
fix(pnpm): stop ignore pnpmfile #4845

Merged
merged 1 commit into from Nov 22, 2019

Conversation

Djaler
Contributor

@Djaler Djaler commented Nov 21, 2019

pnpmfile contains hooks that can be required to install packages correctly. And because of this it shouldn't be ignored by default.

@rarkins
Collaborator

rarkins commented Nov 21, 2019

If this allows for execution of untrusted code then we'd only want to enable if the repo is set to a high trust level. Are you running self-hosted or in the app?

@Djaler
Contributor Author

Djaler commented Nov 21, 2019

Self-hosted

@rarkins
Collaborator

rarkins commented Nov 21, 2019

In that case, can you refactor it so that it's similar to

```js
if (global.trustLevel !== 'high') {
  args += ' --no-scripts --no-autoloader';
}
```

?
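The pattern rarkins asks for above, gating every "run repository-controlled code at install time" flag behind one trust check, is easiest to keep consistent across managers when the flag sets live in one place. The following is an added example, not Renovate's own code: the manager names, the `untrustedArgs`/`pnpmLockfileCommand`/`allManagersGated` helpers and the object layout are assumptions made for illustration; only the composer flags (`--no-scripts --no-autoloader`) and the pnpm flags (`--ignore-scripts --ignore-pnpmfile`) come from this PR.

```javascript
// Added example (not Renovate's code): one policy function that derives the
// safety flags each package manager gets when the repository is not trusted.
// Manager names, helper names and object layout are assumptions for
// illustration; the flag values themselves are the ones discussed in the PR.

// Flags that stop execution of repository-controlled code at install time.
// Each entry notes what the flag disables, so the gating rationale is recorded.
const UNTRUSTED_FLAGS = {
  composer: [' --no-scripts', ' --no-autoloader'],   // composer scripts / autoload generation
  pnpm: [' --ignore-scripts', ' --ignore-pnpmfile'], // lifecycle scripts / .pnpmfile.js hooks
};

// Returns the extra CLI arguments for `manager` given the global trust level.
// Only a trust level of exactly 'high' lets repository-provided code run;
// any other value, including undefined, gets the restrictive flags.
function untrustedArgs(manager, trustLevel) {
  if (trustLevel === 'high') return '';
  const flags = UNTRUSTED_FLAGS[manager];
  if (!flags) throw new Error(`unknown manager: ${manager}`);
  return flags.join('');
}

// Composes the pnpm lock-file command the way the PR does, but takes the
// trust level as a parameter instead of reading `global.trustLevel`.
function pnpmLockfileCommand(trustLevel) {
  let cmd = 'pnpm';
  cmd += ' install';
  cmd += ' --lockfile-only';
  cmd += untrustedArgs('pnpm', trustLevel);
  return cmd;
}

// Consistency check a reviewer could run: every manager's full untrusted
// flag set is applied for the given trust level. Returns false for 'high'
// (nothing is gated there) and true for anything else.
function allManagersGated(trustLevel) {
  return Object.keys(UNTRUSTED_FLAGS).every((manager) => {
    const args = untrustedArgs(manager, trustLevel);
    return UNTRUSTED_FLAGS[manager].every((flag) => args.includes(flag));
  });
}

module.exports = { UNTRUSTED_FLAGS, untrustedArgs, pnpmLockfileCommand, allManagersGated };
```

Keeping the flags in a table rather than spread across each manager's command builder is what prevents the inconsistency the review below points out (one flag gated, the other not): a new manager either has a complete entry or `untrustedArgs` throws.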

@Djaler
Contributor Author

Djaler commented Nov 21, 2019

Sure

@Djaler
Contributor Author

Djaler commented Nov 21, 2019

Done

@@ -92,7 +92,9 @@ export async function generateLockFile(
cmd += ' install';
cmd += ' --lockfile-only';
cmd += ' --ignore-scripts';
cmd += ' --ignore-pnpmfile';
if (global.trustLevel !== 'high') {
cmd += ' --ignore-pnpmfile';
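Review bot: `--ignore-scripts` is still appended unconditionally on the line just above the new `if (global.trustLevel !== 'high')` block, while only `--ignore-pnpmfile` moves inside it; for consistency with the composer manager's gating quoted earlier in this thread (`--no-scripts --no-autoloader` behind the same trust check), move `cmd += ' --ignore-scripts';` into the block as well, so a high-trust repository gets both lifecycle scripts and pnpmfile hooks and anything below that gets neither. Both are repository-controlled code that runs during install, so the trust level is the one control deciding whether the bot executes it, and the two flags should flip together.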
Collaborator


To be consistent with other managers, we should include --ignore-scripts here too.

Contributor Author


done

@rarkins rarkins merged commit edc2dc3 into renovatebot:master Nov 22, 2019
@rarkins
Collaborator

rarkins commented Nov 22, 2019

Thanks @Djaler

@renovate-release
Collaborator

🎉 This PR is included in version 19.67.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@Djaler Djaler deleted the patch-1 branch November 22, 2019 09:22
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2020