
[rush] Missing documentation of INSTALL_RUN_LOCKFILE_PATH environment variable

Open · gabriel-bezerra opened this issue 4 months ago · 1 comment

Summary

While handling https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised in our project, we found out that `node common/scripts/install-run-rush.js` installed malicious versions of the affected dependencies.

We mitigated it by setting the undocumented environment variable INSTALL_RUN_RUSH_LOCKFILE_PATH from https://github.com/microsoft/rushstack/pull/3671. Thank you for providing this option 👍 .

We couldn't find any documentation about this in https://rushstack.io/ nor in this GitHub organization. We think it would be valuable to have that documented to avoid similar issues in future.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

| Question | Answer |
| --- | --- |
| @microsoft/rush globally installed version? | 5.158.1 |
| rushVersion from rush.json? | 5.158.1 |
| useWorkspaces from rush.json? | true |
| Operating system? | Linux |
| Would you consider contributing a PR? | Yes |
| Node.js version (node -v)? | 22.19.0 |

gabriel-bezerra · Sep 15 '25 14:09

Yup, looks like it's missing from https://rushjs.io/pages/configs/environment_vars/#docusaurus_skipToContent_fallback. Probably along with a few other newer env vars.

Care to make a contribution? (https://github.com/microsoft/rushstack-websites/blob/main/websites/rushjs.io/docs/pages/configs/environment_vars.md)

iclanton · Oct 06 '25 18:10