-
Notifications
You must be signed in to change notification settings - Fork 3k
npm gets permissions of node_modules all wrong #16766
Comments
I just browsed through the npm code for keywords like I didn't find anything in the npm code itself, but i found that Node.js uses the following syscall internally to execute
It looks like npm uses the module mkdirp to create folders, which in turn uses the built-in Node.js module If somehow npm runs under the user:group 502:dialout while creating the folder, this would be the cause of the problem. However, that must be a problem with npm itself and not with @Cyberuben's setup, because he is running npm as root:root. |
@alexrsagen The place to look is in It's possible I brainfarted about how our permissions-dropping works. I should check with @iarna about what the intentions were, but I thought we were supposed to drop perms to If it's not supposed to drop perms like this, the fix is just to path |
The fact that some packages are missing might well be a separate bug -- it might be useful to see what it is you tried to install that's missing. (I've seen some cases like #16744 where it's literally a completely invalid semver, and I have no idea how npm4 ever installed it). |
In the meantime: you should be able to blow away |
The list of dependencies I'm trying to install is as following:
What happens when |
I'm also observing user:group of 501:20 when installing by root (in a linux container), without
Which don't look like sensible user and group id. Reproduced on npm@5.0.1 |
I've also been experiencing this bug while trying to use npm5 in a Docker container on CircleCI 2.0. npm is being run by root and neither After reading this issue I employed the tried and true debugging method of deleting code at random until something works, and I discovered that the following change to lib/config/pacote.js fixes the problem for me: --- pacote.js 2017-06-02 15:03:57.000000000 -0700
+++ pacote.fixed.js 2017-06-02 15:04:13.000000000 -0700
@@ -42,9 +42,7 @@
userAgent: npm.config.get('user-agent')
}
- if (ownerStats.uid || ownerStats.gid) {
- Object.assign(opts, ownerStats)
- }
+ Object.assign(opts, ownerStats)
npm.config.keys.forEach(function (k) {
const authMatch = k[0] === '/' && k.match( At least in my case, the problem seems to have been that since |
This is a workaround for a permissions-related npm crash within Docker on CircleCI. See also: - npm/npm#16892 - npm/npm#16766 - Similar yarn issue with the workaround: yarnpkg/yarn#918
* Fix bug 1368977: Remove es2015 and stage-0 preset from Babel. The minimum Firefox version that we target for both the system add-on and the website is Firefox 52, which includes support for most es2015 features, including native async/await syntax. This means we can safely switch to using those features without transpiling them via Babel. This removes both the es2015 and stage-0 presets from Babel, and includes a few individual plugins that we still need support for. This also adds a new Webpack plugin to enable it to parse async/await syntax while resolving modules. UglifyJS can't parse async/await syntax, even on the harmony branch, so this switches to using Babili for minification. We use the webpack plugin instead of including it in the Babel config so that code inside node_modules, which is ignored by babel-loader, also gets minified. * Switch to app user in linting Dockerfile before running npm install. This is a workaround for a permissions-related npm crash within Docker on CircleCI. See also: - npm/npm#16892 - npm/npm#16766 - Similar yarn issue with the workaround: yarnpkg/yarn#918
I'm seeing |
@rgrove's suggestion above also seems on point for what we are experiencing: trying to do global installs while logged in as root results in files set to the uid/gid of the package maintainer (whomever created the source tarball). I.E., since uid/gid is 0/0 in that case, the code rgrove referenced above in the rgrove's suggestion in combination with the recent |
I’m still seeing this in 5.0.4, even though the patch (80c33cf) seems to be in 5.0.4…? |
@haggholm 80c33cf doesn't appear to address the issue I described in #16766 (comment). I think both changes are needed, as @DanRagle said in #16766 (comment), but I'm not confident enough in my knowledge of npm's internals to say for sure that what I proposed in my comment is the correct fix. It would be helpful if someone with a deeper understanding of npm and pacote could weigh in. |
@rgrove @Cyberuben @mhart @haggholm I've pushed a new canary, |
@zkat npmc@5.0.4-canary.7 works like a charm for me. Thanks! 🎉 |
@zkat doesn't seem to work for me. At least in the sense that You can reproduce with:
|
Oh wait, that's probably because npm installed npmc, right...? |
@mhart yes. You need to use npmc itself ;) |
Right, duh 😸 Yes, this indeed works:
|
looks like we're done here. thanks all! |
Any idea when this patch is getting merged to mainline? |
@jspiro the release should be ~ wednesday next week. |
I’m still getting bad permissions when installing packages globally. I don’t know precisely what the cases are, but it seems to happen when running |
5.6.0 an this error still occurs for npm global builds for root. npm... |
I'm still seeing global install permissions bugs in 5.7.1. |
Like @cadavre; errors on global root install for packages:
|
@cadavre I had the same issue. Updating to Although, the following command saved me:
or just
|
Wow, this is still an issue in |
I'm opening this issue because:
What's going wrong?
When installing modules in a freshly cloned git repo using
npm install
on npm version5.0.0
, I get the weird behavior of thenode_modules
folder having the wrong owner. Usingls -la
I can see the following info is returned:When starting the application, I get several dependency errors. When installing the dependency that is reported to be missing, another entry appears.
When doing the same using npm at version
4.6.1
, I get the following output:Which is expected behavior, and no packages are missing
Note: The missing dependencies seem to be devDependencies from a few of the packages I depend on. There is something mentioned in the
Breaking changes
section of the NPM update changelog, but not about these packages not being installed when runningnpm install
How can the CLI team reproduce the problem?
There is no npm-debug.log file, as there are no errors reported.
I'm positive I'm running npm as root:root.
supporting information:
npm -v
prints:5.0.0
node -v
prints:v7.10.0
npm config get registry
prints:https://registry.npmjs.org/
Ubuntu 16.04 LTS
OVH, France
The text was updated successfully, but these errors were encountered: