Skip to content

[BUG] Modules run via npx interpret strings that look like environment variables #3600

New issue
New issue
Closed
npm/run-script
#78
Closed
[BUG] Modules run via npx interpret strings that look like environment variables#3600
npm/run-script
#78
Labels
Bugthing that needs fixingPriority 2secondary priority issueRelease 7.xwork is associated with a specific npm 7 release
@YodaDaCoda

Description

@YodaDaCoda
YodaDaCoda
opened on Aug 3, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

npm exec is interpreting argv strings that look like environment variables. Passing, for example, test$param results in test being passed to the module (because param is not defined in the environment).

Expected Behavior

Strings passed should not be interpreted.

Steps To Reproduce

  1. Issue occurs with this environment:
    npm >=v7.1.0.
    Earlier versions are unaffected.
    Installed node version doesn't appear to matter (tested with various v14/v15/v16 releases)

  2. With this config
    a file in node_modules/.bin/testington with this content:

#!/usr/bin/env node
console.log(process.argv[2]);
  1. Run '...'

Note proper quotes used to avoid bash interpreting the string.

$ npm exec testington 'test$param'
test
$ export param=asdf
$ npm exec testington 'test$param'
testasdf
  1. See error...

Note that npx intereprets environment variables within the string before they reach the module.

Environment

  • OS: Ubuntu 20.04
  • Node: v16.6.0
  • npm: 7.1.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingPriority 2secondary priority issueRelease 7.xwork is associated with a specific npm 7 release

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions