 

NodeJS unsafe-perm not working on package.json

I'm trying to run an npm install command with a preinstall script in my package.json. I know it's an antipattern but I need to run some scripts as root.

It's working fine by adding a .npmrc file containing unsafe-perm = true to my root directory. But it's not working by adding a config property in my package.json file:

   {
     "name": "foo",
     "version": "1.4.4",
     "config": {
        "unsafe-perm":true
     },
     "scripts" :  { 
        "preinstall" : "npm install -g bower"
     }
   }
   // It is not working

According to the NPM config docs, it's OK to add this property in my package file. I want to understand why it's not working.

nanndoj asked Feb 27 '15 11:02



2 Answers

When you add that property, you are adding it to the environment of your script with the prefix npm_config_package:

$ cat package.json
{
 "config": { "unsafe-perm": true }
}
$ npm run env | grep perm
$ npm run env | grep perm
npm_package_config_unsafe_perm=true
npm_config_unsafe_perm=true
$ sudo npm run env | grep perm
npm_package_config_unsafe_perm=true
npm_config_unsafe_perm=
$

This is for security reasons, sort of. It would not be good for an arbitrary package from the npm registry to allow you to change npm's config settings (e.g., what if it set prefix to /etc and installed a file named passwd).

However you can still get around it by setting the environment variable on your script line (this will not work on Windows):

$ cat package.json 
{
  "config": { "unsafe-perm": true },
  "scripts": { "foo": "npm_config_unsafe_perm=true env" }
 }
$ npm run foo | grep unsafe_perm
npm_config_unsafe_perm=true
npm_package_config_unsafe_perm=true
npm_lifecycle_script=npm_config_unsafe_perm=true env
npm_package_scripts_foo=npm_config_unsafe_perm=true env
$ sudo npm run foo | grep unsafe_perm
npm_config_unsafe_perm=true
npm_package_config_unsafe_perm=true
npm_lifecycle_script=npm_config_unsafe_perm=true env
npm_package_scripts_foo=npm_config_unsafe_perm=true env
$ 

This may be a bug in npm though, so I would recommend not relying on this behavior. Can you get away with using a different user than root?

Source: Tested with [email protected] on OSX. I am a support volunteer on the npm issue tracker, https://github.com/npm/npm/issues.

Sam Mikes answered Oct 03 '22 11:10
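The distinction shown in the answer above, as an added example that is not part of the original answers or npm's own code: `packageConfigEnv` derives the `npm_package_config_*` names a script receives from a package.json `config` block (the flattening rule is assumed from the output above), and `auditPackage` flags scripts that assign `npm_config_*` inline, which is worth reviewing in any dependency. Both function names and the sample object are hypothetical.

```javascript
'use strict';

// Hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Env names scripts receive for package.json "config" keys. Flattening rule
// assumed from the output above: "unsafe-perm" -> npm_package_config_unsafe_perm.
function packageConfigEnv(pkg) {
  const env = {};
  for (const [key, value] of Object.entries(pkg.config || {})) {
    env['npm_package_config_' + key.replace(/[^a-zA-Z0-9_]/g, '_')] = String(value);
  }
  return env;
}

// Flag scripts that assign npm_config_* inline, i.e. that set npm's own
// settings from inside a package instead of from .npmrc or the command line.
function auditPackage(pkg) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    const re = /(?:^|[\s;&|])(?:export\s+)?(npm_config_[a-z0-9_]+)=(\S*)/gi;
    let m;
    while ((m = re.exec(cmd)) !== null) {
      findings.push({
        script: name,
        variable: m[1].toLowerCase(),
        value: m[2],
        runsOnInstall: INSTALL_HOOKS.includes(name),
      });
    }
  }
  return findings;
}

// Constructed sample: the question's package.json plus the answer's "foo" script.
const sample = {
  name: 'foo',
  version: '1.4.4',
  config: { 'unsafe-perm': true },
  scripts: {
    preinstall: 'npm install -g bower',
    foo: 'npm_config_unsafe_perm=true env',
  },
};

console.log(packageConfigEnv(sample));
console.log(auditPackage(sample));
```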


unsafe-perm

Default: false if running as root, true otherwise

Type: Boolean

Set to true to suppress the UID/GID switching when running package scripts. If set explicitly to false, then installing as a non-root user will fail.

See https://docs.npmjs.com/misc/config#unsafe-perm

HDK answered Oct 03 '22 11:10