npm package / file ownership issues
Closed this issue · 10 comments
First of all, thank you very much for this package! Knowing that it has not been updated since 2019, I'd kindly like to ask if it would nevertheless be possible to release a new npm package because of file ownership issues that currently affect the functionality of the latest versions of https://github.com/github/super-linter in certain scenarios via its eslint-plugin-jsx-a11y dependency.
The specific issue in question is github/super-linter#3785 and this comment outlines the details. In short, the files within the npm package have very high user/group IDs which will not make it possible to use affected images for rootless podman/docker containers with default configurations.
I think this might be affecting MegaLinter too oxsecurity/megalinter#2348
Hi! Sorry this is causing problems. I made it 9 years ago and have no idea how it would break things. Before doing an NPM release do I need to update anything? I don't really understand the problem it would be causing.
I was thinking that maybe with a build in a clean environment, the packaged files wouldn't have weird user IDs included in the tarball.
I tried to setup some CI in a fork to test things out, but I can't get it to build. What were the steps that you run to build/package the project?
I believe just this gulp build step: https://github.com/kyldvs/ast-types-flow/blob/master/gulpfile.js#L6
but this was from 2015, so I'm not sure if it will actually run without changes. I don't think running the buildTypes script is actually important since we don't want to change any of the files. If someone sent a PR to manually fix the file owners/permissions to something appropriate that might work too
If someone sent a PR to manually fix the file owners/permissions to something appropriate that might work too
File owners/permissions aren't stored by Git, there is only the executable bit that is kept if I recall correctly. So there isn't any PR to make, probably just repackage.
Running into the same problem.
If you do npm pack ast-types-flow to download the release tarball and then run tar -ztvf ast-types-flow-0.0.7.tgz, you'll see these results:
tar -ztvf ast-types-flow-0.0.7.tgz
-rw-r--r-- 1 369884941 1876110778 749 Oct 30 2015 package/package.json
-rw-r--r-- 1 369884941 1876110778 2007 Sep 14 2015 package/README.md
-rw-r--r-- 1 369884941 1876110778 121821 Oct 30 2015 package/lib/types.js
Notice the high UID and GID? Those are the problem. I think a re-package in a clean environment and re-publish should fix the problem.
Happy to assist if needed.
Happy to publish a new version to npm. Can someone help by submitting a PR so that the appropriate scripts package things for me to publish cleanly? For example right now npm run-script build crashes. Even if you take out all the logic and just have the build copy/paste the existing distributed files in the right place I'd accept that.
Alternatively if that's unnecessary, tell me exactly the commands to run to publish from the latest commit and that would be helpful, I have not worked in this space in quite a while :)
I did a quick thing with Docker (I was in Dockerland anyway):
docker run -it node:10.24.1 bash
mkdir src && cd src
git clone https://github.com/kyldvs/ast-types-flow.git
cd ast-types-flow
npm install
npm run build
This worked successfully and you can find the resulting lib/types.js here: https://gist.github.com/rmehner/8aabc75dda33dc8bed1624f68230bec7
So what's left for you to do is this:
- make sure your local npm installation is authenticated (npm login)
- copy the above file into lib/types.js
- run npm version patch, which should increase the version to 0.0.8 and create a commit and git tag
- run npm publish to publish the package
- git push and git push --tags (actually not sure if still needed)
Hope this helps. If not, feel free to reach out. Happy to help.
@rmehner thanks a bunch for the clear steps. I think I've got a new release out, please let me know if this resolves the issues: https://www.npmjs.com/package/ast-types-flow/v/0.0.8
Getting the package with npm pack ast-types-flow@0.0.8 and then checking the contents of the package with tar -ztvf ast-types-flow-0.0.8.tgz leads to this:
-rw-r--r-- 0 0 0 1067 Oct 26 1985 package/LICENSE
-rw-r--r-- 0 0 0 122152 Oct 26 1985 package/lib/types.js
-rw-r--r-- 0 0 0 749 Oct 26 1985 package/package.json
-rw-r--r-- 0 0 0 2007 Oct 26 1985 package/README.md
Looks good! Thanks @kyldvs!