fix(runtime): stabilize dist runtime artifacts (#53855)

* fix(build): stabilize lazy runtime entry paths * fix(runtime): harden bundled plugin npm staging * docs(changelog): note runtime artifact fixes * fix(runtime): stop trusting npm_execpath * fix(runtime): harden Windows npm staging * fix(runtime): add safe Windows npm fallback
2026-03-27 09:21:35 +07:00 · 2026-03-24 11:37:39 -07:00
parent 0cdd4db6e9
commit e4ce1d9a0e
5 changed files with 192 additions and 23 deletions
--- a/test/scripts/stage-bundled-plugin-runtime-deps.test.ts
+++ b/test/scripts/stage-bundled-plugin-runtime-deps.test.ts
@@ -12,6 +12,7 @@ describe("resolveNpmRunner", () => {

    const runner = resolveNpmRunner({
      execPath,
+      env: {},
      existsSync: (candidate: string) => candidate === expectedNpmCliPath,
      platform: "darwin",
    });
@@ -23,10 +24,74 @@ describe("resolveNpmRunner", () => {
    });
  });

-  it("falls back to bare npm when npm-cli.js is unavailable", () => {
+  it("anchors Windows npm staging to the adjacent npm-cli.js without a shell", () => {
+    const execPath = "C:\\nodejs\\node.exe";
+    const expectedNpmCliPath = path.win32.resolve(
+      path.win32.dirname(execPath),
+      "node_modules/npm/bin/npm-cli.js",
+    );
+
+    const runner = resolveNpmRunner({
+      execPath,
+      env: {},
+      existsSync: (candidate: string) => candidate === expectedNpmCliPath,
+      platform: "win32",
+    });
+
+    expect(runner).toEqual({
+      command: execPath,
+      args: [expectedNpmCliPath],
+      shell: false,
+    });
+  });
+
+  it("uses an adjacent npm.exe on Windows without a shell", () => {
+    const execPath = "C:\\nodejs\\node.exe";
+    const expectedNpmExePath = path.win32.resolve(path.win32.dirname(execPath), "npm.exe");
+
+    const runner = resolveNpmRunner({
+      execPath,
+      env: {},
+      existsSync: (candidate: string) => candidate === expectedNpmExePath,
+      npmArgs: ["install", "--silent"],
+      platform: "win32",
+    });
+
+    expect(runner).toEqual({
+      command: expectedNpmExePath,
+      args: ["install", "--silent"],
+      shell: false,
+    });
+  });
+
+  it("wraps an adjacent npm.cmd via cmd.exe without enabling shell mode", () => {
+    const execPath = "C:\\nodejs\\node.exe";
+    const npmCmdPath = path.win32.resolve(path.win32.dirname(execPath), "npm.cmd");
+
+    const runner = resolveNpmRunner({
+      comSpec: "C:\\Windows\\System32\\cmd.exe",
+      execPath,
+      env: {},
+      existsSync: (candidate: string) => candidate === npmCmdPath,
+      npmArgs: ["install", "--omit=dev"],
+      platform: "win32",
+    });
+
+    expect(runner).toEqual({
+      command: "C:\\Windows\\System32\\cmd.exe",
+      args: ["/d", "/s", "/c", `${npmCmdPath} install --omit=dev`],
+      shell: false,
+      windowsVerbatimArguments: true,
+    });
+  });
+
+  it("prefixes PATH with the active node dir when falling back to bare npm", () => {
    expect(
      resolveNpmRunner({
        execPath: "/tmp/node",
+        env: {
+          PATH: "/usr/bin:/bin",
+        },
        existsSync: () => false,
        platform: "linux",
      }),
@@ -34,20 +99,22 @@ describe("resolveNpmRunner", () => {
      command: "npm",
      args: [],
      shell: false,
+      env: {
+        PATH: `/tmp${path.delimiter}/usr/bin:/bin`,
+      },
    });
  });

-  it("keeps shell mode for bare npm fallback on Windows", () => {
-    expect(
+  it("fails closed on Windows when no toolchain-local npm CLI exists", () => {
+    expect(() =>
      resolveNpmRunner({
        execPath: "C:\\node\\node.exe",
+        env: {
+          Path: "C:\\Windows\\System32",
+        },
        existsSync: () => false,
        platform: "win32",
      }),
-    ).toEqual({
-      command: "npm",
-      args: [],
-      shell: true,
-    });
+    ).toThrow("OpenClaw refuses to shell out to bare npm on Windows");
  });
 });