Git.commit: --author value is wrapped in literal double quotes, corrupting author names that contain a quote character

[joewalker]

Observed behavior

Git.commit builds the --author argument with literal double quotes:

args.push(`--author="${committer.name} <${committer.email}>"`);

Because child_process.spawn is used without a shell, the literal " characters are part of the value passed to git. Git's "crud stripping" of identity strings hides the problem for ordinary names (leading/trailing quotes get filtered out), but the protection breaks down if committer.name itself contains a ".

Expected behavior

The literal quotes should not be in the value. The standard format that git documents is just --author=Name <email>, with no surrounding quotes.

Minimal reproduction

await git.commit('msg', {
  committer: { name: 'Joe \"Real\"', email: 'x@y.com' },
});
// git log -1 --format='%an'
// -> Joe \"Real           (the trailing quote is silently lost)

Verified with a standalone Node script that replicates Git.commit's exact spawn arguments. Observed result:

AN=[Joe \"Real] AE=[joe@example.com] CN=[Joe \"Real] CE=[joe@example.com]

The trailing \" from the source name is gone.

Suggested fix

args.push(`--author=${committer.name} <${committer.email}>`);

A regression test that commits with committer.name = 'Joe \"Real\"' and asserts git log -1 --format='%an' returns Joe \"Real\" would catch this.