[Bug?]: `yarn rw test` causes antivirus program to warn me about access to folder on Mac OS

[alundiak]

What's not working?

I expected yarn rw test to not cause any security, virus or malware warnings what so ever.

How do we reproduce the bug?

• Setup new project yarn create redwood-app my-redwood-project-2023 --typescript on Mac OS Sonoma when you have pre-installed some Antivirus-like software on Mac OS.
• yarn install works (after play with corepack)
• yarn redwood dev works OK (http://localhost:8910 is available/reachable).
• yarn rw storybook works.
• yarn rw test seems to be working but causing Antivirus software to warn me about schema-engine-darwin-arm64 via node is trying to access my custom folder projects.

Here is rest of output:

Environment variables loaded from .env
Prisma schema loaded from api/db/schema.prisma
Datasource "db": SQLite database "test.db" at "file:/Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/.redwood/test.db"

The SQLite database "test.db" at "file:/Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/.redwood/test.db" was successfully reset.
Error: SQLite database error
attempt to write a readonly database
   0: sql_schema_connector::apply_migration::apply_migration
             at schema-engine/connectors/sql-schema-connector/src/apply_migration.rs:10
   1: schema_core::state::SchemaPush
             at schema-engine/core/src/state.rs:436

  ● Test suite failed to run

    Jest: Got error running globalSetup - /Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/node_modules/@redwoodjs/testing/config/jest/api/globalSetup.js, reason: Command failed with exit code 1: yarn rw prisma db push --force-reset --accept-data-loss

      at makeError (node_modules/execa/lib/error.js:60:11)
      at module.exports.sync (node_modules/execa/index.js:194:17)
      at module.exports (node_modules/@redwoodjs/testing/config/jest/api/globalSetup.js:36:11)
      at node_modules/@jest/core/build/runGlobalHook.js:109:19
      at ScriptTransformer.requireAndTranspileModule (node_modules/@jest/transform/build/ScriptTransformer.js:806:24)
      at async runGlobalHook (node_modules/@jest/core/build/runGlobalHook.js:101:9)
      at async runJest (node_modules/@jest/core/build/runJest.js:327:5)

What's your environment? (If it applies)

System:
    OS: macOS 14.1.2 (Sonoma on iMac 2021, M1 CPU)
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 21.4.0 - /private/var/folders/92/_xv***00gn/T/xfs-3***7/node
    Yarn: 4.0.2 - /private/var/folders/92/_xv***00gn/T/xfs-3***d7/yarn
  Databases:
    SQLite: 3.39.5 - /usr/bin/sqlite3
  Browsers:
    Safari: 17.1.2 (but I also have Chrome, Opera, Firefox and Brave)
  npmPackages:
    @redwoodjs/cli-storybook: 6.6.0 => 6.6.0 
    @redwoodjs/core: 6.6.0 => 6.6.0
    UPD: prisma@npm:5.7.0 (looked up in yarn.lock)

PS.

Note. Maybe not related but while yarn rw dev is running, I have these error and warning:

web |   ➜  Local:   http://localhost:8910/
web |   ➜  Network: http://192.168.18.3:8910/
web | 1:22:04 PM [vite] http proxy error at /graphql:

web | AggregateError
web |     at internalConnectMultiple (node:net:1114:18)
web |     at afterConnectMultiple (node:net:1667:5)

gen | (node:30205) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.

Are you interested in working on this?

• [ ] I'm interested in working on this

[jtoar]

Hey @alundiak, whoa yeah that's weird. That binary sounds like a prisma binary. Do the other prisma commands work like yarn rw prisma migrate dev?

I'm on MacOS Ventura (13) and can't reproduce this but I'm overdue for an upgrade and could try reproducing again after upgrading my OS version.

[alundiak]

@jtoar yes, similar:

yarn rw prisma migrate dev

Running Prisma CLI...
$ yarn prisma migrate dev --schema /Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/api/db/schema.prisma

Environment variables loaded from .env
Prisma schema loaded from api/db/schema.prisma
Datasource "db": SQLite database "dev.db" at "file:./dev.db"

SQLite database dev.db created at file:./dev.db

Error: SQLite database error
attempt to write a readonly database

   0: sql_schema_connector::sql_migration_persistence::initialize
           with namespaces=None
             at schema-engine/connectors/sql-schema-connector/src/sql_migration_persistence.rs:14

   1: schema_core::state::ApplyMigrations
             at schema-engine/core/src/state.rs:201

plus a notification from security.antivirus software:

PS. I assume that MAYBE my Poland ISP TOYA has some rules too strict and maybe treats access to folder by ANY executable on Mac OS / Darwin / M1 CPU in some other ways as maybe other softwares...

