ENV vars in `pkgx.yaml` present a pretty serious security risk, potentially allowing scripts to be run if you clone a repo with a malicious `pkgx.yaml`. Notice what happens to my `important-file.txt` 😟 :
Systems like direnv get around this by making you `direnv allow` in directories before it sources your `.envrc` file (also when it's changed). In theory, pkgx could avoid having to `allow` each directory since it's not sourcing the file like direnv does. However, precautions need to be taken to not evaluate scripts inside of ENV vars.
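The mitigation the report asks for, "do not evaluate scripts inside of ENV vars", can be shown in code. The block below is an added example and is not pkgx's own implementation; the `pkgx.yaml` contents, the `loadEnv` and `expandValue` functions and the base environment are all constructed for illustration. It treats every declared value as data: plain `$NAME` / `${NAME}` references to variables that are already known are substituted, while anything that a shell would turn into a command (`$( )`, backticks, parameter-expansion forms other than a bare name) is refused and reported instead of run.

```typescript
// Added example (not pkgx's code): safe expansion of `env:` values from a
// cloned repo's pkgx.yaml without ever handing them to a shell.

type Env = Record<string, string>;

// Constructed base environment standing in for the user's real process env.
const BASE_ENV: Env = { HOME: "/home/alice", PATH: "/usr/bin" };

// Constructed sample of what a cloned repo's pkgx.yaml `env:` block might carry.
// The GREETING, NOTE and DEFAULTED entries model the hostile / unsupported cases.
const SAMPLE_ENV: Env = {
  PROJECT_BIN: "${HOME}/.local/bin",
  PATH: "$PROJECT_BIN:$PATH",
  PRICE_LABEL: "costs $5",                    // lone `$` stays literal
  GREETING: "$(rm -f important-file.txt)",    // would run if the file were sourced
  NOTE: "see `git log`",                      // backtick substitution, refused
  DEFAULTED: "${HOME:-/tmp}",                 // not a bare name, refused
};

const NAME_AT_START = /^[A-Za-z_][A-Za-z0-9_]*/;
const BARE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Expand one value using only lookups into `env`. Throws on any syntax that a
// shell would evaluate as a command, so nothing is ever executed.
function expandValue(value: string, env: Env): string {
  let out = "";
  let i = 0;
  while (i < value.length) {
    const ch = value[i];
    if (ch === "`") throw new Error("backtick command substitution is not allowed");
    if (ch !== "$") { out += ch; i++; continue; }

    const rest = value.slice(i + 1);
    if (rest.startsWith("(")) throw new Error("$( ) command substitution is not allowed");

    if (rest.startsWith("{")) {
      const close = rest.indexOf("}");
      const inner = close === -1 ? "" : rest.slice(1, close);
      if (close === -1 || !BARE_NAME.test(inner)) {
        throw new Error("unsupported expansion: ${" + inner + "}");
      }
      out += env[inner] ?? "";      // unknown names expand to empty, like a shell would
      i += close + 2;               // skip past "${NAME}"
      continue;
    }

    const m = NAME_AT_START.exec(rest);
    if (m) { out += env[m[0]] ?? ""; i += 1 + m[0].length; continue; }

    out += "$";                     // a `$` not followed by a name is literal text
    i++;
  }
  return out;
}

// Walk the declared entries in order so later ones may reference earlier ones.
// Rejected entries are reported by name with the reason; they never reach `env`.
function loadEnv(declared: Env, base: Env): { env: Env; rejected: Record<string, string> } {
  const env: Env = { ...base };
  const rejected: Record<string, string> = {};
  for (const [name, raw] of Object.entries(declared)) {
    try {
      env[name] = expandValue(raw, env);
    } catch (e) {
      rejected[name] = (e as Error).message;
    }
  }
  return { env, rejected };
}

const RESULT = loadEnv(SAMPLE_ENV, BASE_ENV);
console.log("accepted:", RESULT.env);
console.log("rejected:", RESULT.rejected);
```

With the constructed input, `PROJECT_BIN` and `PATH` expand as intended, `PRICE_LABEL` keeps its literal `$5`, and the three entries carrying command-substitution or parameter-expansion syntax are listed under `rejected` with a reason, which is the point at which a tool could warn the user instead of silently applying the file from a freshly cloned repo.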