fix(pnpm): stop ignore pnpmfile #4845
If this allows for execution of untrusted code then we'd only want to enable if the repo is set to a high trust level. Are you running self-hosted or in the app?
Self-hosted
In that case, can you refactor it so that it's similar to renovate/lib/manager/composer/artifacts.ts (lines 126 to 128 in 24a9e29)?
Sure
Done
@@ -92,7 +92,9 @@ export async function generateLockFile( | |||
cmd += ' install'; | |||
cmd += ' --lockfile-only'; | |||
cmd += ' --ignore-scripts'; | |||
cmd += ' --ignore-pnpmfile'; | |||
if (global.trustLevel !== 'high') { | |||
cmd += ' --ignore-pnpmfile'; |
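Review bot: the new `if (global.trustLevel !== 'high')` guard around `--ignore-pnpmfile` carries no comment explaining the trust gate. A pnpmfile is code from the repository that pnpm loads during install, so a short comment above the `if` saying the flag is dropped only for high-trust setups would keep a later refactor from removing the guard. The comparison fails closed (any value other than 'high', including unset, keeps the flag), which is the right default; a test for each branch of `generateLockFile` would pin that down.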
To be consistent with other managers, we should include --ignore-scripts
here too.
done
Thanks @Djaler
🎉 This PR is included in version 19.67.5 🎉 The release is available on: Your semantic-release bot 📦🚀
Pnpmfile contains hooks that can be required to install packages correctly. And because of this it shouldn't be ignored by default.