More info here: https://toya.net.pl/strona/bezpieczny-internet (web page in Polish language only)

[alundiak]

UPD: prisma@npm:5.7.0 (looked up in yarn.lock). And I see that almost latest: https://github.com/prisma/prisma/releases

✨ In this release, we improved the SQL queries Prisma Client generates for you with two new Preview features, the driver adapters, and support for the database drivers we currently support. 5.7.0 will be the last release of the year. Stay tuned for the next one in January! ✨

Maybe some breaking changes were introduced in 5.6.0?

[dthyresson]

Hi @alundiak I'll mention this issue to Prisma, but from what I've read, your DeepGuard software is letting you know that Prisma needs access to the "projects" folder -- since it reads the schema and will write to the folder when making migration files.

To me, this is just informative and it's letting you choose to allow that to happen or not. But, if you deny it, then Prisma may not work properly since -- it can't creator schema migration files.

Running yarn rw test accesses Prisma to create a test database (create a .sql or .db file), reset it, set data via scenarios, and then reset back to a known state with each test case. Therefore, it is not unreasonable for it to ask Prisma for permissions to access the project folder.

Question:

> Datasource "db": SQLite database "test.db" at "file:/Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/.redwood/test.db"

The SQLite database "test.db" at "file:/Users/lund/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023/.redwood/test.db" was successfully reset.
Error: SQLite database error
attempt to write a readonly database

Did you deny access and then got that message?

[alundiak]

Yes, I did deny because I wanted to see the RedwoodJS/Prisma behavior.

[alundiak]

I wouldn't expect that access to folder / files is matter of any DeepGuard/SecurityMalware software.

Besides, on the very similar conditions I have a setup of Nest JS with SQLite and I have file nestjs.db a database file, which NestJS creates, recreates, deletes and I have no warnings about access to folder or file removal from DeepGuard software.

By saying this, I think Prisma executable does something, which is treated as potential risky (or suspicious) behavior. Although I know it's not. It's just matter of surprise.

[dthyresson]

y saying this, I think Prisma executable does something

I mentioned this behavior to Prisma and will report back what they say might cause this.

[janpio]

Hey @prisma here 👋

db push indeed writes into your dev.db in your projects folder, and it seems this "DeepGuard" somehow sees this as problematic. It is not. When you use SQLite directly via Nest JS the request just comes from the Node process itself, while with Prisma it comes via our Schema Engine.

You can totally approve that file access, and potentially give the provider of that software feedback that it is being overly cautious.

In which folder are you running the commands?

[alundiak]

@janpio In folder ~/projects/sandbox_backend/RedwoodJS/my-redwood-project-2023 :)

[janpio]

Interesting, I would have expected the tool to understand that running a CLI in that project is expected to run executables from that project to also modify files from that project - it is not a very uncommon case I would say.

If you allow DeepGuard's prompt to access the projects folder, everything works as expected?

[alundiak]

@janpio Yes.

These worked OK before (meaning commands were not causing DeepGuard to interrupt):

• yarn rw dev
• yarn rw setup ui tailwindcss
• yarn rw storybook

This causes DeepGuard to interrupt, but after "Allow" I have results

• yarn rw test =>

PASS   api  api/src/directives/requireAuth/requireAuth.test.ts
PASS   api  api/src/directives/skipAuth/skipAuth.test.ts

Test Suites: 2 passed, 2 total
Tests:       3 passed, 3 total
Snapshots:   0 total
Time:        1.735 s

[janpio]

We didn't really change anything in how our Engine works.

Does it work again if you go back to an older version of Prisma that used to work in the past?

[alundiak]

@janpio I didn't have time to revert. I specifically upgrade my 2022 codebase setup with belief that it will behave the same or better :) But I started using DeepGuard some time recently just before I've upgraded my educational codebase to Redwood.JS v.6.x. anyway.

[janpio]

Ok. Then I would say you just found a slightly inconvenient feature of DeepGuard. We @prisma will not treat this as something to further investigate, unless you find something not working even when access is allowed.