@n8n-as-code/n8nac 2026.3.1-next.14 → 2026.3.2-next.3
- package/package.json +1 -1
- package/src/child-env.ts +34 -0
- package/src/cli.ts +2 -0
- package/src/tool.ts +2 -0
package/package.json
CHANGED
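--- a/package/src/child-env.ts
+++ b/package/src/child-env.ts
@@ -0,0 +1,34 @@
+/**
+* Build a minimal environment for child processes.
+* Only passes the vars needed for npx/node to operate, deliberately excluding
+* any sensitive credentials that the parent (agent host) may hold in its env
+* (e.g. LLM API keys), preventing accidental credential forwarding.
+*/
+export function getChildEnv(): NodeJS.ProcessEnv {
+const env: NodeJS.ProcessEnv = {};
+
+// Matches var names that look like credentials anywhere in the name — these are never forwarded
+// even if they match another allowlist prefix (e.g. NODE_AUTH_TOKEN, npm_config_*:_authToken,
+// npm_config_authority is intentionally over-blocked since we prefer false-positives to leaks).
+const secretPattern = /(?:auth|token|password|secret|apikey|api_key|_key)/i;
+
+for (const key of Object.keys(process.env)) {
+const upperKey = key.toUpperCase();
+if (
+// Basic system vars needed by node/npx (case-insensitive, including Windows-specific ones)
+/^(PATH|HOME|USERPROFILE|HOMEDRIVE|HOMEPATH|TMPDIR|TMP|TEMP|LANG|LC_ALL|SHELL|TERM|TERM_PROGRAM|NODE_PATH|NODE_OPTIONS|SYSTEMROOT|COMSPEC|PATHEXT)$/.test(
+upperKey,
+) ||
+// npm execution/config vars required by npx — but NOT auth/token vars
+// (e.g. excludes npm_config_//registry.npmjs.org/:_authToken)
+(key.startsWith("npm_") && !secretPattern.test(key)) ||
+// Specific safe NODE_* vars (deliberately NOT a prefix match to exclude NODE_AUTH_TOKEN)
+/^NODE_(ENV|NO_WARNINGS|ICU_DATA)$/.test(upperKey) ||
+// n8n-as-code specific vars
+key.startsWith("N8N_AS_CODE_")
+) {
+env[key] = process.env[key];
+}
+}
+return env;
+}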
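Review bot: The comment on new lines 10–12 says credential-looking names are never forwarded even when another allowlist rule matches, but `secretPattern` is only consulted in the `npm_` branch, so anything under the `N8N_AS_CODE_` prefix is passed through whatever its name (a constructed example: `N8N_AS_CODE_API_KEY`). If that is intended because the child needs its own n8n credentials, the comment should say so; otherwise test the pattern once before the allowlist, `if (secretPattern.test(key)) continue;`. The filter also looks at names only, so an `npm_config_*` value such as a registry or proxy URL with embedded userinfo would still reach the child. `NODE_OPTIONS` is allowlisted too and deserves a comment, since it lets the parent environment add flags to every Node child.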
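--- a/package/src/cli.ts
+++ b/package/src/cli.ts
@@ -3,6 +3,7 @@ import { spawn } from "node:child_process";
 import type { ChildProcess, ChildProcessWithoutNullStreams } from "node:child_process";
 import * as p from "@clack/prompts";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { getChildEnv } from "./child-env.js";
 import { isWorkspaceInitialized } from "./workspace.js";
 
 type CliProgram = Parameters<Parameters<OpenClawPluginApi["registerCli"]>[0]>[0]["program"];
@@ -31,6 +32,7 @@ function runN8nac(
 return new Promise((resolve) => {
 const baseOptions = {
 cwd: opts.cwd,
+env: getChildEnv(),
 };
 
 const child: ChildProcess | ChildProcessWithoutNullStreams =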
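Review bot: Nothing at the new `env: getChildEnv(),` line in `baseOptions` records why the environment is restricted, and the protection depends on every spawn site remembering it, because spawn options without `env` inherit the whole parent environment. Add a comment on that line, e.g. `// Restricted env: do not inherit the host's credentials (see getChildEnv)`. The same applies to the `runNpx` hunk in package/src/tool.ts. runN8nac's spawn call lies outside the hunk, so whether other options are merged into `baseOptions` before the child starts cannot be checked here.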
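--- a/package/src/tool.ts
+++ b/package/src/tool.ts
@@ -1,5 +1,6 @@
 import { spawn } from "node:child_process";
 import { Type } from "@sinclair/typebox";
+import { getChildEnv } from "./child-env.js";
 import { isWorkspaceInitialized } from "./workspace.js";
 
 // ---------------------------------------------------------------------------
@@ -106,6 +107,7 @@ function runNpx(
 const child = spawn("npx", ["--yes", "n8nac", ...args], {
 cwd,
 stdio: "pipe",
+env: getChildEnv(),
 });
 
 let stdout = "";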
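Review bot: The context line `spawn("npx", ["--yes", "n8nac", ...args], {` still resolves `n8nac` without a version, and `--yes` suppresses the install prompt, so the reduced environment limits what a fetched package can read but not which package version runs. Consider pinning the spec, e.g. `["--yes", "n8nac@<PINNED_VERSION>", ...args]` (placeholder value), or resolving the binary from the plugin's own dependencies. Whether a local install normally satisfies the lookup is not visible here, and runNpx's body continues outside the hunk.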