This is, unfortunately, working as expected.

The Minerva repository tries to install an executable script in your .git/hooks directory. This script would then insecurely execute Node.js code as part of your credentialed/authenticated git interactions outside your development environment (e.g. when staging your commit, or when pushing to Gerrit).

Fresh is essentially detecting this as if it were malware trying to escape the container, and correctly prevents it from doing that.

It'd be hard to support something like this in a secure manner, and I'm not sure how Reading Web team generally manage this day-to-day. On occasion when I've patched client-side code in this kind of repository, I've learned to modify package.json to remove the git hook, then run install again, and then let Git undo that change (so as to not commit it).

Personally, I generally use separate terminal tab anyway for running tests vs staging commit and writing commit messages (where the former tab might use a "watch" mode if the project has one, giving you real-time feedback regardless of when a commit is saved). In non-Wikimedia projects I've generally found such hooks obtrusive, usually running at times I specifically don't want or need them to.

In any event, you could for now use the same workaround as me. Though It'd be nice if was a documented recommendation in the repository readme that would do this automatically, e.g. NO_COMMIT_HOOK=1 npm ci. (Maybe something like that exists already?), whicih would skip this step, and Fresh (and WMF CI) could also set such env var by default.

Alternatively, if there's interest from Reading Web, we could prioritize T253924 and support shortcuts like fresh -- npm test which developers could then use as part of a command-line alias like npm-test-and-git-commit, e.g. as git npmtac or some other short or tab-completable phrase of your choosing. This can then be adopt as alternate to git commit for those using that workflow, without it affecting the standard "npm install", "npm test", "git commit", "git rebase" etc workflow that new contributors would generally know and expect to work a certain way.

In T282246#7076661, @Krinkle wrote:

I've learned to modify package.json to remove the git hook, then run install again, and then let Git undo that change (so as to not commit it).

I'm looking at package.json but I don't see anything related to git. What do I need to change?

In T282246#7116083, @zeljkofilipin wrote:

I'm looking at package.json but I don't see anything related to git. What do I need to change?

For my future reference: remove pre-commit package from package.json, run npm i.

@Jdlrobson I believe "Tracking" usually means there is the understanding that a different team will resolve the ticket instead. If so, which team did you have in mind?

Tracking for web team means we don't have bandwidth right now. We review tasks in tracking at end of projects and it can change, particularly if tasks are associated with epics. If you need web to work on this please send me or Olga an email asking for us to prioritize it.

I should note weeb team has had nothing to do with Fresh yet so not really sure we would be the right team or who would be.

npm ci works fine in Popups, but it still fails in MinervaNeue.

Having a hard time debugging T301575 because of this. :(