npm silently runs chownr on a bunch of directories (v5.7.0+) #19829
I'm opening this issue because:
What's going wrong?
Since ce0b709 on
Firstly, this can completely break running npm under some circumstances (see the reproduction below).
Secondly, there seems to be no way to turn this off, and I feel extremely uncomfortable running software that silently sets permissions on random folders (and at least
I obviously can’t tell you what do to, but please make this at least opt-out, and ideally opt-in. There’s nothing wrong with recommending the user to run npm with
How can the CLI team reproduce the problem?
```
$ sudo mkdir -p test/a/b
$ sudo chmod 0777 test   # this should be enough for `npm install` to work
$ sudo chmod 0700 test/a # directory not related to npm at all
$ cd test
$ npm install is-positive # or *any* other npm action, including just getting config values
Error: EACCES: permission denied, scandir '…/test/a'
[… more errors, including the error handling itself breaking …]
```
This reproduction may look artificial, but it’s a set of conditions that is commonly fulfilled when running
/cc @iarna since you’re the author of the linked patch :)
Title changed on Feb 21, 2018 (was: npm silently runs chownr on a bunch of directories (release-next)).
This issue was referenced on Feb 22, 2018.
That is absolutely the wrong response. If you are looking to push people to leave npm and go to Yarn or similar, then you have just taken a big step towards that goal.
Yes, npm is free. Yes, npm relies on contributors donating their time to work on it. Yes, npm has done more for the Node community than almost any other project. And all of that is appreciated very much.
However, that does not mean that npm, its contributors and managers are not free of obligation or responsibility. Releasing an update that destroys computers is absolutely unacceptable. Millions of developers and organisations have put their trust in you, and expect updates to a system that is capable of doing so much damage to be utterly and rigorously tested. The fact that this problem has been so widespread indicates that it wasn't.
npm is more than a hobby or pet project, it is a vital part of countless pieces of software.
I also echo the sentiment that npm has gotten to the stage where it changes far more than it can justify, and there should be a debate about what control is handed to it.
You may of course react defensively and confrontationally to this idea, but all you will do is encourage users to abandon your project.
@adam-ainsworth Please note that I’m not speaking for or affiliated with npm in any official way.
All I’m saying is, if you don’t have anything helpful to say, you might not want to take other people’s time by making them listen. (And I usually try to read up on issues that I open.)
I’m obviously not too happy about the bug either – otherwise I wouldn’t have opened this issue.
@addaleax I'm sorry that you find user feedback un-constructive.
I said what I said here because GitHub seems to be the only place I can find discussions and scrutiny on the design decisions of npm. I can't seem to find much documentation on the internals, and from the outside it looks like there are a lot of design and QA problems that need to be addressed.
Most times when I browse issues, I see users complaining and commits going in with little discourse as to what's taking place. Remember that what's most important to large free / open source projects is the community, not how many patches.
If the community is unhappy then who is going to convince people that they should use npm or give it another try?