zkat / pacote

programmatic npm package and metadata downloader (moved!)
https://github.com/npm/pacote
MIT License

pacote should pass on opts.uid/opts.gid when invoking cacache.put #174

Open godmar opened 5 years ago

godmar commented 5 years ago

One of my pet peeves with npm for as long as I remember has been that when following the provided installation instructions for Linux systems (specifically installing the NodeSource-provided packages in /usr) you invariably end up with a corrupted npm cache as soon as you follow the instructions to update npm that are printed as part of its update check. In fact, anytime you run npm with sudo npm install -g ... your cache is toast, meaning that it contains files owned by root.root that make it impossible to use npm in the intended way by the user who issued the npm install -g command.

I did some sleuthing and added a couple of debugging statements and my impression is that npm doesn't intend to behave that way. It appears that there is logic in place to ensure that files written while running under sudo are chown'd back to the user who invoked the sudo command as recognized by $SUDO_UID.

However, the call to cacache.put here ignores any opts.uid and opts.gid passed to it, resulting in cacache not fixing up the owner for any directories it creates. After applying the following patch:

--- /tmp/finalize-manifest.js   2019-05-26 18:47:04.093580989 +0000
+++ /usr/lib/node_modules/npm/node_modules/pacote/lib/finalize-manifest.js  2019-05-26 18:56:53.466398787 +0000
@@ -57,6 +57,8 @@
         } else {
           return cacache.put(
             opts.cache, cacheKey, '.', {
+              uid: opts.uid,
+              gid: opts.gid,
               metadata: {
                 id: manifest._id,
                 manifest,
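
Review bot: the two added lines forward opts.uid and opts.gid into the cacache.put options with no check that both are actually set, so when npm is not run under sudo, or only one of the two is present, the behaviour depends entirely on how cacache.put treats an undefined uid or gid. Please confirm that case is a no-op, or add the two keys only when both are numbers. The file headers show the diff was taken against the installed copy under /usr/lib/node_modules/npm/node_modules/pacote, so it should be redone against lib/finalize-manifest.js in the repository, and any other cacache.put call sites checked for the same omission.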

the issue disappears; more specifically, there are no more root.root owned files in ${HOME}/.npm/_cacache after running sudo npm install -g. (Caveat: only tested with sudo npm install -g create-react-app; no claims that this fixes all known issues related to sudo and npm.)

This is with npm:

{ npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  llhttp: '1.1.1',
  modules: '67',
  napi: '4',
  nghttp2: '1.37.0',
  node: '11.15.0',
  openssl: '1.1.1b',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.27.0',
  v8: '7.0.276.38-node.19',
  zlib: '1.2.11' }

on node 11.15.0. My apologies if this is already addressed.