Skip to content

Support undefined/null as unset in setEnvVars #342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ghostwriternr merged 3 commits into from
Jan 13, 2026
Merged

Support undefined/null as unset in setEnvVars #342

ghostwriternr merged 3 commits into from
Jan 13, 2026

Conversation

@ghostwriternr
Copy link
Member

@ghostwriternr ghostwriternr commented Jan 9, 2026

Summary

setEnvVars({ KEY: undefined }) now runs unset KEY instead of throwing or silently doing nothing, enabling idiomatic patterns:

await sandbox.setEnvVars({
  API_KEY: 'new-key',      // exported
  OLD_SECRET: undefined,   // unset
});

@ghostwriternr
Support undefined/null as unset in setEnvVars
38a79a4 
Previously, passing undefined values to setEnvVars would either throw
runtime errors or silently do nothing. Now undefined/null triggers an
unset command, enabling patterns like { API_KEY: 'new', OLD_VAR: undefined }.

Also fixes a shell injection vulnerability by validating env var names
before interpolating into unset commands.
@changeset-bot
Copy link

changeset-bot bot commented Jan 9, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 1a528ff

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/sandbox Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@ghostwriternr ghostwriternr mentioned this pull request Jan 9, 2026
Closed
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 9, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/sandbox-sdk/@cloudflare/sandbox@342

commit: 1a528ff

@github-actions
Copy link
Contributor

github-actions bot commented Jan 9, 2026
edited
Loading

🐳 Docker Images Published

Default:

FROM cloudflare/sandbox:0.0.0-pr-342-0abb711

With Python:

FROM cloudflare/sandbox:0.0.0-pr-342-0abb711-python

With OpenCode:

FROM cloudflare/sandbox:0.0.0-pr-342-0abb711-opencode

Version: 0.0.0-pr-342-0abb711

Use the -python variant if you need Python code execution, or -opencode for the variant with OpenCode AI coding agent pre-installed.

📦 Standalone Binary

For arbitrary Dockerfiles:

COPY --from=cloudflare/sandbox:0.0.0-pr-342-0abb711 /container-server/sandbox /sandbox
ENTRYPOINT ["/sandbox"]

Download via GitHub CLI:

gh run download 20971037432 -n sandbox-binary

Extract from Docker:

docker run --rm cloudflare/sandbox:0.0.0-pr-342-0abb711 cat /container-server/sandbox > sandbox && chmod +x sandbox

@agents-git-bot agents-git-bot bot mentioned this pull request Jan 13, 2026
Open
github-actions[bot]
github-actions bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenCode Review

The implementation looks well-architected and follows established codebase patterns effectively. The change enables idiomatic JavaScript patterns where undefined means "unset", which aligns with how optional fields work throughout the SDK.

Key strengths:

  • Leverages existing shellEscape() and partitionEnvVars() utilities consistently across both layers
  • Maintains atomic operations via session mutex locking
  • POSIX environment variable name validation covers both set and unset operations
  • Comprehensive test coverage including edge cases and E2E scenarios
  • Type updates are consistent across the three-layer architecture

Documentation impact check: The changeset properly documents the behavior change for end users. No additional Cloudflare docs need updating since this doesn't change the core Workers/DO environment variable concepts.

Architecture consideration: The implementation correctly handles the flow through all three layers (SDK → DO → Container), with appropriate error handling and shell escaping at each boundary.

The approach is sound and ready to merge.

@ghostwriternr ghostwriternr merged commit 7da85c0 into main Jan 13, 2026
17 of 18 checks passed
@ghostwriternr ghostwriternr deleted the fix/undefined-env-vars branch January 13, 2026 20:30
@github-actions github-actions bot mentioned this pull request Jan 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

+1 more reviewer

@roerohan roerohan roerohan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ghostwriternr @roerohan