Conversation
- Bump cross-spawn to ^7.0.5 and which to ^4; drop unused spawn-sync. - Fix spawnSync result checks (use status/signal/error, not .code). - Treat non-zero / null close codes from npm run spawns reliably. - Install hook via absolute path to package hook script for Yarn PnP; chmod 0755. - Hook: cd to git root before require.resolve; use exec for node. - Install: guard gitdir parse; avoid fs.existsSync(null) on missing .git. - Dev: mocha 10, assume 2, nyc; engines node>=16; stub tty in tests. - Version 1.2.3; add package-lock.json; ignore .nyc_output. Addresses GH-167, GH-160, GH-157; mitigates GH-166 (cwd / exit handling). Made-with: Cursor
There was a problem hiding this comment.
Pull request overview
This PR upgrades spawn-related dependencies to address security concerns and improves the reliability/portability of the git hook installation and hook execution (notably for Yarn PnP and inconsistent hook cwd/exit handling).
Changes:
- Upgrade
cross-spawn/which, modernize dev tooling to mocha+nyc, and bump package version/Node engine. - Harden hook installation and hook runtime behavior (absolute hook path,
chmod 0755,cdto repo root,execusage). - Add
package-lock.jsonand ignore nyc output.
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
index.js |
Uses status/signal/error semantics for spawnSync results; improves close-code handling from npm run. |
install.js |
Installs hook via absolute path (PnP-friendly), adds shell quoting, updates chmod mode, and guards gitdir parsing. |
hook |
Ensures hook runs from repo root; uses exec for the Node invocation. |
test.js |
Stubs tty.isatty for deterministic color/TTY-dependent behavior in tests. |
package.json |
Dependency/devDependency updates, switches coverage tooling to nyc, adds Node engine, bumps version. |
package-lock.json |
Newly added lockfile for dependency reproducibility. |
.gitignore |
Ignores .nyc_output. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Addresses long-standing open PRs whose intent fits the cross-spawn / hook-hardening cleanup: * #127 - install.js: "backuped" -> "backed up". * #148 - magit workaround: emit `unset GIT_LITERAL_PATHSPECS` in the generated `.git/hooks/pre-commit` wrapper, and also at the top of the package's `hook` script for defense-in-depth, so hooks invoked from emacs/magit behave the same as on the command line. * #112 - resilience for missing pre-commit package: when a user switches to a branch without `node_modules`, the generated wrapper now exits 0 instead of failing the commit, and the `hook` script detects an unresolvable `pre-commit` package and skips with a friendly warning instead of throwing a Node module-not-found stack. Made-with: Cursor
* getGitFolderPath previously recursed past a `.git` *file*, which made the existing submodule-aware gitdir parsing block unreachable -- in a submodule we silently walked up to the super-project's `.git` dir and installed the hook there instead. Return the `.git` path whether it is a file or directory. * Resolve `gitdir:` pointers against the directory containing the `.git` file (path.dirname(git)) instead of the package root, since git stores those paths relative to the file. Fixes submodules whose `.git` file is not at the package root, and linked worktrees. * Tighten engines.node to >=16.13.0 to match `which@4`'s minimum (`^16.13.0 || >=18.0.0`); the previous `>=16` allowed Node 16.0-16.12 where `which@4` will warn/fail at install time. Addresses copilot-pull-request-reviewer feedback on PR #169. Supersedes the submodule-install half of #75. Made-with: Cursor
This release contains breaking changes that warrant a major bump:
* Drops support for Node < 16.13 by introducing
`engines.node: ">=16.13.0"` (matches `which@4`'s minimum). Previous
releases declared no engine, so anything old enough to run them is
now incompatible.
* Production deps make jumps that raise the floor and change result
shapes: `cross-spawn` ^5 -> ^7 (`spawnSync` returns `status`, not
`code`), `which` 1.2.x -> ^4. The runtime `spawn-sync` dep is dropped
in favor of `cross-spawn.spawnSync`.
* The generated `.git/hooks/pre-commit` wrapper format is rewritten
(single `exec bash <abs-hook> "\$@"` instead of the previous inline
bash). Anyone parsing or scripting against the previous wrapper
shape will see a different file.
* Hook file mode tightened from 0777 to 0755 (CIS 6.1.10).
* Submodule install location now resolves correctly to
`<super>/.git/modules/<sub>/hooks` (previously the unreachable
gitdir-parsing block silently caused submodule hooks to land in the
super-project).
Minor / patch additions in the same release (carried by the same PR):
* Magit fix: generated wrapper and hook script `unset
GIT_LITERAL_PATHSPECS` so hooks behave the same way under emacs.
* Resilient missing-package handling: a removed `pre-commit` (e.g.
branch-switch without `node_modules`) skips with a friendly warning
instead of breaking the commit.
* Internal: harden `index.js` spawn result checks; guard install-time
gitdir parsing against null matches; spelling fix
("backuped" -> "backed up"); drop `istanbul` for `nyc`; modernize
`mocha` and `assume` test deps.
Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cross-spawn upgrade + hook hardening
Cleanup folded in from open PRs
This PR also takes care of three long-standing open PRs whose intent
overlaps with the cleanup. Each is implemented from scratch on top of
the new wrapper/hook code rather than rebasing the original branches.
.git/hooks/pre-commitwrapper now
unsetsGIT_LITERAL_PATHSPECS, and the packagehookscript does the same as defense-in-depth. Fixes the magit
pathspec ':/' did not match any file(s)error.node_modules(or otherwise removing thepre-commitpackage) nolonger blocks commits. The generated wrapper exits 0 if the
package's
hookfile is missing, and thehookscript exits 0 witha friendly warning if
require.resolve('pre-commit')fails, insteadof throwing a Node module-not-found stack trace.
Existing PRs superseded by this one (close on merge)
which, and doesn't fix thecodevsstatusshape mismatch inindex.js.0o755.spawn-syncremoved entirely;cross-spawn≥ 6 ships a built-inspawnSync.Addresses GH-167, GH-160, GH-157; mitigates GH-166 (cwd / exit handling).