Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

npm cache config not sensible if $HOME unset #3064

jwhitley opened this Issue Jan 16, 2013 · 4 comments


None yet
2 participants


OS: Ubuntu 12.04 LTS
node: v0.8.17
npm: v1.1.71

Repro steps

  1. Unset the HOME environment variable
  2. Run npm config ls -l
  3. Observe the value of cache.

Expected result

cache should be a sensible value based on the home directory of the current user. On Posix systems, the common idiom is to obtain the user's home directory as a value for home when $HOME is unset. (E.g. search for code calling getpwnam(3), also first para of bash tilde expansion ). The getpwnam call is already available node code via modules such as node-posix.

Actual result

The cache config is set as cache = "/tmp/.npm". This can be problematic; see Notes, below.


Environments such as Puppet 3.x will run with HOME unset. The release note at that link starting "LANG, LC_*, and HOME" has more info and brief rationale. This breaks npm in run contexts that don't set HOME (certain provisioning and non-interactive shell environments, see below), as all users' cache dirs collide on /tmp/.npm creating a lovely little conflicting permissions mess if more than one user ever installs a node module.

Proposed solution

osenv.home is the primary culprit. On master, this code has been inlined into the node codebase, but on 0.8.x it's still referenced via package.json as a release of isaacs/osenv. That method should instead look roughly like this:

memo('home', function () {
  return ( isWindows ? process.env.USERPROFILE
         : process.env.HOME || posix.getpwnam(process.getuid()).dir

This would already be a pull request, except I'm unsure the best way to bring in getpwnam. It looks like node is cutting external dependencies in favor of bringing code into this repository. Advice?

Moved from joyent/node#4600; see prior discussion there. Salient point from @isaacs:

If there's no $HOME dir, then perhaps we can use something like $TMP + 'npm-' + uid (or pid), so it won't collide.

Agreed; I'd prefer uid so that the cache is doing at least some sharing. pid practically defeats the purpose, and could even become a performance problem during initial system provisioning and/or reloads. (e.g. successive npm install runs to bring a dev environment up-to-date).

For posterity, I've found a solid external workaround for this issue, useful for folks who can install packages on the target system. Under Ubuntu/Debian, install pam-tmpdir via:

sudo apt-get install pam-tmpdir

Per the link above:

PAM tmpdir module sets $TMPDIR and $TMP for PAM sessions to /tmp/user/[uid].

This prevents various users (esp. root for global installs) from having permissions collisions on /tmp/.npm.

@isaacs isaacs added a commit to npm/npmconf that referenced this issue Jan 19, 2013

@isaacs isaacs Don't use a shared tmp dir in homeless envs
Addresses npm/npm#3064

timoxley commented Jan 7, 2014

@jwhitley Based on the above commit, looks like this can perhaps be closed?


jwhitley commented Jan 7, 2014

@timoxley Looks good, thanks. I'll close this now.

@jwhitley jwhitley closed this Jan 7, 2014

@vvision vvision added a commit to vvision/npmconf that referenced this issue Sep 23, 2014

@isaacs @vvision isaacs + vvision Don't use a shared tmp dir in homeless envs
Addresses npm/npm#3064
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment