BC: rework npm-cli detction#1489
Conversation
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Not up to standards ⛔🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | ✅ 6 (≤ 20 complexity) |
🔴 Coverage 55.29% diff coverage
Metric Results Coverage variation Report missing for ee61a441 Diff coverage ❌ 55.29% diff coverage (80.00%) Coverage variation details
Coverable lines Covered lines Coverage Common ancestor commit (ee61a44) Report Missing Report Missing Report Missing Head commit (e9d2d4d) 4848 4229 87.23% Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch:
<coverage of head commit> - <coverage of common ancestor commit>Diff coverage details
Coverable lines Covered lines Diff coverage Pull request (#1489) 85 47 55.29% Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified:
<covered lines added or modified>/<coverable lines added or modified> * 100%1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
There was a problem hiding this comment.
Pull request overview
This PR reworks how the project detects and executes the npm CLI (including fallback “system npm” resolution), and expands integration tests to validate argument pass-through and prevent --workspace shell-injection across more scenarios (including Windows .cmd).
Changes:
- Updated
NpmRunnerto resolve npm CLI vianpm_execpathor a system lookup, and to always execute npm vianode <npm-cli.*js>. - Strengthened integration tests for argument pass-through and shell-injection prevention, adding a Windows
.cmdnpm stub. - Added
.gitignoreentry for generated sentinel files used by injection tests.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
src/npmRunner.ts |
Reworked npm execpath discovery and runner construction logic. |
tests/integration/index.js |
Updated integration harness (added Windows stub path, ensured streams close after runs). |
tests/integration/cli.args-pass-through.test.js |
Expanded integration coverage for verbose flag pass-through and shell-injection test matrix. |
tests/_data/npm-ls_replacement/just-exit.cmd |
Added Windows npm_execpath stub for integration tests. |
.gitignore |
Ignored injection-test sentinel files. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Description
npmdetection and handling.--workspaceargument.See GHSA-q69g-4hcv-6jg4
Resolves or fixes issue:
AI Tool Disclosure
[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.][e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.][Summarize the key prompts or instructions given to the AI tools]Affirmation