[BUG] npm version commits with incorrect author name and email

[denis-sokolov]

Current Behavior:

npm version creates a git commit that has faulty author and committer name and email, if I rely on GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL variables.

Expected Behavior:

npm version creates a git commit that follows the same rules as git does and respects GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL variables.

Steps To Reproduce:

1. export GIT_AUTHOR_NAME=John
2. npm version major
3. git show

Expected: see John as the author name.
Actual: see whatever is set in your ~/.gitconfig.

Environment:

• OS: macOS Big Sur 11.2.3
• Node: 14.14.0
• npm: 7.5.0

On same OS and Node, but with npm 6.14.9 this works correctly, so this issue seems to be a regression.

Possibly related issues, although they were about old npm versions: npm/npm#14708, npm/npm#17306, npm/npm#8277.

[denis-sokolov]

The cause seems to be this strict decision to not pass through all environment variables, but explicitly whitelist the allowed ones. I can’t understand the reasoning behind the code, so it’s difficult to suggest a fix:

https://github.com/npm/git/blob/a34a6f221fd898c659ebf7e374f76e0b36f9ee37/lib/env.js#L26

[darcyclarke]

@wraithgar any chance you can take a look at this as you were just in npm version the last few days making it workspace-aware?

[wraithgar]

After some internal discussion we have decided that if a user has set any of the GIT_ environment variables they meant do do it, and they should not be filtered out. The PR in npm/git will add the two entries we do care about (askpass and ssh) but only if they were not already set by the end user. The rest of the environment will pass through unaltered, as I would assume is expected by most end users.

[wraithgar]

@npmcli/[email protected] is in release-next on the cli and unless some show stopper is found there will go out w/ the next cli release.