Putting this here mostly as a placeholder, and I’ll probably spin it into a post in the #ideas category as well.
As mentioned in Release: email@example.com by @godmar, there are still some cases where a root-owned file ends up in the npm cache if you use sudo. I’ve identified 3 cases now, and the fact that cache file writing is spread out is kind of not ideal (that’s the #ideas bit). For the next v6, I intend to fix this somewhat tactically, just to get around the issue, but there’s some more strategic cleanup that could be done.
- Pacote doesn’t always pass uid/gid options to
Part of this was identified in https://github.com/zkat/pacote/issues/174, but it’s fixed more thoroughly in https://github.com/npm/pacote/commit/3d08925ade56efb9b94e29ad3c882f4044c79b1d. Pacote 9.5.2 will be in the next npm v6 release.
- We also write a file to the cache for metrics, which will be root owned when run as root.
- Lastly, we write a file to the cache for debug logs, which will result in a root-owned cache folder (!!) if the cache doesn’t already exist.
Like I said above, I intend to fix this somewhat surgically with the next v6 release, but it seems like we have a need for a “create a file/folder and preserve the dir tree ownership”, which starts to feel to me like a standalone module. I’m not sure.
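One way to implement the “create a file/folder and preserve the dir tree ownership” helper described above, as an added example that is not part of the original post and not npm's or pacote's own code. The function names `nearestExisting`, `mkdirpInferOwner` and `writeFileInferOwner` are hypothetical, and the approach (take the owner from the nearest ancestor that already exists) is an assumption about what such a module would do.

```javascript
'use strict'
const fs = require('fs')
const path = require('path')

// True only when running as root (e.g. under sudo); only root can give files away.
const isRoot = () => typeof process.getuid === 'function' && process.getuid() === 0

// Walk up from `target` to the nearest ancestor that already exists and
// return that path together with its owner.
function nearestExisting (target) {
  let dir = path.resolve(target)
  for (;;) {
    try {
      const st = fs.statSync(dir)
      return { dir, uid: st.uid, gid: st.gid }
    } catch (er) {
      const parent = path.dirname(dir)
      if (er.code !== 'ENOENT' || parent === dir) throw er
      dir = parent
    }
  }
}

// mkdir -p that hands every directory it creates to the owner of the
// nearest pre-existing ancestor. Returns the list of directories created.
function mkdirpInferOwner (target) {
  target = path.resolve(target)
  const { dir: base, uid, gid } = nearestExisting(target)
  const made = []
  for (let p = target; p !== base; p = path.dirname(p)) made.unshift(p)
  if (made.length) fs.mkdirSync(target, { recursive: true })
  if (isRoot()) for (const p of made) fs.chownSync(p, uid, gid)
  return made
}

// Write a file (debug log, metrics, cache entry) without leaving root-owned
// entries in a tree that belongs to another user.
function writeFileInferOwner (file, data) {
  file = path.resolve(file)
  const made = mkdirpInferOwner(path.dirname(file))
  const { uid, gid } = nearestExisting(path.dirname(file))
  fs.writeFileSync(file, data)
  if (isRoot()) fs.chownSync(file, uid, gid)
  return { made, uid, gid }
}
```

When the process is not root the `chown` calls are skipped, since everything it creates is already owned by the invoking user.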