[BUG] npm run env echo stopped working after 8.13

[viters]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

On npm 8.12.1 I was running npm -s run env echo '$npm_package_version' to get current package.json version. It does not work anymore. There are no traces of changes regarding that in https://github.com/npm/cli/blob/v8.19.2/CHANGELOG.md

Expected Behavior

Steps To Reproduce

No response

Environment

• npm: 8.13.2 and beyond
• Node.js: 18.8.0
• OS Name: MacOS / Linux

[wraithgar]

Looks like #5064 started quoting/escaping environment variable params too aggressively.

If I run npm run env echo \$PATH then sh gets the following args [ '-c', '--', "env echo Hello '$PATH'" ]

[nlf]

this is behaving as intended.

when an argument is passed to a run-script the goal is to ensure that end script sees the exact input the user provided, and does not unexpectedly execute code. unfortunately what you were doing was taking advantage of the lack of escaping we had in the past, so now that the arguments are actually being escaped it no longer works. we do not intend to revert this behavior.

as a workaround, you have a few options though.

1. npm run env | grep '^npm_package_version' | cut -d= -f2 - kind of long, involves three chained commands. you could probably use awk or sed instead of grep and cut to make it a bit shorter.
2. npm exec -c 'echo $npm_package_version' this one runs a shell in your project with the environment variables defined, and the string passed to -c is executed. this one works because npm exec explicitly runs a shell and runs your command in it. this is what i would suggest as it's most similar to what you're doing currently.
3. we'd have to go through our rfc process but potentially we could add an intentional feature that makes the npm run env builtin a bit smarter, or even make it a dedicated command. this could potentially allow you to do things like npm env npm_package_version. i think this idea is worth discussing, especially seeing as it can be done without having to spawn an extra shell like npm run and npm exec do

[viters]

@nlf
Thanks for your comment and the solutions. I like the idea about (3), I will try to post RRFC for that.
I see also another solution, npm/rfcs#634

[moos]

This has broken our build -- it seems other package content like npm_package_dependencies_foo are no longer exposed. We used this to pick up values from package.json for use in dotenv config. Is there a recommended workaround?