fix(coana): strip npm_package_* env in dlx fallback to avoid E2BIG #1333
Merged
The npm-install fallback inherits the parent's env and spawns `npm install` + `node`. In large monorepos the parent already has hundreds of `npm_package_*` vars populated by npm/pnpm from the root package.json — one per dependency, script, etc. Combined with CI runners' own env blocks (GitHub Actions especially) and PATH, the total can exceed Linux ARG_MAX (~128KB), causing the fallback's own child spawns to fail with E2BIG just like the dlx path did.
Strip `npm_package_*` from the env passed to both `npm install` (in `installCoanaToTmpdir`) and the Coana `node` spawn (in `spawnCoanaScriptViaNode`). Coana does not read those vars itself. Preserve `npm_config_*` (registry/proxy/cache from .npmrc) and everything else so nested `npm install` still resolves through any custom registry the user has configured.
Symptom: `npm exec @coana-tech/cli ...` exits 249 with `spawn E2BIG` in `runScriptPkg → spawnWithShell` before Coana starts; the fallback trips on exit code >= 128 (already handled) but then hits the same overflow when it spawns `npm install`. With this patch the fallback fits within ARG_MAX and completes.
Patch release including the npm_package_* env sanitization in the Coana dlx fallback (prevents spawn E2BIG in large monorepos).
Jeppe Fredsgaard Blaabjerg (jfblaa)
approved these changes
May 27, 2026
Contributor
LGTM 👍
Summary
- `spawnCoanaViaNpmInstall`) inherits the parent process's env and spawns `npm install` + `node`. In large monorepos the parent has hundreds of `npm_package_*` vars populated by npm/pnpm from the root `package.json` — one per dependency, script, etc. Combined with CI runners' own env blocks and PATH, the total can exceed Linux ARG_MAX (~128KB), so the fallback's own child spawns die with `spawn E2BIG` — the same way the dlx path did.
- `sanitizeEnvForCoanaSubprocess`, which strips `npm_package_*` from the env passed to both `npm install` and the Coana `node` spawn. Coana does not read those vars itself.
- `npm_config_*` (registry / proxy / cache settings sourced from `.npmrc`) and everything else are preserved so nested `npm install` still resolves through any custom registry the user has configured.
Why this is safe
- `npm_package_*` — the var family that actually accounts for the size blowup.
- `spawnDlx` → `npx`/`pnpm dlx`/`yarn dlx`). Those launchers repopulate `npm_package_*` from cwd themselves on every invocation, so stripping at the parent level there has no effect; instead we rely on the existing fallback (exit code ≥128 triggers `spawnCoanaViaNpmInstall`), which is now robust against the same overflow.
- `spawnCoanaDlx`; callers (`perform-reachability-analysis.mts`, `coana-fix.mts`) are unaffected.
- `npm_package_*` is stripped and `npm_config_registry` is preserved across both fallback spawns.
Symptom this addresses
`npm exec @coana-tech/cli ...` exits 249 with `spawn E2BIG` in `runScriptPkg → spawnWithShell` before Coana starts. `shouldFallbackOnDlxError` correctly trips on exit code ≥128 and routes to the npm-install fallback, but the fallback's own `spawn('npm', ['install', ...])` hits the same overflow because the env is identical. After this patch the fallback's env fits within ARG_MAX and the install + `node` invocation completes normally.
Test plan
- `npx vitest run src/utils/dlx.test.mts` — 16/16 pass (1 new test added).
- `npx tsc --noEmit` — clean.
Note
Low Risk
Narrow env sanitization on an existing fallback spawn path with a focused test; no public API changes.
Overview
Fixes Coana npm-install fallback failing with `spawn E2BIG` in large monorepos when the parent process carries hundreds of `npm_package_*` variables from npm/pnpm.
Adds `sanitizeEnvForCoanaSubprocess` in `dlx.mts`, which omits `npm_package_*` from the environment passed to fallback `npm install` and the subsequent `node` Coana spawn, while keeping `npm_config_*` (registry/proxy/cache) and other vars. The primary dlx path is unchanged; this targets the fallback path after dlx launcher failures.
Release 1.1.104 with changelog entry; new unit test asserts stripping and registry preservation.
Reviewed by Cursor Bugbot for commit 6460cdc.
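An added example, not code from this pull request or the project: a Node.js check that measures how many bytes an environment contributes to a child spawn and shows the effect of dropping `npm_package_*` while keeping `npm_config_*`. The function names, the sample environment and the registry URL are constructed for illustration, and the 128 KiB budget is the figure quoted in the description above.

```javascript
// Added example: helper names are hypothetical, not the project's dlx.mts code.
const STRIP_PREFIX = 'npm_package_'
// Budget taken from the ~128KB figure in the PR text; pass your own if needed.
const DEFAULT_BUDGET = 128 * 1024

// Bytes an env contributes to execve(): every "KEY=VALUE" string plus its
// NUL terminator. The kernel counts argv strings against the same limit.
function envBlockBytes(env) {
  let total = 0
  for (const [key, value] of Object.entries(env)) {
    if (value === undefined) continue
    total += Buffer.byteLength(`${key}=${value}`, 'utf8') + 1
  }
  return total
}

// Copy of env without npm_package_* entries; npm_config_* and all other
// variables pass through unchanged. The input object is not mutated.
function stripNpmPackageEnv(env) {
  const out = {}
  for (const [key, value] of Object.entries(env)) {
    if (value === undefined || key.startsWith(STRIP_PREFIX)) continue
    out[key] = value
  }
  return out
}

// Compare the env before and after stripping against a byte budget.
function checkSpawnEnv(env, budget = DEFAULT_BUDGET) {
  const before = envBlockBytes(env)
  const after = envBlockBytes(stripNpmPackageEnv(env))
  const removed = Object.keys(env).filter((k) => k.startsWith(STRIP_PREFIX)).length
  return { before, after, removed, fitsBefore: before < budget, fitsAfter: after < budget }
}

// Constructed sample: parent env of a large monorepo (values are made up).
function buildSampleEnv(depCount) {
  const env = {
    PATH: '/usr/local/bin:/usr/bin:/bin',
    HOME: '/home/runner',
    npm_config_registry: 'https://registry.example.test/',
  }
  for (let i = 0; i < depCount; i++) {
    env[`npm_package_dependencies_pkg_${i}`] = `npm:@example/pkg-${i}@^1.${i}.0`
  }
  return env
}

console.log(checkSpawnEnv(buildSampleEnv(3000)))
```

Calling `checkSpawnEnv(process.env)` inside a CI job gives the same before/after figures for the real environment a fallback spawn would inherit.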