npm 6.9.1 is broken due to .git folder in published tarball

Running npm install npm@6.9.1 -g; npm install npm@6.9.0 -g fails.

You can upgrade to the latest npm, but you cannot downgrade.

This is due to

npm ERR! EISGIT

If you run npm pack npm to download the tarball and unpack it, you will find ./.git/logs in there.

This is probably a linux related issue.

I’m running into the same issue.
After npm install -g npm@latest … any subsequent attempts to re-install npm (downgrade) will fail:

[2019-06-27T18:17:33.971Z] + npm install -g npm@latest
[2019-06-27T18:17:38.093Z] npm ERR! path /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm
[2019-06-27T18:17:38.093Z] npm ERR! code EISGIT
[2019-06-27T18:17:38.093Z] npm ERR! git /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm: Appears to be a git repo or submodule.
[2019-06-27T18:17:38.093Z] npm ERR! git     /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm
[2019-06-27T18:17:38.093Z] npm ERR! git Refusing to remove it. Update manually,
[2019-06-27T18:17:38.093Z] npm ERR! git or move it out of the way first.

This bug is amazing =D (forgive me, I’ve always been weirdly excited about twisty corner cases!) npm publish ignores .git folders by default but forces all files named readme to be included… And that forced include overrides the exclude. And then there was once a remote branch named readme… and that goes in the .git folder, gets included in the publish, which then permanently borks your npm install, because of EISGIT, which in turn is a restriction that’s afaik entirely vestigial, copied forward from earlier versions of npm without clear insight into why you’d want that restriction in the first place.

I suspect this potential was introduced with the tar rewrite. It never happened before, because no one publishing before had a git repo with a remote ref like that, either through luck, or by following the setup guide which recommends using a separate copy of the repo for publication.

This is gonna be brutal to fix though, 'cause there’s no facility for the existing version to fix itself in this scenario. Would have to fallback to some npx-able thing that removes the .git folder, and communicating that is gonna be rough.

6 Likes

Pack issue previously reported here: `npm pack` includes items from `.git` folder if there is a branch called `readme` (regression in 6.9.0)

1 Like

https://github.com/npm/cli/pull/204 should fix this. I’ll be throwing out a new release soon without the .git.

6.9.2 has been published. As Rebecca said, you’ll likely need to uninstall npm manually (or at least rimraf the .git directory inside it), but things should be good going forward. We are discussing whether to unpublish 6.9.1 as well, but this should stop any further accidents.

3 Likes

This is not just a bug due to a readme branch

See fake-s3@1.0.2 which contains a .git folder with a single file index.

There is another root cause for publishing .git directory.

And again tape-cluster@3.2.0, which also has a .git directory with just the index in it.

I think that’s due to this: https://github.com/Raynos/tape-cluster/blob/master/package.json#L8

So I’ll consider that a separate bug. Should definitely file a bug in npm-packlist for this, though.

Just to clarify: main: 'index' will include any file called index recursively, including dotfiles, into the tarball? Including .git/index?

If it was main: 'index.js' this would not be an issue unless I had .git/index.js in my .git folder for some unknown reason.

Yup, that’s what I’m saying. I think we only recently started making sure main was included in the tarball, but I can’t find that commit right now.

You should be able to test this with npm pack --dry-run.

Can confirm with npm pack --dry-run that setting it to index.js resolves the issue; can also confirm that changing main in a completely unrelated project to index adds .git/index to the npm pack --dry-run output.

1 Like
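A pre-publish gate in the spirit of the npm pack --dry-run check above, added here as an example and not code from npm or this thread: it opens the .tgz that npm pack produces and fails if any entry has a .git path component. The sample tarball it builds is constructed to mimic the two leaks discussed (.git/index pulled in by main: 'index', and files under .git/logs from a readme branch); the package name and file names in it are assumptions.

```python
# Added example (not npm's own code): a CI gate that scans the .tgz from
# `npm pack` for leaked .git entries. The sample tarball is constructed to
# mimic the broken 6.9.1 layout; its file names are assumptions.
import io
import tarfile
import tempfile
from pathlib import Path
from typing import List

def git_entries(tgz_path: str) -> List[str]:
    """Members whose path has a `.git` component (npm nests files under
    `package/`, so a leaked repo appears as `package/.git/...`)."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if ".git" in Path(m.name).parts)

def build_constructed_tarball(dest_dir: str, leak_git: bool) -> str:
    """Write a .tgz shaped like `npm pack` output (constructed sample data)."""
    path = str(Path(dest_dir) / "pkg-1.0.0.tgz")
    files = {
        "package/package.json": b'{"name":"pkg","version":"1.0.0","main":"index"}',
        "package/index.js": b"module.exports = 42;\n",
    }
    if leak_git:
        # Both leaks from the thread: `main: "index"` pulling in `.git/index`,
        # and a remote branch named `readme` leaving files under `.git/logs`.
        files["package/.git/index"] = b"DIRC"
        files["package/.git/logs/refs/remotes/origin/readme"] = b""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

def scan_constructed(leak_git: bool) -> List[str]:
    """Build a sample tarball in a temp dir and return its leaked entries."""
    with tempfile.TemporaryDirectory() as tmp:
        return git_entries(build_constructed_tarball(tmp, leak_git))

if __name__ == "__main__":
    for leak in (False, True):
        leaked = scan_constructed(leak)
        print("leaky" if leak else "clean", "->", leaked or "safe to publish")
```

In a real pipeline, point git_entries at the file npm pack writes and make the job fail when the returned list is non-empty, so a stray .git directory never reaches the registry.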

Can you file an issue about this in https://github.com/npm/npm-packlist/issues?

2 Likes