Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#63396 - [npm] [node-gyp] [semver] Non-root user and group owns package.json files
Attached to Project:
Community Packages
Opened by Blair Bonnett (bcb) - Wednesday, 07 August 2019, 07:37 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Thursday, 14 October 2021, 22:24 GMT
Details

With a freshly installed copy of npm 6.10.2-1, node-gyp 5.0.2-1 and semver 6.3.0-1 all the package.json files are owned by non-root users:

$ ls -l /usr/lib/node_modules/*/node_modules/*/package.json
-rw-r--r-- 1 1052 1002 1512 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/package.json
-rw-r--r-- 1 1052 1002 3773 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ajv/package.json
-rw-r--r-- 1 1052 1002 2343 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ansi-regex/package.json
-rw-r--r-- 1 1052 1002 1578 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/aproba/package.json
-rw-r--r-- 1 1052 1002 1778 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/are-we-there-yet/package.json
-rw-r--r-- 1 1052 1002 1875 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/asn1/package.json
-rw-r--r-- 1 1052 1002 2192 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/assert-plus/package.json
...

For npm and node-gyp it is UID 1052 and GID 1002, while for semver it is UID 1001 and GID 1001:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1001 1001
root root

As far as I can tell it only affects the package.json files:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1001 1001' | awk -F'/' '{print $NF}' | sort -u
package.json
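
The ownership check from the report above, as an added example that is not part of the original report or of any Arch tooling: it reads pacman -Ql output and queries each file with stat instead of parsing ls -l, so paths containing spaces and variable column widths do not skew the result. The function names nonroot_owned and summarize are hypothetical, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit files listed by `pacman -Ql` for unexpected ownership.
# Assumes GNU stat (coreutils), as shipped on Arch Linux.
# Function names are hypothetical, not part of pacman or any Arch tool.

# nonroot_owned [UID] [GID]
# Reads `pacman -Ql <pkg>...` output ("pkgname /path") on stdin and prints
# "uid gid path" for every non-directory entry whose numeric owner or group
# differs from the expected pair (default 0 0, i.e. root:root).
nonroot_owned() {
    want_uid=${1:-0}
    want_gid=${2:-0}
    while IFS= read -r line; do
        path=${line#* }                      # drop the leading package name
        case $path in */) continue ;; esac   # pacman lists directories with a trailing /
        [ -e "$path" ] || [ -L "$path" ] || continue   # listed but missing on disk
        # stat does not follow symlinks by default, so a link reports its own owner
        owner=$(stat -c '%u %g' -- "$path") || continue
        [ "$owner" = "$want_uid $want_gid" ] || printf '%s %s\n' "$owner" "$path"
    done
}

# summarize
# Collapses the report to unique "uid gid basename" lines, which combines the
# two views in the bug report (which IDs own files, and which file names).
summarize() {
    awk '{ n = split($0, parts, "/"); print $1, $2, parts[n] }' | sort -u
}

# Usage on an installed system:
#   pacman -Ql npm node-gyp semver | nonroot_owned | summarize
```

Numeric IDs are reported on purpose: an owner such as 1052 is whichever local account holds that UID, if any, so the name shown by ls varies from machine to machine.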
There's a workaround listed here linking to this issue - https://wiki.archlinux.org/title/Node.js_package_guidelines#Using_npm
The build owner issue is NOT solved.
While this would usually be better sorted in a new issue, many, many packages that applied this fix copied the wiki page example, thus a whole lot of packages, AUR or official repos, link here.
https://archlinux.org/packages/community/any/bower/
If a new issue were to be created it'd be good to at least leave a comment here and link to it, but it seems like that's impossible to do while this issue is closed.