禁用 oh my zsh 更新 #16
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Warning
ZSH_DISABLE_COMPFIX=true 会禁用 compaudit/compfix 检查与修复提示。compfix 的目的之一是防止 zsh 从 group/world 可写目录加载补全脚本导致潜在代码执行风险。在容器里虽然多为单用户 root 环境,但仍可能存在挂载卷、CI 缓存、或后续镜像层引入的权限异常,从而把真实问题“静默化”。
建议: 优先通过修正补全相关目录/文件权限来消除 compfix 提示,而不是全局禁用。若必须禁用,建议在 PR 描述中明确风险与适用场景,并确认镜像运行时不会加载来自不受信任路径的补全脚本。可考虑仅在已知受控环境(例如 CI)通过运行时 env 覆盖,而不是在基础镜像里永久写死。