Fix npx wrapper PATH leak from node@latest bootstrap#5341
Conversation
Omarchy 3.5.0
There was a problem hiding this comment.
Pull request overview
Pins Omarchy’s generated npx wrappers so both node and npx are executed from the same mise-managed node@latest install (avoiding PATH drift where npx could come from a different runtime).
Changes:
- Update
omarchy-npx-installto resolve thenode@latestinstall root viamise whereand executenode+npxfrom that same root. - Add a migration to regenerate existing shipped wrappers using the updated wrapper template.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| migrations/1776348723.sh | Regenerates the default set of npx wrappers to pick up the new pinned-runtime wrapper logic. |
| bin/omarchy-npx-install | Changes generated wrapper to run node and npx from the same mise where node@latest install path. |
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Pins Omarchy-generated npx wrappers so both node and npx are executed from the same mise-managed node@latest installation (avoiding drift between the selected Node runtime and whatever npx happens to be on PATH).
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Changes:
- Update
omarchy-npx-installto resolve the misenode@latestinstall root and executenode+npxfrom that install explicitly. - Add a migration to regenerate existing wrappers using the updated wrapper template.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| migrations/1776348723.sh | Adds a migration to rerun wrapper generation via install/packaging/npx.sh. |
| bin/omarchy-npx-install | Updates generated wrapper contents to invoke node/npx directly from the mise node@latest install root. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Could you share a concrete reproduction where mise exec node@latest -- npx picks up a foreign npx? My understanding is that mise exec prepends the runtime's bin directory to PATH for the duration of the child process, so npx should resolve to the same install as node. |
|
@dhh Thanks for the feedback! I dug into this more and was able to reproduce it in a mixed shell setup (direnv + Nix + mise). can fail to keep npx coupled to the selected node runtime rather than the node@latest selected by mise, leading to errors such as: A key part of the issue is that npx is a #!/usr/bin/env node script. Even when invoked via an absolute path, it can still pick up a different node from the ambient PATH, so $node_root/bin/npx alone isn’t sufficient to guarantee consistency. I tried a few alternatives (mise exec, --fresh-env, shims, direct paths), but they weren’t reliable in this setup. The fix I’m proposing now is to ensure the wrapper resolves both node and npx from the same runtime: This keeps the fix wrapper-local and ensures that npx resolves the matching node, even in mixed environments. From my perspective, this fix makes sense if the wrapper is intended to keep npx launchers independent of the shell and tied to the selected mise Node runtime. I really appreciate your perspective on this. If I’ve misunderstood the intended scope, I’m happy to close the PR. |
|
Did some rework, related to the reported issue #5451. |
There was a problem hiding this comment.
Pull request overview
This PR updates Omarchy’s generated npx wrappers so both node and npx are executed from the same mise-managed node@latest installation, and adds a migration to regenerate existing wrappers accordingly.
Changes:
- Add a migration to re-run the
npxwrapper installation script. - Update
omarchy-npx-installto generate wrappers that locatenode@latest’s install root and runnode+npxfrom that same location.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| migrations/1776348723.sh | Runs the existing install/packaging/npx.sh to regenerate wrappers with the new behavior. |
| bin/omarchy-npx-install | Generates wrappers that resolve node@latest’s install path and pin both node and npx to that runtime. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
timohubois
changed the title
timohubois
changed the title
Follow-up to #5247. That earlier fix intentionally moved Omarchy's generated npx wrappers to
mise exec node@latest -- npx ...so npm-distributed CLIs would keep working inside projects pinned to old Node versions.This PR preserves that intent: wrappers remain system-wide lazy-loaded npm launchers, and the CLI itself is still bootstrapped with Omarchy's selected
node@latestruntime.The bug fixed here is the side effect reported in #5451:
mise exec node@latestprependsnode@latest/bintoPATH, and long-running agent CLIs like Codex can pass that modifiedPATHon to workspace commands. That makes commands run inside the project resolvenode@latestinstead of the project's own Node.Changes
node@latestinstall withmise where node@latest, installing it globally on first use if needed.npxthrough the matching absolutenodebinary so the bootstrap runtime stays consistent.npx --package ... -- which ...only to resolve the package bin path.node@latestbinary without exporting or prependingnode@latest/binintoPATH.127if no npm bin can be resolved.Testing
codex --versionopencode --versionplaywright-cli --versioncodex sandbox linux node -vresolves the project Node instead ofnode@latest.node@latestruntime.