Configuring core.hooksPath is not permitted without enabling allowUnsafeHooksPath

[t3chguy]

How are you running Renovate?

A Mend.io-hosted app

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

43.116.1

Please tell us more about your question or problem

Renovate fails to run, retry changes nothing.

Last successful run was using 43.110.2

Looks like #42588 may have ingested changes to the simple-git handling of core.hooksPath

Logs (if relevant)

https://developer.mend.io/github/element-hq/element-web/-/job/7458d9b8-04ce-479a-8059-933fd1afc3e3

Logs

INFO: Renovate is exiting with a non-zero code due to the following logged errors
{
  "loggerErrors": [
    {
      "name": "renovate",
      "level": 50,
      "logContext": "9812e719-3487-4f79-8895-570d0c854707",
      "repository": "element-hq/element-web",
      "err": {
        "task": {
          "commands": [
            "config",
            "core.hooksPath",
            "/dev/null"
          ],
          "format": "utf-8",
          "parser": "[function]"
        },
        "plugin": "unsafe",
        "message": "Configuring core.hooksPath is not permitted without enabling allowUnsafeHooksPath",
        "stack": "Error: Configuring core.hooksPath is not permitted without enabling allowUnsafeHooksPath\n    at Object.action (file:///usr/local/renovate/node_modules/.pnpm/simple-git@3.35.2/node_modules/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts:17:22)\n    at PluginStore.exec (file:///usr/local/renovate/node_modules/.pnpm/simple-git@3.35.2/node_modules/simple-git/src/lib/plugins/plugin-store.ts:54:29)\n    at GitExecutorChain.attemptRemoteTask (file:///usr/local/renovate/node_modules/.pnpm/simple-git@3.35.2/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:84:34)\n    at GitExecutorChain.attemptTask (file:///usr/local/renovate/node_modules/.pnpm/simple-git@3.35.2/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:63:20)\n    at processTicksAndRejections (node:internal/process/task_queues:104:5)"
      },
      "msg": "Repository has unknown error"
    }
  ]
}

[stefreak]

We also run into this. Is this a renovate bug or something we need to take action on?

[stevejkang]

Experiencing the same issue.

1. build(deps): update dependency simple-git to v3.35.2 (main) #42588 upgraded simple-git from 3.33.0 to 3.35.2
2. simple-git v3.34.0 https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md#3340) expanded its argument scanner to detect git config subcommand writes — previously it only caught inline -c flags
3. core.hooksPath is explicitly in the blocklist (https://github.com/steveukx/git-js/blob/main/packages/argv-parser/src/vulnerabilities/detect-vulnerable-config-writes.ts)
4. The RENOVATE_X_CLEAR_HOOKS code path in syncGit() (https://github.com/renovatebot/renovate/blob/main/lib/util/git/index.ts) calls git.raw(['config', 'core.hooksPath', '/dev/null']), which now gets blocked

Probably just needs unsafe: { allowUnsafeHooksPath: true } in simpleGitConfig() (https://github.com/renovatebot/renovate/blob/main/lib/util/git/config.ts)?

[jamietanna]

Yep - #42630 fixes it

[jamietanna]

Thanks for reporting! I'd triggered a release of the CLI version across the Dev Platform about an hour ago, which is why this has suddenly popped up

I'm rolling the change back now

[t3chguy]

Thanks, can confirm the rollback fixed it.

[jamietanna]

Some repos may have been marked as in an error state that means they're scheduled less frequently (https://docs.renovatebot.com/mend-hosted/job-scheduling/)

Tomorrow morning we'll trigger a run against those repos to make sure they're processed

In the meantime, manually triggering a job against your repo will do the same thing, albeit slightly more manually!

[raz-drift]

Hit the same issue on our repo — last successful run was 43.110.2, started failing on 43.116.1. We also opened #42632 before finding this discussion. Confirmed working again after the rollback. Thanks for the fast turnaround @jamietanna!