Why pnpm tries to read _github_workflow/event.json ?

[Liu233w]

Recently I found that if environment variables like GITHUB_EVENT_PATH exists, pnpm test reads the event.json file. Is that intended? If so, what is that used for?

P.S. I created a repo to reproduce it: https://github.com/Liu233w/pnpm-reading-github-event

[Liu233w]

After communicating with Zoltan, I agree that this is not a security issue. But it will be better if pnpm can check if the file exists before reading.

The email contents are listed below:

Click me

Hi Zoltan,

I just checked it with yarn and found that yarn does not have this issue. The repo is in https://github.com/Liu233w/yarn-reading-github-event .

Regards,
Shumin

On 10/25/22 12:50, Shumin Liu wrote:

Thanks Zoltan,

With that I can confirm that it was not a security issue 😄

Although I think it is still an issue because it does not check whether this file exists in the first place.

In one of my project, I simply exposed all environment variables into a docker container for e2e testing, so the library can get enough information to display them in a dashboard. With this code, pnpm test just threw an exception because the file is not there.

Besides, it seems like that it should only check on yarn/pnpm install rather than on yarn/pnpm test.

Since this seems to be a problem on the upstream, I will open an issue in that repo.

Regards,
Shumin

On 10/23/22 12:25, Zoltan Kochan wrote:

Why is it an issue that that file is read?

It is done by Yarn. We import some libs from Yarn and @yarn/core does that read: https://github.com/yarnpkg/berry/blob/9bd982533e16bea12ebb3ffe8cc257e12f229bfc/packages/yarnpkg-core/sources/Configuration.ts#L31-L33 https://github.com/yarnpkg/berry/blob/9bd982533e16bea12ebb3ffe8cc257e12f229bfc/packages/yarnpkg-core/sources/Configuration.ts#L31-L33

Regards,
Zoltan

Oct 20, 2022, 21:04 by [email protected]:

I'll check.


Aug 26, 2022, 07:31 by [[email protected]](mailto:[email protected]):

    Hi pNpm Development team,

    Recently I just found that pnpm tries to read
    `/home/runner/work/_temp/_github_workflow/event.json` when it is
    running on GitHub workflow. And I created a repo[1] to reproduce
    the problem.

    Basically, if there are environment variables about the GitHub
    workflow (e.g.
    `GITHUB_EVENT_PATH="/home/runner/work/_temp/_github_workflow/event.json"`), pnpm tries to read the path when you run `pnpm test`.

    Regards,
    Shumin Liu

    [1] https://github.com/Liu233w/pnpm-reading-github-event

[roger-qi-chen]

Actually, I got the same error as you. How did you guys fix this issue?

[Liu233w]

There are several ways to fix this:

• not passing environment variable GITHUB_EVENT_PATH into the container
• mount that file into the container
• Use npm test for test <-- I use this method