feat: adds environment variable to allow PowerShell executable to be specified

[brianpursley]

Checklist

• npm install && npm test passes
• commit message follows commit guidelines

Description of change

The Add-Type powershell command in findVisualStudio2017OrNewer() can fail with early versions of PowerShell (<=5.x) in a restricted corporate environment due to permission denied on a temp folder in ~\AppData\Local\Temp. This is not a problem in node-gyp itself, but rather a limitation of legacy versions of PowerShell in a restricted environment.

Newer versions of PowerShell (7.0 for example) do not have this problem and are able to perform the Add-Type command without any problems in a restricted environment.

This PR adds a new check for a new environment variable (NODE_GYP_POWERSHELL_PATH) which can be used to specify a different PowerShell executable to use, if you want.

Example usage:

$env:NODE_GYP_POWERSHELL_PATH = "C:\Program Files\PowerShell\7\pwsh.exe"
npm i

---

NOTE: This is different than the problem addressed by #2449. I'm looking for a way to use Powershell 7, which is an entirely different executable than powershell.exe.

[cclauss]

Are there new security exposures as a result of the proposed changes?

[brianpursley]

Are there new security exposures as a result of the proposed changes?

I don’t think there are any new security exposures, as this is similar to how node-gyp uses the PYTHON environment variable.

It does allow someone to potentially put any arbitrary executable’s path in this variable and node-gyp will execute it while searching for visual studio. I don’t think it would be an executable they can’t already execute themselves though.

Would you consider this to be a vulnerability?

As an alternative, I could change the new environment variable to something like NODE_GYP_POWERSHELL_VERSION and let you set it to something like 6 or 7 instead of the full path, and then the code would only look for the executable in a well known, whitelisted, location. A little bigger change, but it would be more restrictive.

Another alternative might be to not add any new environment variable and change node-gyp to search for powershell like it does for Python, prefer a newer version of powershell if it is found, and fallback to the current powershell.exe if nothing is found. I don’t see a problem with this approach personally, but I was hesitant to suggest this as it would change the default behavior of node-gyp. Edit: well I don’t think the observed behavior would be different, just that this would be the new default way of working under the hood.

[brianpursley]

The more I think about it, the more I wonder if this should just be some sort of automatic fallback instead.

I originally thought the environment variable would be a good idea because it would let people decide if they want to use a different version of powershell, but node-gyp already has quite a few environment variables and it does make things more complicated for people.

What do you think about something like this?

1. Try to execute the command using powershell.exe like it does currently
2. If powershell.exe fails, then automatically try to execute the same thing using pwsh.exe
3. If both fail, then print the message, like it does today when powershell.exe fails.

---

Edit to add: I probably should have just opened an issue on this instead of going straight to a PR, so sorry about that.

I am happy to update this PR if there is a preferred approach, or if you'd like me to close this and open an issue, that's fine too, so just let me know what is best here.