Description
@sheerun, unfortunately, looks like the security upgrade on decompress-zip may have had the side effect of breaking .zip archives with certain permissions set on a non-empty directory.
Not sure how many packages this affects, but hit one old one in a build. Pinning bower at v1.8.4 works around the issue.
Output of bower -v && npm -v && node -v:
1.8.6
3.10.10
v6.16.0
Additional environment details (proxy, private registry, etc.):
both macOS and Ubuntu 16.04
Steps to reproduce the issue:
- Install bower 1.8.6
- Install an affected zipfile:
bower install https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip
- Encounter permissions errors
Describe the results you received:
Directories inside the archive can end up extracted without +x set, resulting in an access error trying to extract files inside that directory:
bower chosen_v1.1.0#* cached https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32
bower chosen_v1.1.0#* validate e-tag:face03d32 against https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* new version for https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* resolve https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* download https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip
bower chosen_v1.1.0#* extract chosen_v1.1.0.zip
bower chosen_v1.1.0#* EACCES EACCES: permission denied, open '/var/folders/.../docsupport/oss-credit.png'
Stack trace:
Error: EACCES: permission denied, open '/var/folders/.../tmp/.../docsupport/oss-credit.png'
at Error (native)
Console trace:
Error
at StandardRenderer.error (node_modules/bower/lib/renderers/StandardRenderer.js:88:37)
at Logger.<anonymous> (node_modules/bower/lib/bin/bower.js:113:30)
at emitOne (events.js:96:13)
at Logger.emit (events.js:188:7)
at Logger.emit (node_modules/bower/lib/node_modules/bower-logger/lib/Logger.js:29:39)
at node_modules/bower/lib/commands/index.js:49:24
at _rejected (node_modules/q/q.js:864:24)
at node_modules/bower/lib/node_modules/q/q.js:890:30
at Promise.when (node_modules/bower/lib/node_modules/q/q.js:1142:31)
at Promise.promise.promiseDispatch (node_modules/bower/lib/node_modules/q/q.js:808:41)
System info:
Bower version: 1.8.6
Node version: 6.16.0
OS: Darwin 18.2.0 x64
Permissions on the docsupport directory in this case are drw-r--r-- and should probably be drwxr--r--.
Describe the results you expected:
Package installed without error.
bower chosen_v1.1.0#* cached https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32
bower chosen_v1.1.0#* validate e-tag:face03d32 against https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* new version for https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* resolve https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#*
bower chosen_v1.1.0#* download https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip
bower chosen_v1.1.0#* extract chosen_v1.1.0.zip
bower chosen_v1.1.0#* resolved https://github.com/harvesthq/chosen/releases/download/v1.1.0/chosen_v1.1.0.zip#e-tag:face03d32
Additional information:
bower diff v1.8.4...v1.8.6
decompress-zip diff bower/decompress-zip@867e439...v0.3.2
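
An added example, not part of the original issue and not decompress-zip's or bower's code: one way an extractor can sanitise archive-supplied modes without locking itself out of the directories it creates. It assumes entries written by a Unix host (mode in the high 16 bits of the external attributes); the `{ path, externalAttrs }` entry shape, the function names and the sample entries are hypothetical.

```javascript
// Added example; not decompress-zip or bower code. The entry shape
// { path, externalAttrs } is hypothetical.
const S_IFMT = 0o170000;
const S_IFDIR = 0o040000;

// The Unix mode sits in the high 16 bits of a ZIP entry's external attributes.
function storedMode(entry) {
  return (entry.externalAttrs >>> 16) & 0xffff;
}

function isDirectory(entry) {
  return entry.path.endsWith('/') || (storedMode(entry) & S_IFMT) === S_IFDIR;
}

// Mode to apply on disk: drop setuid/setgid/sticky and the file-type bits,
// then guarantee owner rw on files and owner rwx on directories.
function extractionMode(entry) {
  const perms = storedMode(entry) & 0o777;
  return perms | (isDirectory(entry) ? 0o700 : 0o600);
}

// Directories that have children but whose stored mode lacks owner w+x, so
// applying it verbatim before writing the children fails with EACCES.
function blockedDirectories(entries) {
  return entries
    .filter((e) => isDirectory(e) && (storedMode(e) & 0o300) !== 0o300)
    .filter((d) => {
      const prefix = d.path.endsWith('/') ? d.path : d.path + '/';
      return entries.some((e) => e !== d && e.path.startsWith(prefix));
    })
    .map((d) => d.path);
}

// Constructed sample entries; the docsupport mode is the one quoted in the issue.
const attrs = (mode) => (mode << 16) >>> 0;
const SAMPLE = [
  { path: 'docsupport/', externalAttrs: attrs(0o040644) }, // drw-r--r--
  { path: 'docsupport/oss-credit.png', externalAttrs: attrs(0o100644) },
  { path: 'empty/', externalAttrs: attrs(0o040644) }, // no children
  { path: 'bin/tool', externalAttrs: attrs(0o104755) }, // setuid bit set
];

console.log('blocked if applied verbatim:', blockedDirectories(SAMPLE));
console.log('docsupport/ extracted as:', extractionMode(SAMPLE[0]).toString(8));
console.log('bin/tool extracted as:', extractionMode(SAMPLE[3]).toString(8));
```
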