Merged
5 changes: 5 additions & 0 deletions 5 CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

## [1.1.130](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.130) - 2026-06-29

### Fixed
- Reachability analysis no longer fails to start in pnpm workspaces that define a `.pnpmfile.cjs`. Socket now launches its bundled analysis tools without running the project's pnpm hooks, so a broken or environment-specific hook (for example, one that loads a file managed by Git LFS) can no longer stop a scan before it begins.

## [1.1.129](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.129) - 2026-06-26

### Changed
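Review bot: the entry explains the outcome but not the mechanism, so a user whose `.pnpmfile.cjs` carries hooks they expect to apply everywhere (for example a `readPackage` override) cannot tell from this text that those hooks are now skipped only for the dlx-launched tool, not for their project install. Suggest naming the setting so the scope is clear, e.g. "Socket now launches its bundled analysis tools with pnpm's `ignore-pnpmfile` setting enabled, so the project's `.pnpmfile.cjs` hooks are not run for that isolated install; your own project installs are unaffected."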
2 changes: 1 addition & 1 deletion 2 package.json
@@ -1,6 +1,6 @@
{
"name": "socket",
"version": "1.1.129",
"version": "1.1.130",
"description": "CLI for Socket.dev",
"homepage": "https://github.com/SocketDev/socket-cli",
"license": "MIT",
31 changes: 19 additions & 12 deletions 31 src/utils/dlx.mts
@@ -128,19 +128,26 @@ export async function spawnDlx(
spawnArgs.push(FLAG_SILENT)
}
spawnArgs.push('dlx')
// Never let the target project's `.pnpmfile.cjs` hooks run while we launch
// a third-party tool via `pnpm dlx`. In a pnpm workspace root, `pnpm dlx`
// loads the cwd's `.pnpmfile.cjs`, so a broken hook there (e.g. a `require`
// of an unresolved Git LFS pointer) crashes the launcher with a bare exit
// code before our tool ever starts. The dlx tool installs into an isolated
// store, so the project's install hooks are irrelevant to it. pnpm honors
// this only as a config setting, not as a `dlx` CLI flag, so it must be set
// via the npm_config_ env var. See: https://pnpm.io/npmrc#settings
const pnpmEnv: Record<string, string | undefined> = {
...getOwn(finalShadowOptions, 'env'),
npm_config_ignore_pnpmfile: 'true',
}
if (force) {
// For pnpm, set dlx-cache-max-age to 0 via env to force fresh download.
// This ensures we always get the latest version within the range.
finalShadowOptions = {
...finalShadowOptions,
env: {
...getOwn(finalShadowOptions, 'env'),
// Set dlx cache max age to 0 minutes to bypass cache.
// The npm_config_ prefix is how pnpm reads config from environment variables.
// See: https://pnpm.io/npmrc#settings
npm_config_dlx_cache_max_age: '0',
},
}
// Set dlx-cache-max-age to 0 minutes to bypass cache and force a fresh
// download. This ensures we always get the latest version within the range.
pnpmEnv['npm_config_dlx_cache_max_age'] = '0'
}
finalShadowOptions = {
...finalShadowOptions,
env: pnpmEnv,
}
spawnArgs.push(packageString, ...args)
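Review bot: the refactor changes the non-force path's environment handling, not just the force path's. Before, `finalShadowOptions.env` was only touched when `force` was set, so a caller that passed no `env` left it undefined; now `env` is unconditionally replaced with `pnpmEnv`, which is `{ ...getOwn(finalShadowOptions, 'env'), npm_config_ignore_pnpmfile: 'true' }`. If the shadow pnpm bin hands that object straight to `child_process.spawn`, a call with no caller-supplied `env` now launches the child with an environment containing only the `npm_config_*` keys (no `PATH`, `HOME`, etc.). Please confirm that the shadow bin merges `process.env` itself, or spread it explicitly, e.g. `...process.env, ...getOwn(finalShadowOptions, 'env'), npm_config_ignore_pnpmfile: 'true'`. The comment block is good; one small addition would be to note that `ignore-pnpmfile` is a workspace-wide setting read from the cwd, which is exactly why the env-var route is needed here.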

19 changes: 19 additions & 0 deletions 19 src/utils/dlx.test.mts
@@ -181,6 +181,25 @@ describe('utils/dlx', () => {
expect(options.env.npm_config_dlx_cache_max_age).toBe('0')
})

it('should set npm_config_ignore_pnpmfile env var for pnpm regardless of force', async () => {
const packageSpec: DlxPackageSpec = {
name: '@coana-tech/cli',
version: '1.0.0',
}

// force defaults to false here, exercising the non-force path.
await spawnDlx(packageSpec, ['run', '/some/path'], { agent: 'pnpm' })

expect(mockShadowPnpmBin).toHaveBeenCalledTimes(1)
const [, options] = mockShadowPnpmBin.mock.calls[0]

// The target project's `.pnpmfile.cjs` must be ignored so a broken hook
// (e.g. a require of an unresolved Git LFS pointer) cannot crash the
// `pnpm dlx` launcher before the tool starts.
expect(options.env).toBeDefined()
expect(options.env.npm_config_ignore_pnpmfile).toBe('true')
})

it('should handle pinned version without silent flag by default', async () => {
const packageSpec: DlxPackageSpec = {
name: '@coana-tech/cli',
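Review bot: the new case only checks that the key is present on the pnpm non-force path; it does not cover the two behaviours the implementation actually relies on. First, the spread of the caller's existing `env` (`...getOwn(finalShadowOptions, 'env')`) should be shown to survive, so a regression that drops caller-supplied variables is caught; a second call passing an `env` with a marker key (if `spawnDlx` accepts one through its options) and asserting both the marker and `npm_config_ignore_pnpmfile` are present would do it. Second, there is no negative assertion that `npm_config_ignore_pnpmfile` is absent for non-pnpm agents, so the "for pnpm" in the test name is not enforced. The inline comment repeating the Git LFS rationale is helpful; keep it.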