codeant-ai-for-open-source[bot] commented on code in PR #40557:
URL: https://github.com/apache/superset/pull/40557#discussion_r3329260548
##########
scripts/uv-pip-compile.sh:
##########
@@ -31,7 +31,7 @@ if [ -z "$RUNNING_IN_DOCKER" ]; then
-w /app \
-e RUNNING_IN_DOCKER=1 \
python:${PYTHON_VERSION}-slim \
- bash -c "pip install uv && ./scripts/uv-pip-compile.sh $*"
+ bash -c "pip install uv==0.11.17 && ./scripts/uv-pip-compile.sh $*"
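Review bot: the pin does not address the riskier part of this line: `$*` is still interpolated into the double-quoted `bash -c "..."` string, so the inner bash re-parses the caller's arguments as source text, splitting on whitespace and interpreting quotes, globs and `$VAR` references. Pass them as positional parameters instead, e.g. `bash -c 'pip install uv==0.11.17 && ./scripts/uv-pip-compile.sh "$@"' -- "$@"`, which keeps argument boundaries intact and needs no escaping. Minor: `uv==0.11.17` fixes the version but still trusts whatever the index serves for that version; if reproducible compiles are the goal, a hash-verified install or a note on why a bare pin is acceptable here would round this out.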
Review Comment:
Thanks — I think the flagged issue is **valid**.
The current Docker re-invocation:
```bash
bash -c "pip install uv==0.11.17 && ./scripts/uv-pip-compile.sh $*"
```
does re-parse user input through a second shell, so arguments can lose
quoting and shell metacharacters may be interpreted.
### Minimal fix
Pass the original args as positional parameters to `bash -c` instead of
interpolating `$*` into the command string:
```bash
docker run --rm \
  -v "$(pwd)":/app \
  -w /app \
  -e RUNNING_IN_DOCKER=1 \
  python:${PYTHON_VERSION}-slim \
  bash -c 'pip install uv==0.11.17 && ./scripts/uv-pip-compile.sh "$@"' -- "$@"
```
This preserves argument boundaries and avoids shell re-parsing.
### On the PR itself
The `uv==0.11.17` pin is fine, but I wouldn’t stamp this until the
argument-forwarding issue is fixed as well, since the script is used for
developer/CI flows and the shell handling is the riskier part here.
If you want, I can also review the rest of the comments in this PR and help
trim any other minimal fixes.
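The quoting difference the review describes, shown as an added example that is not part of the PR or of the bot's comment: two POSIX sh functions hand their arguments to a nested `sh -c`, one by interpolating `$*` into the command string and one by passing `"$@"` as positional parameters. The function names, the `X` variable and the sample arguments are constructed for the demonstration; nothing here is from apache/superset.

```bash
#!/bin/sh
# Added example, not code from apache/superset: contrast the two ways of
# handing a script's arguments to a nested shell. The inner command sets
# X=expanded and then prints each argument it received, one per line.

# Flagged pattern: "$*" is substituted by the OUTER shell into the command
# string, so the INNER shell re-parses the result as source text. Word
# boundaries, quotes, globs and $VAR references that were merely data in
# the caller's arguments are all interpreted again.
forward_interpolated() {
    sh -c "X=expanded; printf '%s\n' $*"
}

# Reviewed fix: the command string is a fixed single-quoted literal and the
# caller's arguments travel as positional parameters of the inner shell.
# The word after the string becomes $0 (a literal "--" here), the rest
# become $1..$n, and "$@" inside reproduces them with boundaries intact.
forward_positional() {
    sh -c 'X=expanded; printf "%s\n" "$@"' -- "$@"
}

# Demo: the same two arguments, 'a b' and '$X', arrive as two literal words
# via "$@" but come out as three re-expanded words via $*.
echo '== interpolated ($*) =='
forward_interpolated 'a b' '$X'
echo '== positional ("$@") =='
forward_positional 'a b' '$X'
```

Run it with `sh` and compare the two sections: the interpolated form splits `a b` into two lines and replaces `$X` with `expanded`, while the positional form prints `a b` and the literal `$X`. The same mechanism is why `./scripts/uv-pip-compile.sh "$@"` inside a single-quoted `bash -c` string is the safe shape for the Docker re-invocation.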
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]