Merged
2 changes: 2 additions & 0 deletions .envrc
@@ -1,2 +1,4 @@
source_up_if_exists
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "direnv version:"
direnv version

echo
echo "Does stdlib expose source_up_if_exists and source_env_if_exists?"
direnv stdlib | rg -n '^\s*(source_up_if_exists|source_env_if_exists)\s*\('

echo
echo "Current repo root:"
pwd
echo "Candidate direct parent file:"
ls -la ../.envrc || true

Repository: nanotaboada/ts-node-samples-express-restful

Length of output: 166


🌐 Web query:

direnv source_up_if_exists function documentation behavior

💡 Result:

The source_up_if_exists function is part of direnv's standard library (stdlib), sourced via direnv stdlib in a .envrc file.

Usage: source_up_if_exists []

Behavior: Searches upward from the parent directory (using find_up) for the specified filename (defaults to .envrc). If found, loads (sources) that .envrc file using source_env. If not found, silently does nothing and returns 0 (success). Unlike source_up, it does not log an error or return 1 on failure.

Important note: The sourced .envrc bypasses direnv's security framework (no direnv allow required). It relies on a helper _source_up that calls find_up after cd .., so it starts searching from the parent directory, not the current one.

Example in .envrc:
direnv stdlib
source_up_if_exists .envrc.private


🏁 Script executed:

# Examine the actual .envrc file in the repository
cat -n .envrc

Repository: nanotaboada/ts-node-samples-express-restful

Length of output: 227


🏁 Script executed:

# Check repository structure and parent directories
git ls-files | grep -i envrc

Repository: nanotaboada/ts-node-samples-express-restful

Length of output: 93


🏁 Script executed:

# Check if there's a parent .envrc that should be sourced
find .. -maxdepth 2 -name ".envrc" 2>/dev/null | head -20

Repository: nanotaboada/ts-node-samples-express-restful

Length of output: 100


🌐 Web query:

direnv stdlib source_env_if_exists function

💡 Result:

The source_env_if_exists function is part of direnv's standard library (stdlib.sh), available in .envrc files after sourcing direnv stdlib.

Usage: source_env_if_exists

It loads another .envrc file only if the specified file exists. Unlike source_env, it requires a direct path to a file (not a directory). It first calls watch_file "$1" to monitor the file for changes, then checks if [[ -f "$1" ]]; then source_env "$1"; fi.

Example from docs: source_env_if_exists .envrc.private

Note: The loaded .envrc bypasses direnv's security framework (no allow prompt). This is confirmed in the official source code and man pages.


🌐 Web query:

direnv how to source parent .envrc directly explicitly

💡 Result:

To source a parent .envrc directly and explicitly in direnv, use the stdlib functions in your current directory's .envrc file.

For the immediate parent directory's .envrc, use:
source_env ../.envrc

For the nearest ancestor .envrc (searches up the directory tree):
source_up
or, if optional:
source_up_if_exists

Note: These bypass direnv's security checks for the sourced file (the parent must already be allowed). After adding to your .envrc, run direnv allow . in the current directory. These functions are part of direnv's standard library, automatically available in .envrc files.


Scope ancestor sourcing to the direct parent to avoid unintended code execution.

At Line 1, source_up_if_exists searches the entire ancestor directory tree, not just the immediate parent. This widens the trust scope and can load unintended .envrc files from grandparents or higher ancestors, causing inconsistent environment loading across machines/agents. If the intent is strictly parent inheritance (to load GH_TOKEN), use explicit parent sourcing instead.

Proposed change
-source_up_if_exists
+source_env_if_exists ../.envrc
πŸ“ Committable suggestion


Suggested change
source_up_if_exists
source_env_if_exists ../.envrc
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.envrc at line 1, The current use of source_up_if_exists in .envrc searches
all ancestor directories which can load unintended environment files; replace it
with an explicit parent-only check and sourcing: detect whether the immediate
parent has a .envrc (../.envrc) and only source that file if present, instead of
calling source_up_if_exists, so the trust scope is limited to the direct parent.


export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && source "$NVM_DIR/nvm.sh" && nvm use
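Review bot: the source_up_if_exists added at line 1 sources whichever .envrc it finds first walking up from the parent directory, and that file is not subject to direnv's allow check (the analysis above notes this for both source_up_if_exists and source_env_if_exists), so a writable .envrc anywhere above this checkout on a contributor's machine runs on every cd into the repo; if the goal is only to inherit GH_TOKEN from the direct parent, source_env_if_exists ../.envrc limits the scope to that one known file. Separately, the bare nvm use on the last line depends on an .nvmrc in the repo root that this diff does not add; being last in the && chain it will not block the environment load, but it will report an error on every load if that file is missing.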
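To make the trust-scope difference discussed in the review concrete, the following is an added example, not code from this PR or from direnv: it emulates only the file lookup behind source_up_if_exists (find_up starting at the parent directory, as the analysis above describes) and behind source_env_if_exists ../.envrc (the direct parent only), runs both against a constructed temporary tree, and reports which file each would load. The STOP directory that bounds the upward walk is an assumption added here for determinism; real direnv walks up to /. The function names and the placeholder GH_TOKEN value are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from direnv itself: emulates the lookup
# behind direnv's source_up_if_exists (find_up starting at the parent directory)
# and source_env_if_exists ../.envrc (the direct parent only), so the difference
# in trust scope can be seen on a constructed directory tree. The STOP directory
# that bounds the upward walk is an assumption for determinism; real direnv
# walks up to /.
set -euo pipefail

# find_up_envrc DIR NAME STOP: print the first NAME found walking upward from
# DIR's parent (direnv's _source_up does `cd ..` before find_up), stopping at
# STOP or / without a match. Like source_up_if_exists, no match is not an error.
find_up_envrc() {
  local dir name stop
  dir=$(cd "$1/.." && pwd -P)
  name=$2
  stop=$(cd "$3" && pwd -P)
  while :; do
    if [ -f "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
    if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
      return 0
    fi
    dir=$(dirname "$dir")
  done
}

# parent_envrc DIR: print DIR/../.envrc only if it exists, which is all that
# source_env_if_exists ../.envrc would ever consider.
parent_envrc() {
  local f
  f=$(cd "$1/.." && pwd -P)/.envrc
  if [ -f "$f" ]; then
    printf '%s\n' "$f"
  fi
  return 0
}

# make_tree: build a constructed tree ROOT/grand/parent/repo where only the
# grandparent carries an .envrc (a stand-in for a machine-level file that
# exports a token). Prints ROOT so callers can inspect and clean it up.
make_tree() {
  local root
  root=$(cd "$(mktemp -d)" && pwd -P)
  mkdir -p "$root/grand/parent/repo"
  printf 'export GH_TOKEN=constructed-placeholder\n' > "$root/grand/.envrc"
  printf '%s\n' "$root"
}

# demo: show what each lookup resolves to before and after the direct parent
# gets its own .envrc. With only the grandparent file present, the ancestor
# walk loads it while the parent-only lookup loads nothing.
demo() {
  local root repo
  root=$(make_tree)
  repo=$root/grand/parent/repo
  echo "source_up_if_exists would load:            '$(find_up_envrc "$repo" .envrc "$root")'"
  echo "source_env_if_exists ../.envrc would load: '$(parent_envrc "$repo")'"
  printf 'export GH_TOKEN=parent-placeholder\n' > "$root/grand/parent/.envrc"
  echo "after adding parent/.envrc, source_up_if_exists:  '$(find_up_envrc "$repo" .envrc "$root")'"
  echo "after adding parent/.envrc, source_env_if_exists: '$(parent_envrc "$repo")'"
  rm -rf "$root"
}

demo
```

The point the first two lines of output make is the one the review raises: with no .envrc in the direct parent, the ancestor walk still finds and would source the grandparent's file, and neither direnv function subjects that file to direnv allow, so the parent-only form is the one whose behaviour stays the same across machines.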