zkat / pacote

programmatic npm package and metadata downloader (moved!)
https://github.com/npm/pacote
MIT License

pacote leaves user-owned files in /usr/lib/node_modules on Linux under sudo #175

Open godmar opened 5 years ago

godmar commented 5 years ago

After documenting the source of the permission corruption regularly occurring in ~/.npm/_cacache (see issue #174), I looked at the opposite error, which is sudo npm install -g leaving files and directories owned by the invoking user in the global /usr/lib/node_modules folder (e.g., when using NodeSource's packages, which are recommended on nodejs.org).

Running, e.g., sudo npm install -g create-react-app leaves a slew of files owned by the invoking user/group under /usr/lib/node_modules. The reason is that pacote passes the uid/gid obtained from $SUDO_UID/$SUDO_GID to node-tar here, a change introduced with commit 2fa45989.

After applying this patch:

--- /usr/lib/node_modules/npm/node_modules/pacote/lib/extract-stream.js 2019-05-28 02:36:14.425241001 +0000
+++ /tmp/extract-stream.js  2019-05-28 02:36:05.437346917 +0000
@@ -55,8 +55,6 @@
     filter: (name, entry) => !entry.header.type.match(/^.*link$/i),
     strip: 1,
     onwarn: msg => opts.log && opts.log.warn('tar', msg),
-    uid: opts.uid,
-    gid: opts.gid,
     umask: opts.umask,
     transform: opts.resolved && pkgJsonTransform(spec, opts),
     onentry (entry) {
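Review bot: removing `uid: opts.uid,` and `gid: opts.gid,` unconditionally drops the SUDO_UID/SUDO_GID hand-off for every extraction, not only for root-owned destinations such as /usr/lib/node_modules, so an extraction under sudo into a tree the invoking user owns (the ~/.npm/_cacache situation this comment contrasts with) will now produce root-owned entries instead. A narrower change would keep the two lines and have the caller populate opts.uid/opts.gid only when the destination directory is already owned by that uid, so the global install path gets no override while the cache path keeps the behaviour commit 2fa45989 added.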

sudo npm install -g create-react-app completes successfully without leaving any user-owned files or directories in /usr/lib/node_modules, as can be verified using find(1).

This regression appears to have been introduced as part of release 5.0.1, but there does not appear to be a GitHub issue related/linked to the change, making it difficult to establish the context in which this change was introduced.