Steps to Reproduce
1. Globally install `@commitlint/[email protected]` (or install locally and change step 3)
2. Configure commitlint to conditionally allow a message based on an environment variable
* Example: Disallow `wip` prefixed messages when running in CI with `commit => !process.env.CI && /^wip\b/.test(commit)`
3. Run `echo "wip: test" | commitlint`
4. Run `echo "wip: test" | CI=1 commitlint`
Current Behavior
Error of `Ignore function contains forbidden pattern: process` is thrown

```
file:///.../node_modules/@commitlint/cli/lib/cli.js:132
throw err;
^
Error: Ignore function contains forbidden pattern: process.
at validateIgnoreFunction (file:///.../node_modules/@commitlint/is-ignored/lib/validate-ignore-func.js:8:15)
at Array.forEach (<anonymous>)
at isIgnored (file:///.../node_modules/@commitlint/is-ignored/lib/is-ignored.js:9:13)
at lint (file:///.../node_modules/@commitlint/lint/lib/lint.js:13:9)
at file:///.../node_modules/@commitlint/cli/lib/cli.js:238:65
at Array.map (<anonymous>)
at main (file:///.../node_modules/@commitlint/cli/lib/cli.js:238:48)
Node.js v18.17.1
```
Expected Behavior
Commitlint should block dangerous `process` calls, but should not prevent accessing `process.env.*`
* `echo "wip: test" | commitlint` - Should succeed (no CI environment set)
* `echo "wip: test" | CI=1 commitlint` (CI environment blocks `wip` commits)
Affected packages
Possible Solution
This was caused by #4258, and likely involves modifying https://github.com/conventional-changelog/commitlint/blob/v19.7.1/%40commitlint/is-ignored/src/validate-ignore-func.ts to either have a tighter scope for what `dangerousPattern` matches, or a check to allow `process.env`.
Potential solution using negative lookahead patterns:
`/(?:process(?!\.env)|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/`
Context
Our team runs various checks like ESLint, Prettier, and commitlint locally through `lint-staged` and in CI. We permit making `wip: ...` commits in a local environment, but we have a CI check that prevents a PR from being merged until the commit is finalized (the message is updated). We use an `ignores` function that checks for `process.env.CI` (set by GitHub CI) to fail messages in PRs.
commitlint --version
@commitlint/[email protected]
git --version
v2.44.0
node --version
v18.17.1
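The proposed pattern from this issue, exercised against a few ignore functions. This is an added example, not part of the original issue and not commitlint's code: `BROAD`, `forbiddenMatch`, `report` and the sample functions are hypothetical, and `BROAD` (the proposed regex with the lookahead removed) is an assumption standing in for the behaviour reported above.

```javascript
// PROPOSED is the regex quoted in the issue. BROAD is the same regex without
// the (?!\.env) lookahead; it is an assumption, not the project's source.
const PROPOSED =
  /(?:process(?!\.env)|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/;
const BROAD =
  /(?:process|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/;

// Hypothetical helper: scan the function's source text and return the
// forbidden fragment that matched, or null when nothing matched.
function forbiddenMatch(pattern, fn) {
  const match = fn.toString().match(pattern);
  return match ? match[0].trim() : null;
}

// Constructed sample ignore functions. They are only stringified, never called.
const samples = {
  // The ignore function from the issue: reads process.env.CI only.
  ciGate: (commit) => !process.env.CI && /^wip\b/.test(commit),
  // A process call that should stay rejected under both patterns.
  exitCall: (commit) => process.exit(commit.length),
  // Same env read with whitespace before the dot: the lookahead expects
  // ".env" immediately after "process", so this is still rejected.
  spacedEnv: (commit) => process .env.CI === commit,
  // No forbidden identifiers at all.
  plainRegex: (commit) => /^wip\b/.test(commit),
};

// Evaluate every sample against both patterns.
function report() {
  const rows = {};
  for (const [name, fn] of Object.entries(samples)) {
    rows[name] = {
      broad: forbiddenMatch(BROAD, fn),
      proposed: forbiddenMatch(PROPOSED, fn),
    };
  }
  return rows;
}

console.table(report());
```

The `spacedEnv` row shows that the lookahead is sensitive to formatting: a formatter that breaks `process` and `.env` across lines would bring the false positive back.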