fix: prevent setEnv from clobbering envConfig when merging NODE_CONFIG#896
Merged
jdmarshall merged 3 commits intonode-config:masterfrom Mar 2, 2026
Merged
Conversation
When building the combined NODE_CONFIG value from the environment variable
and --NODE_CONFIG command-line argument, Util.extendDeep was called with
envConfig as the target object. This caused extendDeep to mutate envConfig
in-place, effectively clobbering it.
Fix by using an empty object {} as the merge target so neither envConfig
nor cmdLineConfig is mutated.
Fixes: node-config#894
Signed-off-by: Sputnik-MAC <[email protected]>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review infoConfiguration used: defaults Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe merge target in config construction was changed to use a fresh object ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
lib/config.mjs (1)
697-697: Please add a regression test for this merge behavior.Add a test that verifies: (1) source env config object is not mutated, and (2)
--NODE_CONFIGoverrides$NODE_CONFIGin the finalNODE_CONFIGpayload.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@lib/config.mjs` at line 697, Add a regression test that exercises load.setEnv('NODE_CONFIG', JSON.stringify(Util.extendDeep({}, envConfig, cmdLineConfig))) to ensure merge behavior: create an original envConfig object and a cmdLineConfig object, call the code path that performs Util.extendDeep({}, envConfig, cmdLineConfig) (or call load.setEnv with those values) and assert two things—(1) the original envConfig object remains strictly equal to its pre-call shape (not mutated), and (2) when both envConfig and cmdLineConfig set the same key, the value from cmdLineConfig (simulating --NODE_CONFIG) appears in the final NODE_CONFIG payload produced by load.setEnv / JSON.parse(process.env.NODE_CONFIG). Use the actual symbols envConfig, cmdLineConfig, Util.extendDeep and load.setEnv in the test to locate and exercise the behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@lib/config.mjs`:
- Line 697: Add a regression test that exercises load.setEnv('NODE_CONFIG',
JSON.stringify(Util.extendDeep({}, envConfig, cmdLineConfig))) to ensure merge
behavior: create an original envConfig object and a cmdLineConfig object, call
the code path that performs Util.extendDeep({}, envConfig, cmdLineConfig) (or
call load.setEnv with those values) and assert two things—(1) the original
envConfig object remains strictly equal to its pre-call shape (not mutated), and
(2) when both envConfig and cmdLineConfig set the same key, the value from
cmdLineConfig (simulating --NODE_CONFIG) appears in the final NODE_CONFIG
payload produced by load.setEnv / JSON.parse(process.env.NODE_CONFIG). Use the
actual symbols envConfig, cmdLineConfig, Util.extendDeep and load.setEnv in the
test to locate and exercise the behavior.
Collaborator
|
I was hoping for unit tests but the only ones I can think of are to mock load.scan(). |
Verifies that: - --NODE_CONFIG overrides $NODE_CONFIG for shared keys - $NODE_CONFIG exclusive keys survive the merge - --NODE_CONFIG exclusive keys are present in merged result - the $NODE_CONFIG source object is not mutated by extendDeep (the original bug: cmd-only keys must not bleed into envConfig) Requested-by: CodeRabbit review on node-config#896 Signed-off-by: Sputnik-MAC <[email protected]>
Contributor
Author
|
Thanks for the review! I've added a regression test suite in
All four tests pass against the fixed code. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@test/24-setenv-nodeconfig-merge.js`:
- Around line 19-36: The before hook mutates global process.env and process.argv
and doesn't restore them; capture originals at start of the suite (e.g., const
_origEnv = { ...process.env }; const _origArgv = process.argv.slice()) and add
an after hook that restores them (Object.assign(process.env, _origEnv) and
process.argv = _origArgv) and also delete any added keys (NODE_CONFIG_DIR,
NODE_ENV, NODE_CONFIG) or restore their previous values; ensure CONFIG is
cleared or reset if needed (e.g., delete from module cache or set CONFIG =
undefined) so the global process state is identical after the suite.
Add an after() hook that saves and restores process.argv, NODE_CONFIG_DIR, NODE_ENV, and NODE_CONFIG around the test suite, preventing state from leaking into subsequent test files. Signed-off-by: Sputnik-MAC <[email protected]>
jdmarshall
approved these changes
Mar 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When building the combined
NODE_CONFIGvalue from the environment variable and--NODE_CONFIGcommand-line argument,Util.extendDeepwas called withenvConfigas the target object:Since
extendDeepmutates its first argument in-place, this clobbersenvConfigitself — the config from the$NODE_CONFIGenvironment variable is overwritten before it can be used further.Fix
Use an empty object
{}as the merge target so neitherenvConfignorcmdLineConfigis mutated:This is consistent with the pattern used elsewhere in the codebase (e.g.
Util.extendDeep({}, ...)).Fixes #894
Signed-off-by: Sputnik-MAC [email protected]
Summary by CodeRabbit