The husky lint git hook is vulnerable to PATH changes #2915
Comments
I wouldn't call it a "significant fault", since when you change your node version it is always a good idea to reinstall your modules; like if you change from .10 to 5.1 without reinstalling you shouldn't expect that everything would work correctly.
Not really. If you change major Node versions all that's usually needed is
Why would you use nvm to switch back and forth between patch versions of node? Why wouldn't you always use
I'd say yeah, I would really want to be safe when I switch major versions. /cc @typicode I don't use
Of course I'd always use
It seems like a
I'd say it is hard to consider this raaare case a "significant fault"; nevertheless, if this is frustrating for some of us, that could be grounds for removing the commit hook
Well, it will affect anyone that both:
nvm is very popular so I don't think this qualifies as an edge case. And it's a significant fault to me as it prevents you from committing at all, even locally (unless you bypass hooks), so it's an additional barrier for new contributors.
What's the proposed solution here? I see a couple possibilities.
That's how they're doing it:
I assume the provided hardcoded PATH is derived from the current shell PATH at the moment of invoking
https://github.com/typicode/husky/blob/c06d6e8894b65ff51da39bcf877cedfb277467a0/src/index.js#L36
I don't believe I have said that this is an edge case; I said that switching Node LTS patch versions is a rare case, not an "edge" one, though a "rare" one.
I think who this behaviour affects is clear; the other issue, if you should or shouldn't reinstall the node modules or just run It seems nvm also favours the reinstall approach then
So you think people are only upgrading their local Node instances to new major versions? Some do that but I don't think upgrading only a patch or a minor is that rare.
This only affects global packages so it's not relevant to this case.
Again, I didn't say that; I'm trying to be precise so I won't repeat myself, i.e. see above.
Yeah, one of the most common things maintainers of some package ask you to do before thoroughly reviewing your issue is "Did you try There are a lot of packages that need to be reinstalled when you change node versions; it seems it's just easier to solve the issue than to find out why it happened.
You can install
Yea, that's interesting. I'm surprised it doesn't work without setting PATH.
@mgol it seems we are going into the particulars of things; I suggest we move on and focus on what we want to do with all that. Do you want to remove pre-commit because of this?
Hi @markelog, thanks for the heads up :) At the time, I was using So when committing from Sublime Text, the git hook was failing because it couldn't find Hard-coding PATH makes it possible to run hooks outside of the terminal. But yeah, it's a trade-off. I think a check and warning message in I'll verify if the issue is still present with Sublime, maybe there's no need for setting
@typicode I know As for the PATH issue, it's a general issue on OS X that GUI apps have a different PATH than terminal ones, even regular, non-dynamic PATH modifications done in
Regarding commitplease, there's an open issue: jzaefferer/commitplease#47 (still looking for steps to reproduce) |
@mgol I've also noticed that the current Sublime Text build inherits This new version supports If I've tested it on OS X and Ubuntu with Sublime Text. Feedback is welcome.
What if you start it e.g. from Launchpad? GUI apps on OS X don't inherit the terminal
How is that done? Will it work in GUI apps with default |
If you start from Launchpad it will work too. The new hook script loads

```sh
# .git/hooks/pre-commit
export NVM_DIR="/Users/typicode"
[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
```

So even though your GUI tool isn't aware of terminal The only thing you need to do is to set a default version
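The approach in the comment above (source nvm.sh from the hook instead of baking a PATH into it) and the earlier suggestion of a check and warning message can be combined in one hook. The following is an added example for this thread, not husky's code and not the snippet typicode posted: a POSIX sh pre-commit hook that resolves `node` when the commit happens, falls back to loading nvm when a GUI app started without the terminal PATH, and, if `node` still cannot be found, reports which PATH entries no longer exist on disk (the situation the original report describes after an nvm version is removed). The function names, the `INSTALL_TIME_PATH` variable and the linter command `node_modules/.bin/grunt lint` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not husky's own hook): resolve node at commit time rather
# than hard-coding the PATH that was current when `npm install` ran.

# stale_path_entries PATH_STRING
# Echoes the colon-separated entries of PATH_STRING that do not exist on disk.
# This is the check-and-warn step: a PATH baked in at install time silently
# goes stale once the nvm version directory it pointed at is deleted.
stale_path_entries() {
  _old_ifs=$IFS
  IFS=':'
  _stale=''
  for _dir in $1; do
    if [ -n "$_dir" ] && [ ! -d "$_dir" ]; then
      _stale="${_stale}${_dir}:"
    fi
  done
  IFS=$_old_ifs
  printf '%s' "${_stale%:}"
}

# find_node
# Echoes the absolute path of a usable node binary; returns 1 if none found.
find_node() {
  # 1. Whatever the calling environment already provides (terminal, or a GUI
  #    app that happened to inherit the terminal PATH).
  if command -v node >/dev/null 2>&1; then
    command -v node
    return 0
  fi
  # 2. GUI apps on OS X do not inherit the terminal PATH, so load nvm
  #    explicitly, exactly as the hook in the thread does. NVM_DIR defaults to
  #    ~/.nvm (assumption); nvm's "default" alias decides which node is used.
  NVM_DIR="${NVM_DIR:-$HOME/.nvm}"
  if [ -s "$NVM_DIR/nvm.sh" ]; then
    # shellcheck disable=SC1091
    . "$NVM_DIR/nvm.sh" >/dev/null 2>&1
    if command -v node >/dev/null 2>&1; then
      command -v node
      return 0
    fi
  fi
  return 1
}

# run_precommit LINT_COMMAND
# Runs the linter under the resolved node, or fails with a diagnostic that
# names the stale PATH entries instead of a bare "node: command not found".
run_precommit() {
  if _node=$(find_node); then
    echo "pre-commit: using node at $_node"
    # In the real hook this line would be:  exec "$_node" $1
    return 0
  fi
  echo "pre-commit: node not found on PATH and no nvm.sh in ${NVM_DIR:-$HOME/.nvm}." >&2
  # INSTALL_TIME_PATH is an assumed name for a PATH a generator baked in;
  # fall back to the live PATH so the warning is still useful.
  _stale=$(stale_path_entries "${INSTALL_TIME_PATH:-$PATH}")
  if [ -n "$_stale" ]; then
    echo "pre-commit: these PATH entries no longer exist: $_stale" >&2
  fi
  echo "pre-commit: set a default with 'nvm alias default <version>', or bypass once with 'git commit --no-verify'." >&2
  return 1
}

# The last line of the installed .git/hooks/pre-commit would be:
#   run_precommit "node_modules/.bin/grunt lint"
```

Because the hook asks the shell for `node` on every commit, removing an old nvm version and switching the default alias is enough; nothing has to be re-run in the repository. The diagnostic on the failure path lists exactly the directories that disappeared, which is what a contributor needs to see to understand why a hook that worked yesterday now refuses the commit.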
@typicode Great, thanks! :) I guess we can treat this ticket as a reminder to update husky in our @jzaefferer What do you think about supporting
The linter git hook added in d94c453 has a significant fault; it creates a pre-commit file where PATH is hard-coded to the one at the end of the initial npm install (subsequent npm installs don't update it). This poses a problem for tools like nvm where after removing an older Node version (e.g. when a new patch release comes out you might want to remove the older one to not keep vulnerable & outdated releases on the disk) the previous PATH stops being valid, the hook stops working and packages need to be re-installed.