1.8.6 breaks certain existing .zip packages

[ryanwitt]

@sheerun, unfortunately, looks like the security upgrade on decompress-zip may have had the side effect of breaking .zip archives with certain permissions set on a non-empty directory.

Not sure how many packages this affects, but hit one old one in a build. Pinning bower at v1.8.4 works around the issue.

Output of bower -v && npm -v && node -v:

1.8.6
3.10.10
v6.16.0

Additional environment details (proxy, private registry, etc.):

both macOS and Ubuntu 16.04

Steps to reproduce the issue:

1. Install bower 1.8.6
2. Install an affected zipfile:

bower install https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip

3. Encounter permissions errors

Describe the results you received:

Directories inside the archive can end up extracted without +x set, resulting in an access error trying to extract files inside that directory:

bower chosen_v1.1.0#*           cached https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32
bower chosen_v1.1.0#*         validate e-tag:face03d32 against https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*              new version for https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*          resolve https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*         download https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip
bower chosen_v1.1.0#*          extract chosen_v1.1.0.zip
bower chosen_v1.1.0#*           EACCES EACCES: permission denied, open '/var/folders/.../docsupport/oss-credit.png'

Stack trace:
Error: EACCES: permission denied, open '/var/folders/.../tmp/.../docsupport/oss-credit.png'
    at Error (native)

Console trace:
Error
    at StandardRenderer.error (node_modules/bower/lib/renderers/StandardRenderer.js:88:37)
    at Logger.<anonymous> (node_modules/bower/lib/bin/bower.js:113:30)
    at emitOne (events.js:96:13)
    at Logger.emit (events.js:188:7)
    at Logger.emit (node_modules/bower/lib/node_modules/bower-logger/lib/Logger.js:29:39)
    at node_modules/bower/lib/commands/index.js:49:24
    at _rejected (node_modules/q/q.js:864:24)
    at node_modules/bower/lib/node_modules/q/q.js:890:30
    at Promise.when (node_modules/bower/lib/node_modules/q/q.js:1142:31)
    at Promise.promise.promiseDispatch (node_modules/bower/lib/node_modules/q/q.js:808:41)
System info:
Bower version: 1.8.6
Node version: 6.16.0
OS: Darwin 18.2.0 x64

Permissions on the docusupport directory in this case are drw-r--r-- and should probably be drwxr--r--.

Describe the results you expected:

Package installed without error.

bower chosen_v1.1.0#*           cached https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32
bower chosen_v1.1.0#*         validate e-tag:face03d32 against https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*              new version for https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*          resolve https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#*         download https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip
bower chosen_v1.1.0#*          extract chosen_v1.1.0.zip
bower chosen_v1.1.0#*         resolved https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32

Additional information:

bower diff v1.8.4...v1.8.6
decompress-zip diff bower/decompress-zip@867e439...v0.3.2

[ryanwitt]

@sheerun I'm guessing it was the "Enable file mode preservation" feature in decompress-zip@v0.3.0.

[sheerun]

Thanks for noticing.. I've published 1.8.8 which should fix this regression. Mind to check?

[ryanwitt]

Seems to work on 1.8.7 which I guess is the pre-release?

[sheerun]

It is not release, thank you

[sheerun]

not -> now a