web3 postinstall script modifies files in another package #3717

Closed
abacabadabacaba opened this issue Sep 10, 2020 · 4 comments

@abacabadabacaba

I found that the postinstall script in the web3 package attempts to modify files in an unrelated package, @angular-devkit/build-angular. I believe this to be an abuse of NPM script functionality. Packages should not modify files that they don't own without the user's explicit request.

There are other problems with this behavior:

  • If the @angular-devkit/build-angular package is installed or upgraded after web3, the modifications will not be performed. This makes the build result nondeterministic, and also leads to bugs that may or may not reproduce depending on the order in which the packages are installed.
  • The modifications may break a future version of @angular-devkit/build-angular package. If this happens, it will be difficult for the user to find the root cause of the breakage.
  • The script that performs the modifications assumes that the relative path to the @angular-devkit/build-angular package is ../../node_modules/@angular-devkit. This may not be true, as NPM may use a different directory structure in case of name conflicts. See npm-folders documentation page for details.

If the modifications are needed, they should be performed by a script that the user needs to run explicitly, perhaps as part of their build process.

Expected behavior

Installing web3 package doesn't mess with other packages.

Actual behavior

Installing web3 package attempts to modify a different package.

Steps to reproduce the behavior

  1. Install web3 package

Logs

Environment

@GregTheGreek
Contributor

GregTheGreek commented Sep 12, 2020

@abacabadabacaba this is extremely concerning. Thank you for reporting this.

I'm not seeing any post-install scripts, do you mind sharing how you discovered this?

I've dumped my install log, and if you could do the same that would be great. I did so with the following steps.

  1. Fresh directory
  2. yarn add @angular-devkit/build-angular
  3. yarn add web3
> yarn add web3
yarn add v1.22.4
warning package.json: No license field
warning No license field
[1/4] Resolving packages...
warning web3 > web3-bzz > swarm-js > mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
warning web3 > web3-eth > web3-eth-ens > content-hash > multicodec@0.5.7: stable api reached
warning web3 > web3-bzz > swarm-js > eth-lib > servify > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning web3 > web3-bzz > swarm-js > eth-lib > servify > request > har-validator@5.1.5: this library is no longer supported
[2/4] Fetching packages...
info fsevents@2.1.3: The platform "linux" is incompatible with this module.
info "fsevents@2.1.3" is an optional dependency and failed compatibility check. Excluding it from installation.
info fsevents@1.2.13: The platform "linux" is incompatible with this module.
info "fsevents@1.2.13" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
warning " > @angular-devkit/build-angular@0.1001.1" has unmet peer dependency "@angular/compiler-cli@^10.0.0".
warning " > @angular-devkit/build-angular@0.1001.1" has unmet peer dependency "typescript@>=3.9 < 4.1".
warning "@angular-devkit/build-angular > @ngtools/webpack@10.1.1" has unmet peer dependency "@angular/compiler-cli@^10.0.0".
warning "@angular-devkit/build-angular > @ngtools/webpack@10.1.1" has unmet peer dependency "typescript@>=3.9 < 4.1".
[4/4] Building fresh packages...
success Saved lockfile.
warning No license field
success Saved 128 new dependencies.
info Direct dependencies
└─ web3@1.2.11
info All dependencies
<REDACTED>
Done in 4.57s.

@abacabadabacaba
Author

$ yarn add @angular-devkit/build-angular
[...]
info Direct dependencies
└─ @angular-devkit/build-angular@0.1001.1
[...]
$ sha256sum node_modules/@angular-devkit/build-angular/src/angular-cli-files/models/webpack-configs/browser.js 
c6c485fe4a27099bb14b3740b6008672c3f8e4b9530d56cea94cedf051c0934d  node_modules/@angular-devkit/build-angular/src/angular-cli-files/models/webpack-configs/browser.js
$ yarn add web3
[...]
info Direct dependencies
└─ web3@1.2.11
[...]
$ sha256sum node_modules/@angular-devkit/build-angular/src/angular-cli-files/models/webpack-configs/browser.js 
540f3b70edbd9a31de29c5a0b5d227415ee9fe475848dcca96202ba9cb3a8341  node_modules/@angular-devkit/build-angular/src/angular-cli-files/models/webpack-configs/browser.js

See also: PR #3136.

@GregTheGreek
Contributor

Hmmm interesting ok. I'm going to look into it this week.

@GregTheGreek
Contributor

This has been merged
