fix(npx)!: detect new npx versions and fail gracefully (#10452)

BREAKING CHANGE: the `npx` plugin used a feature of `npx` to check for npm packages and run them if a command was not found. This feature was removed in v7.0.0 and was deemed insecure. The `npx` plugin is now officially deprecated and will be removed soon. Fixes #10452
2025-12-12 01:52:31 +01:00 · 2022-01-26 17:13:10 +01:00 · 2022-01-26 17:13:10 +01:00 · 3741d1aa02
commit 3741d1aa02
parent fc40b53e64
3 changed files with 14 additions and 32 deletions
--- a/plugins/npx/npx.plugin.zsh
+++ b/plugins/npx/npx.plugin.zsh
@ -1,7 +1,12 @@
-# NPX Plugin
-# https://www.npmjs.com/package/npx
-# Maintainer: Pooya Parsa <pooya@pi0.ir>
+if (( ! $+commands[npx] )); then
+  return
+fi

-(( $+commands[npx] )) && {
- source <(npx --shell-auto-fallback zsh)
-}
+if ! npx_fallback_script="$(npx --shell-auto-fallback zsh 2>/dev/null)"; then
+  print -u2 ${(%):-"%F{yellow}This \`npx\` version ($(npx --version)) is not supported.%f"}
+else
+  source <(<<< "$npx_fallback_script")
+fi
+
+print -u2 ${(%):-"%F{yellow}The \`npx\` plugin is deprecated and will be removed soon. %BPlease disable it%b.%f"}
+unset npx_fallback_script