Clarify <...> test-name expansion in 6.0.0: release notes say "data only" but rc2 evaluates expressions #2808

@nohwnd

Summary

While updating the v6 docs from the 6.0.0 release notes, I found that the release notes (and the draft migration guide) describe <...> test-name expansion as data-only, but Pester 6.0.0-rc2 actually evaluates arbitrary expressions inside <...>. The two descriptions are opposite, so I'd like to confirm the intended 6.0.0 behavior before the docs lock in either wording.

What the release notes say

Test and block names expand data templates only. <...> tokens in Describe/Context/It names (and in -ForEach/-TestCases data) now interpolate only the current data item and its properties — not arbitrary PowerShell expressions. This closes a code-injection vector where an expression embedded in a name could execute during discovery. If you relied on full expression expansion in a name, compute the value into a -ForEach property and reference that instead.

What rc2 actually does

Expressions inside <...> are evaluated, not just data tokens:

Describe 'name expansion' {
    It 'data token: adds <a> and <b>' -ForEach @(@{ a = 1; b = 2 }) { }
    It 'expression token: adds up to <($a + $b)>' -ForEach @(@{ a = 1; b = 2 }) { }
    It 'method/format expression: <($a.ToString("000"))>' -ForEach @(@{ a = 7 }) { }
}

Expanded names (Pester 6.0.0-rc2, PowerShell 7.5.5):

data token: adds 1 and 2
expression token: adds up to 3
method/format expression: 007

So <($a + $b)> renders 3 and <($a.ToString("000"))> renders 007 — full expression evaluation. This is a superset of v5, which left <($a + $b)> literal.

Question

Which is the intended 6.0.0 behavior?

  • If data-only is intended, rc2 still evaluates expressions (the code-injection vector the notes mention appears to still be open), and the docs should describe data-only.
  • If expression evaluation is intended, the release notes / migration guidance are inaccurate and should be corrected.

For now the docs PR (pester/docs) documents actual rc2 behavior (expression evaluation). Happy to flip it if the intent is data-only.

Environment

  • Pester 6.0.0-rc2
  • PowerShell 7.5.5, macOS
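
An audit for the situation this issue describes, as an added example that is not part of the original issue or of Pester: it parses a test script with the PowerShell AST and lists the Describe/Context/It names whose <...> tokens are more than a plain data reference, which are the names whose rendering depends on which 6.0.0 behavior is intended. The function name Find-ExpressionNameToken and the rule that the name is the first string argument are assumptions of this example.

```powershell
# Added example, not Pester code. Flags Describe/Context/It names containing
# <...> tokens that are more than a data reference such as <a>, <_> or <user.name>.
function Find-ExpressionNameToken {
    param([Parameter(Mandatory)][string] $ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref] $tokens, [ref] $errors)

    # All invocations of the three Pester block commands, at any nesting depth.
    $commands = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -in 'Describe', 'Context', 'It'
        }, $true)

    foreach ($cmd in $commands) {
        # Assumption: the name is the first string argument after the command name.
        $nameAst = $cmd.CommandElements | Select-Object -Skip 1 | Where-Object {
            $_ -is [System.Management.Automation.Language.StringConstantExpressionAst] -or
            $_ -is [System.Management.Automation.Language.ExpandableStringExpressionAst]
        } | Select-Object -First 1
        if (-not $nameAst) { continue }

        foreach ($m in [regex]::Matches($nameAst.Value, '<([^<>]+)>')) {
            $token = $m.Groups[1].Value
            # Plain identifiers joined by dots are data references; the rest is flagged.
            if ($token -notmatch '^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$') {
                [pscustomobject]@{
                    Line    = $nameAst.Extent.StartLineNumber
                    Command = $cmd.GetCommandName()
                    Token   = $token
                    Name    = $nameAst.Value
                }
            }
        }
    }
}

# Constructed sample: the Describe block from the issue above.
$sample = @'
Describe 'name expansion' {
    It 'data token: adds <a> and <b>' -ForEach @(@{ a = 1; b = 2 }) { }
    It 'expression token: adds up to <($a + $b)>' -ForEach @(@{ a = 1; b = 2 }) { }
    It 'method/format expression: <($a.ToString("000"))>' -ForEach @(@{ a = 7 }) { }
}
'@
Find-ExpressionNameToken -ScriptText $sample | Format-Table -AutoSize
```

To audit a real file, pass `(Get-Content -Raw <path>)` as `-ScriptText`; the script is only parsed, never executed.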
