This repository has been archived by the owner. It is now read-only.

npm silently runs chownr on a bunch of directories (v5.7.0+) #19829

Closed
addaleax opened this issue Feb 15, 2018 · 6 comments

3 participants
@addaleax (Contributor) commented Feb 15, 2018

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • Other (see below for feature requests):

What's going wrong?

Since ce0b709 on release-next, running npm install (intentionally? 😱) runs chownr on, for example, the prefix where it is installed (and etc/ under it) and the current directory.

Firstly, this can completely break running npm under some circumstances (see the reproduction below).

Secondly, there seems to be no way to turn this off, and I feel extremely uncomfortable running software that silently sets permissions on random folders (and at least $prefix/etc/ definitely falls into the “npm should not modify in any way” category).

I obviously can’t tell you what to do, but please make this at least opt-out, and ideally opt-in. There’s nothing wrong with recommending the user to run npm with --fix-permissions or something in case an action fails with a permissions error.

How can the CLI team reproduce the problem?

$ sudo mkdir -p test/a/b
$ sudo chmod 0777 test  # this should be enough for `npm install` to work
$ sudo chmod 0700 test/a  # directory not related to npm at all
$ cd test
$ npm install is-positive  # or *any* other npm action, including just getting config values
Error: EACCES: permission denied, scandir '…/test/a'
[… more errors, including the error handling itself breaking …]

This reproduction may look artificial, but it’s a set of conditions that is commonly fulfilled when running npm install in /tmp on UNIX machines when another user (including root) is or was active in some way.

Supporting information:

  • npm -v prints: 5.6.0 (but it’s release-next = 737dc85, really.)
  • node -v prints: v10.0.0-pre
  • npm config get registry prints: Doesn’t work either in such directories, https://registry.npmjs.org/ elsewhere.
  • Windows, OS X/macOS, or Linux?: Ubuntu 17.10, Linux.
  • Network issues:
    • Geographic location where npm was run:
    • I use a proxy to connect to the npm registry.
    • I use a proxy to connect to the web.
    • I use a proxy when downloading Git repos.
    • I access the npm registry via a VPN
    • I don't use a proxy, but have limited or unreliable internet access.
  • Container:
    • I develop using Vagrant on Windows.
    • I develop using Vagrant on OS X or Linux.
    • I develop / deploy using Docker.
    • I deploy to a PaaS (Triton, Heroku).

/cc @iarna since you’re the author of the linked patch :)

@addaleax addaleax changed the title npm silently runs chownr on a bunch of directories (release-next) npm silently runs chownr on a bunch of directories (v5.7.0+) Feb 21, 2018

@addaleax (Contributor, Author) commented Feb 22, 2018

Fixed by 74e149d

@addaleax addaleax closed this Feb 22, 2018

@metasansana commented Feb 23, 2018

I think it's time to acknowledge npm is doing way too much.

@addaleax (Contributor, Author) commented Feb 23, 2018

@metasansana If you’re giving unconstructive criticism, maybe do that on Twitter. npm is free, open source, and there’s nothing forcing you to use it or keeping you from using something else.

@adam-ainsworth commented Feb 23, 2018

That is absolutely the wrong response. If you are looking to push people to leave npm and go to Yarn or similar, then you have just taken a big step towards that goal.

Yes, npm is free. Yes, npm relies on contributors donating their time to work on it. Yes, npm has done more for the Node community than almost any other project. And all of that is appreciated very much.

However, that does not mean that npm, its contributors and managers are not free of obligation or responsibility. Releasing an update that destroys computers is absolutely unacceptable. Millions of developers and organisations have put their trust in you, and expect updates to a system that is capable of doing so much damage to be utterly and rigorously tested. The fact that this problem has been so widespread indicates that it wasn't.

npm is more than a hobby or pet project, it is a vital part of countless pieces of software.

I also echo the sentiment that npm has gotten to the stage where it changes far more than it can justify, and there should be a debate about what control is handed to it.

You may of course react defensively and confrontationally to this idea, but all you will do is encourage users to abandon your project.

@addaleax (Contributor, Author) commented Feb 23, 2018

@adam-ainsworth Please note that I’m not speaking for or affiliated with npm in any official way.

All I’m saying is, if you don’t have anything helpful to say, you might not want to take other people’s time by making them listen. (And I usually try to read up on issues that I open.)

I’m obviously not too happy about the bug either – otherwise I wouldn’t have opened this issue.

@metasansana commented Feb 23, 2018

@addaleax I'm sorry that you find user feedback unconstructive.

I said what I said here because Github seems to be the only place I can find discussions and scrutiny on the design decisions of npm. I can't seem to find much documentation on the internals and from the outside it looks like there are lot of design and QA problems that need to be addressed.

Most times when I browse issues, I see users complaining and commits going in with little discourse as to what's taking place. Remember what's most important to large free / open source projects is the community, not how many patches.

If the community is unhappy then who is going to convince people that they should use npm or give it another try?
