
Conversation

yoursunny (Contributor)

fixes #9381

@yoursunny yoursunny requested a review from zkochan as a code owner June 27, 2025 18:43
@zkochan zkochan requested review from a team and Copilot June 29, 2025 20:17
@Copilot Copilot AI left a comment

Pull Request Overview

This PR replaces the previous use of shell-quote with shlex for quoting command arguments, aligning dependency declarations and tests with the new library.

  • Swapped imports and dependency entries from shell-quote to shlex
  • Updated test expectations to match shlex.join behavior (removal of = escaping)
  • Removed obsolete type packages and updated change log

Reviewed Changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated no comments.

Summary per file:
  • worker/src/index.ts: Replaced shell-quote import with shlex.join
  • exec/lifecycle/src/runLifecycleHook.ts: Same import replacement for lifecycle hook quoting
  • worker/package.json: Swapped dependency from shell-quote to shlex
  • exec/lifecycle/package.json: Swapped dependency from shell-quote to shlex
  • pnpm/test/run.ts: Adjusted regex for new quoting semantics
  • exec/lifecycle/test/index.ts: Updated expected output to match shlex.join
  • pnpm-workspace.yaml: Updated catalog entries to use shlex
  • cspell.json: Added "shlex" to the custom dictionary
  • .changeset/tired-points-brake.md: Documented the migration to shlex
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (3)

worker/src/index.ts:11

  • [nitpick] Aliasing shlex.join as shellQuote can confuse readers. Rename the import alias to something like shlexJoin or joinArgs to better reflect its origin and purpose.
import { join as shellQuote } from 'shlex'

exec/lifecycle/src/runLifecycleHook.ts:9

  • [nitpick] Update the surrounding comment or add a note to clarify that shlex.join is now used instead of shell-quote for argument quoting to keep docs accurate.
import { join as shellQuote } from 'shlex'

worker/package.json:46

  • The new dependency shlex does not include TypeScript declarations. Consider adding @types/shlex or bundling type definitions to prevent compilation errors.
    "shlex": "catalog:"
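The behavioural change the review summary points at (`=` is no longer escaped, everything that needs protection is single-quoted) is easiest to see with a small quoter. The following is an added example, not pnpm's code and not the shlex package: a minimal POSIX sh argument quoter whose safe-character set is modelled on Python's `shlex.quote` (the npm port is assumed to follow the same policy), plus a tokenizer for the subset of sh syntax the quoter emits, so the round trip can be checked offline. The sample argument list is constructed for the example.

```javascript
// Added example (not pnpm's code and not the shlex package): a minimal
// POSIX sh argument quoter plus a matching tokenizer to check the round trip.
// The quoting policy is modelled on Python's shlex.quote (assumed to match the
// npm shlex port): an argument made only of characters from SAFE is emitted
// unchanged, so "=" is never escaped; anything else is wrapped in single
// quotes, with an embedded single quote written as '\'' (close, escaped
// quote, reopen). Inside single quotes sh performs no expansion at all, which
// is what keeps $(...), backticks, ; and && from being interpreted.
const SAFE = /^[A-Za-z0-9_@%+=:,.\/-]+$/;

function quoteArg(arg) {
  if (arg === '') return "''";            // an empty argument must still occupy a word
  if (SAFE.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Build the string that would be handed to `sh -c`.
function joinArgs(args) {
  return args.map(quoteArg).join(' ');
}

// Tokenizer for the subset of sh syntax joinArgs emits: unquoted words,
// single-quoted strings (no escapes inside) and a backslash-escaped
// character outside quotes. Used here only to verify the round trip.
function splitArgs(cmd) {
  const out = [];
  let cur = '';
  let started = false;   // distinguishes '' (an empty word) from no word at all
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) {
      if (c === "'") inSingle = false; else cur += c;
    } else if (c === "'") {
      inSingle = true; started = true;
    } else if (c === '\\') {
      i += 1;
      if (i >= cmd.length) throw new Error('dangling backslash');
      cur += cmd[i]; started = true;
    } else if (c === ' ' || c === '\t' || c === '\n') {
      if (started) { out.push(cur); cur = ''; started = false; }
    } else {
      cur += c; started = true;
    }
  }
  if (inSingle) throw new Error('unterminated single quote');
  if (started) out.push(cur);
  return out;
}

// Constructed sample: a lifecycle-hook style command line with the kinds of
// arguments that matter here (an env-style KEY=VALUE, an apostrophe, a
// command substitution, an empty word and a word containing a space).
const sampleArgs = [
  'pnpm', 'run', 'build', '--',
  'NODE_OPTIONS=--max-old-space-size=4096',
  "it's",
  '$(rm -rf /)',
  '',
  'a b',
];

// True when tokenizing the joined string yields the original argv again.
function roundTrips(args) {
  const joined = joinArgs(args);
  return JSON.stringify(splitArgs(joined)) === JSON.stringify(args);
}

console.log(joinArgs(sampleArgs));
// pnpm run build -- NODE_OPTIONS=--max-old-space-size=4096 'it'\''s' '$(rm -rf /)' '' 'a b'
console.log('round trip ok:', roundTrips(sampleArgs));
```

The point to take from it is that the `=` in `NODE_OPTIONS=...` passes through untouched (it is in the safe set and has no special meaning as a bare word in sh), while `$(rm -rf /)` is neutralised purely by single quotes rather than by backslash-escaping individual metacharacters; any test that asserted on an escaped `=` was asserting on the old library's stylistic choice, not on a security property.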

@zkochan zkochan merged commit 589ac1f into pnpm:main Jun 30, 2025
16 of 19 checks passed
@fz6m commented Jul 9, 2025

IMO shlex has few stars and is not popular. Adding more third-party libraries to pnpm brings big supply chain risks.

pnpm adds onlyBuiltDependencies for safety, but still includes more third-party libraries.

pnpm should care more about dependency security.

@yoursunny (Contributor, Author) commented

> IMO shlex has few stars and is not popular. Adding more third-party libraries to pnpm brings big supply chain risks.

It solves the bug.
I've been using shlex for years and never got hacked.

@zkochan (Member) commented Jul 9, 2025

The version of shlex is locked in the lockfile. If it gets a new version, we can review it before upgrading. We also have pnpm audit as part of CI. Also, it is untrue that shlex is not popular. It is a niche library; the numbers of stars, downloads and dependents are high for such a library.

Development

Successfully merging this pull request may close these issues.

Incorrect pnpm escaping introduced by #9018
4 participants