FS#63396 - [npm] [node-gyp] [semver] Non-root user and group owns package.json files
Attached to Project:
Community Packages
Opened by Blair Bonnett (bcb) - Wednesday, 07 August 2019, 07:37 GMT
Last edited by Daniel M. Capella (polyzen) - Sunday, 09 July 2023, 21:34 GMT
Details
With a freshly installed copy of npm 6.10.2-1, node-gyp
5.0.2-1 and semver 6.3.0-1 all the package.json files are
owned by non-root users:
$ ls -l /usr/lib/node_modules/*/node_modules/*/package.json
-rw-r--r-- 1 1052 1002 1512 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/package.json
-rw-r--r-- 1 1052 1002 3773 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ajv/package.json
-rw-r--r-- 1 1052 1002 2343 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ansi-regex/package.json
-rw-r--r-- 1 1052 1002 1578 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/aproba/package.json
-rw-r--r-- 1 1052 1002 1778 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/are-we-there-yet/package.json
-rw-r--r-- 1 1052 1002 1875 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/asn1/package.json
-rw-r--r-- 1 1052 1002 2192 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/assert-plus/package.json
...

For npm and node-gyp it is UID 1052 and GID 1002, while for semver it is UID 1001 and GID 1001:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1001 1001
root root

As far as I can tell it only affects the package.json files:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1001 1001' | awk -F'/' '{print $NF}' | sort -u
package.json
Closed by Daniel M. Capella (polyzen)
Sunday, 09 July 2023, 21:34 GMT
Reason for closing: Fixed
Additional comments about closing: npm 9.8.0-1
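
The ownership check from the report can be run over a whole directory tree in one pass. The script below is an added example, not part of the original report or of any Arch package; the function name nonroot_owned and its arguments are made up for illustration. It assumes a stat(1) that accepts -c (GNU coreutils or BusyBox) and file names without newlines.

```shell
#!/bin/sh
# Added example: report files whose numeric owner or group is not the expected one.
# Usage: nonroot_owned DIR [UID] [GID]    (UID and GID default to 0, i.e. root:root)
# Prints unique "UID GID BASENAME" lines and returns 1 if anything was found,
# so it can gate a packaging or audit step. Returns 0 and prints nothing otherwise.
nonroot_owned() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    found=$(
        # Directories are skipped, as in the report's grep -v '/$'.
        find "$dir" ! -type d \( ! -user "$want_uid" -o ! -group "$want_gid" \) \
            -exec stat -c '%u %g %n' {} + |
        awk '{
            uid = $1; gid = $2
            sub(/^[0-9]+ [0-9]+ /, "")     # leave only the path, spaces included
            n = split($0, part, "/")       # last component is the file name
            print uid, gid, part[n]
        }' |
        sort -u
    )
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Run as a script: sh nonroot_owned.sh /usr/lib/node_modules
if [ "$#" -gt 0 ]; then
    nonroot_owned "$@"
fi
```

On a system affected as described above, running it against /usr/lib/node_modules would be expected to print one line per distinct owner pair, each ending in package.json.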
There's a workaround listed here linking to this issue - https://wiki.archlinux.org/title/Node.js_package_guidelines#Using_npm
The build owner issue is NOT solved.
While this would usually be better sorted in a new issue, many many packages that applied this fix copied the wiki page example, thus a whole lot of packages, AUR or official repos, link here.
https://archlinux.org/packages/community/any/bower/
If a new issue were to be created it'd be good to at least leave a comment here and link to it, but it seems like that's impossible to do while this issue is closed.