
pnpm handler ignores InstallCommandArgs #626

@lukasbach

Description

Describe the bug

The pnpm BOM generator ignores custom InstallCommandArgs and always runs pnpm install --ignore-scripts, unlike npm, yarn, and python handlers which respect user-provided install arguments.

Maybe I also misunderstood the internal behavior of frogbot, but this seems to be the behavior based on my experiments and my understanding of the code.

Current behavior

installProjectIfNeeded() in https://github.com/jfrog/jfrog-cli-security/blob/main/sca/bom/buildinfo/technologies/pnpm/pnpm.go#L123 hardcodes the install command:

output, err := getPnpmCmd(pnpmExecPath, dirForDependenciesCalculation, "install", npm.IgnoreScriptsFlag).GetCmd().CombinedOutput()

This will always call pnpm install --ignore-scripts.

Other handlers, like the ones for yarn and python, respect custom arguments:

yarn:

func runYarnInstallAccordingToVersion(curWd, yarnExecPath string, installCommandArgs []string) (err error) {
    installCommandProvidedFromUser := len(installCommandArgs) != 0

    if installCommandProvidedFromUser {
        return build.RunYarnCommand(yarnExecPath, curWd, installCommandArgs...)
    }
    
    // default install command only if no custom args provided
    installCommandArgs = []string{"install"}
    // ...
}

python:

func getPipInstallArgs(requirementsFile, remoteUrl, cacheFolder, reportFileName string, customArgs ...string) []string {
    args := []string{"-m", "pip", "install"}
    // ... base args ...
    args = append(args, parseCustomArgs(remoteUrl, cacheFolder, reportFileName, customArgs...)...)
    return args
}

Reproduction steps

Configure a custom installCommand in the frogbot config file that points to a custom script; this script will not be run.

Expected behavior

When InstallCommandArgs is provided (e.g., via frogbot's installCommand: "pnpm custom-script"), pnpm should execute the custom command like other technology handlers do. My use case is that I want to run a custom script before installing dependencies, something like running pnpm run custom-script where custom-script does some preparation and then installs dependencies.

JFrog CLI-Security version

1.24.2

JFrog CLI version (if applicable)

No response

Operating system type and version

Ubuntu 24.04.3

JFrog Xray version

3.131.22
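The yarn-style fallback the issue asks for, written out as an added example in Go (this is not code from jfrog-cli-security or frogbot): user-supplied installCommandArgs are used verbatim, the default stays pnpm install --ignore-scripts, and a check reports whether the chosen command can run package lifecycle scripts, because dropping --ignore-scripts lets preinstall/postinstall hooks from the scanned project execute during BOM generation. The splitInstallCommand helper is hypothetical (how frogbot really tokenises installCommand may differ), and the value "--ignore-scripts" for npm.IgnoreScriptsFlag is an assumption taken from the behaviour the issue describes.

```go
package main

import (
	"fmt"
	"strings"
)

// ignoreScriptsFlag stands in for npm.IgnoreScriptsFlag from jfrog-cli-security.
// Assumption: that constant holds "--ignore-scripts", the flag the issue
// reports being hardcoded in the pnpm handler.
const ignoreScriptsFlag = "--ignore-scripts"

// splitInstallCommand turns a frogbot-style installCommand string such as
// "pnpm run custom-script" into the executable and its arguments.
// Hypothetical helper: splitting on whitespace is an assumption about how the
// configured command is tokenised; the real parser may behave differently.
func splitInstallCommand(installCommand string) (tool string, args []string) {
	fields := strings.Fields(installCommand)
	if len(fields) == 0 {
		return "", nil
	}
	return fields[0], fields[1:]
}

// pnpmInstallArgs builds the argument vector handed to the pnpm executable.
// It mirrors the yarn handler quoted in the issue: user-supplied
// installCommandArgs are used verbatim, and only when none are given does the
// handler fall back to the hardened default "install --ignore-scripts".
func pnpmInstallArgs(installCommandArgs []string) []string {
	if len(installCommandArgs) != 0 {
		// Copy so the caller's slice is never aliased or mutated.
		return append([]string(nil), installCommandArgs...)
	}
	return []string{"install", ignoreScriptsFlag}
}

// runsLifecycleScripts reports whether the resulting command could execute
// package lifecycle scripts (preinstall, postinstall, ...). A custom command
// that omits --ignore-scripts re-enables them, so BOM generation on an
// untrusted repository would run third-party code.
func runsLifecycleScripts(args []string) bool {
	for _, a := range args {
		if a == ignoreScriptsFlag {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs: no config, the custom command from the issue, and a
	// custom command that keeps the hardening flag.
	for _, cfg := range []string{
		"",
		"pnpm custom-script",
		"pnpm install --frozen-lockfile --ignore-scripts",
	} {
		_, userArgs := splitInstallCommand(cfg)
		args := pnpmInstallArgs(userArgs)
		fmt.Printf("config %q -> pnpm %s (lifecycle scripts enabled: %v)\n",
			cfg, strings.Join(args, " "), runsLifecycleScripts(args))
	}
}
```

The lifecycle-script check is the caveat worth keeping if the handler is changed: the hardcoded flag is what stops BOM generation from executing arbitrary code out of a scanned repository, so a custom command that omits it should at least be logged so the operator knows the protection was traded away deliberately.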
