[rush] Missing documentation of INSTALL_RUN_LOCKFILE_PATH environment variable

[gabriel-bezerra]

Summary

While handling https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised in our project, we found out that node common/scrips/install-run-rush.js installed malicious versions of the affected dependencies.

We mitigated it by setting the undocumented environment variable INSTALL_RUN_RUSH_LOCKFILE_PATH from #3671. Thank you for providing this option 👍 .

We couldn't find any documentation about this in https://rushstack.io/ nor in this GitHub organization. We think it would be valuable to have that documented to avoid similar issues in future.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question	Answer
@microsoft/rush globally installed version?	5.158.1
rushVersion from rush.json?	5.158.1
useWorkspaces from rush.json?	true
Operating system?	Linux
Would you consider contributing a PR?	Yes
Node.js version (node -v)?	22.19.0

[iclanton]

Yup, looks like it's missing from https://rushjs.io/pages/configs/environment_vars/#docusaurus_skipToContent_fallback. Probably along with a few other newer env vars.

Care to make a contribution? (https://github.com/microsoft/rushstack-websites/blob/main/websites/rushjs.io/docs/pages/configs/environment_vars.md)