npm package / file ownership issues #5

Closed
tropicalwave opened this issue Jan 19, 2023 · 10 comments
Comments

@tropicalwave

First of all, thank you very much for this package! Knowing that it has not been updated since 2019, I'd kindly like to ask if it would nevertheless be possible to release a new npm package because of file ownership issues that currently affect the functionality of the latest versions of https://github.com/github/super-linter in certain scenarios via its eslint-plugin-jsx-a11y dependency.

The specific issue in question is github/super-linter#3785 and this comment outlines the details. In short, the files within the npm package have very high user/group IDs which will not make it possible to use affected images for rootless podman/docker containers with default configurations.

@echoix

echoix commented Mar 4, 2023

I think this might be affecting MegaLinter too oxsecurity/megalinter#2348

@kyldvs
Owner

kyldvs commented Apr 11, 2023

Hi! Sorry this is causing problems. I made it 9 years ago and have no idea how it would break things. Before doing an NPM release do I need to update anything? I don't really understand the problem it would be causing.

@echoix

echoix commented Apr 12, 2023

I was thinking that maybe by having a build in a clean environment, the packaged files wouldn't have weird user ids included in the tarball.

I tried to setup some CI in a fork to test things out, but I can't get it to build. What were the steps that you run to build/package the project?

@kyldvs
Owner

kyldvs commented Apr 12, 2023

I believe just this gulp build step: https://github.com/kyldvs/ast-types-flow/blob/master/gulpfile.js#L6

but this was from 2015, so I'm not sure if it will actually run without changes. I don't think running the buildTypes script is actually important since we don't want to change any of the files. If someone sent a PR to manually fix the file owners/permissions to something appropriate that might work too

@echoix

echoix commented Apr 12, 2023

If someone sent a PR to manually fix the file owners/permissions to something appropriate that might work too

File owners/permissions aren't stored by Git, there is only the executable bit that is kept if I recall correctly. So there isn't any PR to make, probably just repackage.

@rmehner

rmehner commented Apr 13, 2023

Running into the same problem.

If you do npm pack ast-types-flow to download the release tarball and then run tar -ztvf ast-types-flow-0.0.7.tgz, you'll see these results:

tar -ztvf ast-types-flow-0.0.7.tgz 
-rw-r--r--  1 369884941  1876110778 749 Oct 30  2015 package/package.json
-rw-r--r--  1 369884941  1876110778 2007 Sep 14  2015 package/README.md
-rw-r--r--  1 369884941  1876110778 121821 Oct 30  2015 package/lib/types.js

Notice the high UID and GID? Those are the problem. I think a re-package in a clean environment and re-publish should fix the problem.

Happy to assist if needed.

@kyldvs
Owner

kyldvs commented Apr 14, 2023

Happy to publish a new version to npm. Can someone help by submitting a PR so that the appropriate scripts package things for me to publish cleanly? For example right now npm run-script build crashes. Even if you take out all the logic and just have the build copy/paste the existing distributed files in the right place I'd accept that.

Alternatively if that's unnecessary, tell me exactly the commands to run to publish from the latest commit and that would be helpful, I have not worked in this space in quite a while :)

@rmehner

rmehner commented Apr 14, 2023

@kyldvs

I did a quick thing with Docker (I was in Dockerland anyway):

  1. docker run -it node:10.24.1 bash
  2. mkdir src && cd src
  3. git clone https://github.com/kyldvs/ast-types-flow.git
  4. cd ast-types-flow
  5. npm install
  6. npm run build

This worked successfully and you can find the resulting lib/types.js here: https://gist.github.com/rmehner/8aabc75dda33dc8bed1624f68230bec7

So what's left for you to do is this:

  • make sure your local npm installation is authenticated (npm login)
  • copy the above file into lib/types.js
  • run npm version patch which should increase the version to 0.0.8 and create a commit and git tag
  • run npm publish to publish the package
  • git push
  • git push --tags (actually not sure if still needed)

Hope this helps. If not, feel free to reach out. Happy to help.

@kyldvs
Owner

kyldvs commented Apr 15, 2023

@rmehner thanks a bunch for the clear steps. I think I've got a new release out, please let me know if this resolves the issues: https://www.npmjs.com/package/ast-types-flow/v/0.0.8

@rmehner

rmehner commented Apr 15, 2023

Getting the package with npm pack ast-types-flow@0.0.8 and then checking the contents of the package with tar -ztvf ast-types-flow-0.0.8.tgz leads to this:

-rw-r--r--  0 0      0        1067 Oct 26  1985 package/LICENSE
-rw-r--r--  0 0      0      122152 Oct 26  1985 package/lib/types.js
-rw-r--r--  0 0      0         749 Oct 26  1985 package/package.json
-rw-r--r--  0 0      0        2007 Oct 26  1985 package/README.md

Looks good! Thanks @kyldvs!

@kyldvs kyldvs closed this as completed Apr 15, 2023
rmehner added a commit to rmehner/eslint-plugin-jsx-a11y that referenced this issue Apr 18, 2023
…blems

Version 0.0.7 had a problem with a very high user id, which led to problems when used in Docker with user namespacing.
For some details check: kyldvs/ast-types-flow#5