config based on the options.
@@ -49,11 +50,14 @@ function updateConfig(config: string, { registry, debug }: NormalizedOptions): s
 /**
  * Gets the path of the NPM config file.
  */
-async function getNpmConfigPath({ debug }: NormalizedOptions): Promise<string> {
+async function getNpmConfigPath(options: NormalizedOptions): Promise<string> {
   try {
-    debug("Running command: npm config get userconfig");
+    // Get the environment variables to pass to NPM
+    let env = getNpmEnvironment(options);
 
-    let process = await ezSpawn.async("npm", "config", "get", "userconfig");
+    options.debug("Running command: npm config get userconfig");
+
+    let process = await ezSpawn.async("npm", "config", "get", "userconfig", { env });
     return process.stdout.trim();
   }
   catch (error) {

src/npm-env.ts

@@ -0,0 +1,25 @@
+import { NormalizedOptions } from "./normalize-options";
+
+/**
+ * Returns the environment variables that should be passed to NPM, based on the given options.
+ */
+export function getNpmEnvironment(options: NormalizedOptions): NodeJS.ProcessEnv {
+  /* eslint-disable @typescript-eslint/naming-convention */
+  let env: NodeJS.ProcessEnv = {
+    // Copy all the host's environment variables
+    ...process.env,
+
+    // Don't pass Node.js runtime variables to NPM
+    NODE_ENV: "",
+    NODE_OPTIONS: "",
+  };
+
+  // Determine if we need to set the NPM token
+  let needsToken = Boolean(options.token && process.env.INPUT_TOKEN !== options.token);
+
+  if (needsToken) {
+    env.INPUT_TOKEN = options.token;
+  }
+
+  return env;
+}

src/npm.ts

@@ -5,6 +5,7 @@ import { dirname, resolve } from "path";
 import { SemVer } from "semver";
 import { NormalizedOptions } from "./normalize-options";
 import { setNpmConfig } from "./npm-config";
+import { getNpmEnvironment } from "./npm-env";
 import { Manifest } from "./read-manifest";
 
 /**
@@ -70,17 +71,3 @@ export const npm = {
     }
   },
 };
-
-
-/**
- * Returns the environment variables that should be passed to NPM, based on the given options.
- */
-function getNpmEnvironment(options: NormalizedOptions): NodeJS.ProcessEnv | undefined {
-  // Determine if we need to set the NPM token
-  let needsToken = Boolean(options.token && process.env.INPUT_TOKEN !== options.token);
-
-  if (needsToken) {
-    // eslint-disable-next-line @typescript-eslint/naming-convention
-    return { ...process.env, INPUT_TOKEN: options.token };
-  }
-}

test/utils/exec.js

@@ -17,6 +17,7 @@ module.exports = {
       ...options,
       env: {
         ...process.env,
+        NODE_OPTIONS: "",
         INPUT_REGISTRY: "https://registry.npmjs.org/",
         INPUT_PACKAGE: "package.json",
         "INPUT_CHECK-VERSION": "true",