
Secure brew bundle npm installs#22405

Open
MikeMcQuaid wants to merge 1 commit into main from bundle-npm-secure-install

Conversation

@MikeMcQuaid
Member

  • Reuse Language::Node.local_npm_install_args so brew bundle npm installs get the same cooldown and script blocking used by formulae.
  • Cover the command shape because package-manager installs otherwise drift from the hardened formula path without an obvious failure.

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?

  • AI was used to generate or assist with generating this PR.

OpenAI Codex 5.5 xhigh with local review and testing.
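The point of the change above is that a package-manager integration which builds its own `npm install -g` argv silently loses the hardening the formula path gets. The following added example is not Homebrew's code and not the real `Language::Node.local_npm_install_args`; it is an illustrative reimplementation of the idea. It assumes the "cooldown" is expressed with npm's `--before=<date>` flag (which refuses to resolve versions published after that date) and "script blocking" with `--ignore-scripts`; the seven-day window, the function names and the `typescript` package are all assumptions made here for illustration.

```ruby
require "date"

# Assumed cooldown window; Homebrew's real value may differ.
NPM_COOLDOWN_DAYS = 7

# Shared npm security args (illustrative stand-in for a helper like
# Language::Node.local_npm_install_args). `--ignore-scripts` stops
# preinstall/postinstall lifecycle scripts from running, and `--before`
# keeps the resolver from picking versions published inside the cooldown
# window, so a package hijacked yesterday is not installed today.
def npm_security_args(cooldown_days: NPM_COOLDOWN_DAYS, today: Date.today)
  before = (today - cooldown_days).iso8601
  ["--ignore-scripts", "--before=#{before}"]
end

# The unhardened shape a package-manager integration drifts to when it
# assembles its own argv instead of reusing the shared helper.
def naive_bundle_npm_argv(package)
  ["npm", "install", "-g", package]
end

# The hardened shape: a global install that reuses the shared security args.
def hardened_bundle_npm_argv(package, **opts)
  ["npm", "install", "-g", *npm_security_args(**opts), package]
end

# Drift check, the kind of focused assertion a spec pins down: returns every
# shared security flag missing from the argv that would actually be executed.
def missing_security_flags(argv, **opts)
  npm_security_args(**opts).reject { |flag| argv.include?(flag) }
end

if $PROGRAM_NAME == __FILE__
  fixed_day = Date.new(2026, 5, 24) # pinned so the output is reproducible
  puts hardened_bundle_npm_argv("typescript", today: fixed_day).join(" ")
  drift = missing_security_flags(naive_bundle_npm_argv("typescript"), today: fixed_day)
  puts "flags missing from the naive argv: #{drift.inspect}"
end
```

Pinning the argv in a spec, as the PR does, is what turns a quiet loss of `--ignore-scripts` or the cooldown flag into a test failure instead of an install that merely looks successful.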


Copilot AI review requested due to automatic review settings May 24, 2026 12:53
@MikeMcQuaid MikeMcQuaid enabled auto-merge May 24, 2026 12:56
Contributor

Copilot AI left a comment


Pull request overview

This PR hardens brew bundle’s npm package installation path by reusing Homebrew’s existing Node install-argument helper, aligning Bundle’s npm behavior with the more security-focused defaults used elsewhere in the codebase.

Changes:

  • Use Language::Node.local_npm_install_args when running npm install -g from the Bundle npm extension.
  • Update the Bundle npm spec to reflect the new command argument shape and prevent silent drift.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                        Description
Library/Homebrew/bundle/extensions/npm.rb   Switch npm installs to use Language::Node.local_npm_install_args for hardened defaults.
Library/Homebrew/test/bundle/npm_spec.rb    Adjust expected npm install invocation to include the shared Node install args.


Comment thread Library/Homebrew/test/bundle/npm_spec.rb
Comment thread Library/Homebrew/bundle/extensions/npm.rb
- Share only the npm security args so `brew bundle` gets the cooldown
  and script blocking that protect formula installs.
- Keep formula-only npm defaults out of Bundle because verbose npm output
  can add unnecessary buffering cost on successful installs.
- Cover the concrete Bundle argv so the hardened flags cannot drift behind
  helper changes without a focused failure.
@MikeMcQuaid MikeMcQuaid force-pushed the bundle-npm-secure-install branch from 293a4b1 to 10f5833 on May 24, 2026 13:01

2 participants