feat: infer uid/gid instead of accepting as options by isaacs · Pull Request #1 · npm/cacache

isaacs · 2019-07-15T18:19:17Z

BREAKING CHANGE: the uid gid options are no longer respected or
necessary. As of this change, cacache will always match the cache
contents to the ownership of the cache directory (or its parent
directory), regardless of what the caller passes in.

Reasoning:

The number one reason to use a uid or gid option was to keep root-owned
files from causing problems in the cache. In npm's case, this meant
that CLI's ./lib/command.js had to work out the appropriate uid and gid,
then pass it to the libnpmcommand module, which had to in turn pass the
uid and gid to npm-registry-fetch, which then passed it to
make-fetch-happen, which passed it to cacache. (For package fetching,
pacote would be in that mix as well.)

Added to that, cacache.rm() will actually write a file into the
cache index, but has no way to accept an option so that its call to
entry-index.js will write the index with the appropriate uid/gid.
Little ownership bugs were all over the place, and tricky to trace
through. (Why should make-fetch-happen even care about accepting or
passing uids and gids? It's an http library.)

This change allows us to keep the cache from having mixed ownership in
any situation.

Of course, this does mean that if you have a root-owned but
user-writable folder (for example, /tmp), then the cache will try to
chown everything to root.

The solution is for the user to create a folder, make it user-owned, and
use that, rather than relying on cacache to create the root cache folder.

If we decide to restore the uid/gid opts, and use ownership inferrence
only when uid/gid are unset, then take care to also make rm take an
option object, and pass it through to entry-index.js.

BREAKING CHANGE: the uid gid options are no longer respected or necessary. As of this change, cacache will always match the cache contents to the ownership of the cache directory (or its parent directory), regardless of what the caller passes in. Reasoning: The number one reason to use a uid or gid option was to keep root-owned files from causing problems in the cache. In npm's case, this meant that CLI's ./lib/command.js had to work out the appropriate uid and gid, then pass it to the libnpmcommand module, which had to in turn pass the uid and gid to npm-registry-fetch, which then passed it to make-fetch-happen, which passed it to cacache. (For package fetching, pacote would be in that mix as well.) Added to that, `cacache.rm()` will actually _write_ a file into the cache index, but has no way to accept an option so that its call to entry-index.js will write the index with the appropriate uid/gid. Little ownership bugs were all over the place, and tricky to trace through. (Why should make-fetch-happen even care about accepting or passing uids and gids? It's an http library.) This change allows us to keep the cache from having mixed ownership in any situation. Of course, this _does_ mean that if you have a root-owned but user-writable folder (for example, `/tmp`), then the cache will try to chown everything to root. The solution is for the user to create a folder, make it user-owned, and use that, rather than relying on cacache to create the root cache folder. If we decide to restore the uid/gid opts, and use ownership inferrence only when uid/gid are unset, then take care to also make rm take an option object, and pass it through to entry-index.js.

isaacs self-assigned this Jul 15, 2019

isaacs force-pushed the infer-uid-gid branch from 64fb8a7 to ac84d14 Compare July 15, 2019 20:12

isaacs merged commit ac84d14 into latest Jul 15, 2019

isaacs mentioned this pull request Jul 25, 2019

deps: upgrade npm to 6.10.2 nodejs/node#28853

Closed

This was referenced Aug 13, 2019

[Snyk] Upgrade npm from 6.6.0 to 6.10.2 devopsred/gaia#4

Open

[Snyk] Upgrade npm from 6.10.1 to 6.10.3 tyhal/tyhal.com#104

Merged

This was referenced Aug 30, 2019

[Snyk] Upgrade npm from 6.0.0 to 6.11.1 iliutastoica/30-seconds-of-interviews#1

Open

[Snyk] Upgrade npm from 6.4.1 to 6.11.1 iliutastoica/fullstack-vue#4

Open

[Snyk] Upgrade npm from 6.10.0 to 6.11.2 sandorTuranszky/production-ready-expressjs-server#12

Merged

isaacs deleted the infer-uid-gid branch September 17, 2019 04:26

snyk-bot mentioned this pull request Sep 19, 2019

[Snyk] Upgrade npm from 6.4.1 to 6.11.3 ali8889/etherwallet#1

Open

snyk-bot mentioned this pull request Oct 1, 2019

[Snyk] Upgrade npm from 6.4.1 to 6.11.3 iliutastoica/fullstack-vue#5

Open

This was referenced Oct 26, 2019

[Snyk] Upgrade npm from 6.0.0 to 6.12.0 ajesse11x/30-seconds-of-interviews#1

Open

[Snyk] Upgrade npm from 6.2.0 to 6.12.0 restinpeaceinout/atom#28

Open

This was referenced Nov 5, 2019

[Snyk] Upgrade npm from 6.2.0 to 6.12.0 mvali95/atom#10

Open

[Snyk] Upgrade npm from 6.2.0 to 6.12.1 restinpeaceinout/atom#40

Open

snyk-bot mentioned this pull request Nov 14, 2019

[Snyk] Upgrade npm from 6.2.0 to 6.13.0 restinpeaceinout/atom#49

Open

snyk-bot mentioned this pull request Nov 25, 2019

[Snyk] Upgrade npm from 6.4.1 to 6.13.0 ali8889/etherwallet#7

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: infer uid/gid instead of accepting as options#1

feat: infer uid/gid instead of accepting as options#1
isaacs merged 1 commit intolatestfrom
infer-uid-gid

isaacs commented Jul 15, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

isaacs commented Jul 15, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant