Skip to content

Reject empty or whitespace-only configKey values in include_assets builds#7530

Open
JoshuaWhite1 wants to merge 1 commit into
mainfrom
05-11-reject_empty_or_whitespace-only_configkey_values_in_include_assets_builds
Open

Reject empty or whitespace-only configKey values in include_assets builds#7530
JoshuaWhite1 wants to merge 1 commit into
mainfrom
05-11-reject_empty_or_whitespace-only_configkey_values_in_include_assets_builds

Conversation

@JoshuaWhite1
Copy link
Copy Markdown
Contributor

@JoshuaWhite1 JoshuaWhite1 commented May 11, 2026
edited
Loading

WHY are these changes introduced?

Splitting out the empty/whitespace validation from #7504.
The additional path validation from that PR requires a larger conversation, while this portion is a lot simpler.

WHAT is this pull request doing?

Adds an empty-value validation pass in copyConfigKeyEntry that throws AbortError with message '<field>' can't be empty. when a configKey resolves to an empty or whitespace-only string.

  • Validation runs before any filesystem I/O — no partial copies on failure
  • Error message uses the leaf segment of the configKey ('assets', not 'extension_points[].assets'), matching what the developer wrote in their TOML
  • Field omitted entirely still works — the check only triggers when a value is explicitly written as empty. Optional fields still allowed.
  • Applies to every configKey routed through this helper: assets, tools, instructions, and intents[].schema (on extension_points[] and targeting[])

How to test your changes?

Follow the steps in #7504

  • test deploying an app with assets = "./assets". assert correct value does not error
  • test deploying an app with assets = "" assert "cannot be empty" error is thrown
  • test deploying an app with assets = " " assert cannot be empty error is thrown

Post-release steps

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset add

@JoshuaWhite1 Graphite App
Copy link
Copy Markdown
Contributor Author

JoshuaWhite1 commented May 11, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label May 11, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 11, 2026

⚠️ Potential Breaking Changes Detected

This PR contains changes that may break the existing contract.

@shopify/dev_experience — this PR contains breaking changes that require coordination for the next major release. This check will remain failed until a member of the team approves the workflow run.

💬 Head to #help-dev-platform to discuss timing and plan the release.

📦 Major Version Changesets

The following changesets request a major version bump:

Changeset Package
thin-webs-notice.md '@shopify/plugin-did-you-mean': major
thin-webs-notice.md '@shopify/plugin-cloudflare': major
thin-webs-notice.md '@shopify/create-app': major
thin-webs-notice.md '@shopify/cli-kit': major
thin-webs-notice.md '@shopify/store': major
thin-webs-notice.md '@shopify/theme': major
thin-webs-notice.md '@shopify/app': major
thin-webs-notice.md '@shopify/cli': major
thin-webs-notice.md '@shopify/e2e': major

@JoshuaWhite1 JoshuaWhite1 temporarily deployed to breaking-change-approval May 11, 2026 20:59 — with GitHub Actions Inactive
@JoshuaWhite1 JoshuaWhite1 marked this pull request as ready for review May 11, 2026 21:11
@JoshuaWhite1 JoshuaWhite1 requested a review from a team as a code owner May 11, 2026 21:11
Copilot AI review requested due to automatic review settings May 11, 2026 21:11
Copilot AI reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an early validation guard to the copyConfigKeyEntry helper used by the include-assets build step to reject configKey values that are explicitly set to an empty or whitespace-only string, failing fast before any filesystem copying begins.

Changes:

  • Add a pre-I/O validation pass that throws an AbortError when a resolved config path is empty/whitespace-only.
  • Format the error message using the leaf field name (e.g., assets) rather than the full dotted configKey path.
  • Add unit tests covering empty string, whitespace-only string, and nested configKey behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
packages/app/src/cli/services/build/steps/include-assets/copy-config-key-entry.ts Adds early validation to reject empty/whitespace-only resolved config paths and throw an AbortError with a leaf-field message.
packages/app/src/cli/services/build/steps/include-assets/copy-config-key-entry.test.ts Adds tests verifying the new guard triggers for empty/whitespace-only values and uses the leaf field name for nested keys.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

melissaluu
melissaluu reviewed May 11, 2026
View reviewed changes
Comment thread packages/app/src/cli/services/build/steps/include-assets/copy-config-key-entry.ts
// should only be copied once; the pathMap entry is reused for all references.
const uniquePaths = [...new Set(paths)]

const fieldName = key.split('.').pop()?.replace(/\[\]$/, '') ?? key
Copy link
Copy Markdown
Contributor

@melissaluu melissaluu May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should do the check earlier when we get the value so we don't have to do the extra unnecessary work of setting up the paths etc.

Copy link
Copy Markdown
Contributor

@melissaluu melissaluu May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep things simple, let's just add the check here to scope this validation to the single string value block - this will fulfill our current use case.

In the case where an asset key can have an array, I think we should review what the expected outcome should be for arrays before forcing an error if only one of the paths are empty string - and it's out of scope for us ATM so we can defer

MitchLillie
MitchLillie reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@MitchLillie MitchLillie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎩 looks good

Are you sure we want to disallow all config values from being empty? I know we're against hard-coding things, but this seems too broad.

For example [[extensions]] \n description = "" is optional so we should allow that to be empty. When I add an empty description, the validation passes though, so maybe I am not understanding the flow of things.

@vividviolet
Copy link
Copy Markdown
Member

vividviolet commented May 12, 2026

@Mitch this check is only for the copy-configKey step which copy files over to the deploy bundle - setting an empty string doesn't make any sense for this. Other configs not related to file copying are unaffected and already have their own validation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MitchLillie MitchLillie MitchLillie left review comments

@melissaluu melissaluu melissaluu left review comments

Copilot code review Copilot Copilot left review comments

@elanalynn elanalynn Awaiting requested review from elanalynn

@vividviolet vividviolet Awaiting requested review from vividviolet

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@JoshuaWhite1 @vividviolet @MitchLillie @melissaluu