-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
39 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| diff --git a/index.js b/index.js | ||
| index 931c9170414e3161a86ea6661727e0822d144f2e..96cb1cb3198089d2c0cba5ddffec0ecc17a1305f 100644 | ||
| --- a/index.js | ||
| +++ b/index.js | ||
| @@ -235,12 +235,27 @@ function runCmd_ (cmd, pkg, env, wd, opts, stage, unsafe, uid, gid, cb_) { | ||
|
|
||
| if (customShell) { | ||
| sh = customShell | ||
| } else if (process.platform === 'win32') { | ||
| sh = process.env.comspec || 'cmd' | ||
| shFlag = '/d /s /c' | ||
| conf.windowsVerbatimArguments = true | ||
| } | ||
|
|
||
| + // Spawning .bat and .cmd files on Windows requires the "shell" option to | ||
| + // spawn to be set. Otherwise spawn will throw with EINVAL. | ||
| + // | ||
| + // https://nodejs.org/api/child_process.html#spawning-bat-and-cmd-files-on-windows | ||
| + // https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 | ||
| + // | ||
| + // The shell option is security sensitive. It should make sense for this | ||
| + // usecase since scripts in package.json intentionally run on the shell. | ||
| + // Avoiding setting the shell option in all cases to preserve existing | ||
| + // behavior on non-Windows platforms. | ||
| + if (process.platform === 'win32' && customShell && (customShell.endsWith('.bat') || customShell.endsWith('.cmd'))) { | ||
| + conf.shell = true | ||
| + conf.windowsVerbatimArguments = true | ||
| + } | ||
| + | ||
| opts.log.verbose('lifecycle', logid(pkg, stage), 'PATH:', env[PATH]) | ||
| opts.log.verbose('lifecycle', logid(pkg, stage), 'CWD:', wd) | ||
| opts.log.silly('lifecycle', logid(pkg, stage), 'Args:', [shFlag, cmd]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -109,7 +109,8 @@ | |
| "onlyBuiltDependencies": [], | ||
| "patchedDependencies": { | ||
| "[email protected]": "__patches__/pkg.patch", | ||
| "[email protected]": "__patches__/[email protected]" | ||
| "[email protected]": "__patches__/[email protected]", | ||
| "@pnpm/[email protected]": "__patches__/@[email protected]" | ||
| }, | ||
| "updateConfig": { | ||
| "ignoreDependencies": [ | ||
|
|
||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.