Node executable path always prepended to PATH when running a package.json script #5935
Comments
ghost
assigned 
jasongrout
changed the title
jasongrout
changed the title
jasongrout
changed the title
|
see also #5874 |
|
Thanks for the reference. That definitely seems like the same issue. |
|
FYI, I think the node logic for auto-prepending the path is here: https://github.com/npm/npm/blob/4c65cd952bc8627811735bea76b9b110cc4fc80e/node_modules/npm-lifecycle/index.js#L163 |
|
I'll fix this for the 1.9.0. The goal of the faulty code is to force scripts executed through Yarn to use the same Yarn & npm than the ones currently executing Yarn - hijacking the PATH and affecting other binaries is an unfortunate side effects of the current implementation :( |
|
Thanks! |
|
@arcanis - We are trying to decide between downgrading yarn to avoid this bug, or waiting for the fix in 1.9.0. Do you happen to have any updates or timelines for a fix in 1.9.0? |
Fixes jupyterlab#4793 This avoids the bug in yarn noted at yarnpkg/yarn#5935, where a system path can override local paths. This bug can break executing commands from yarn in pipenv environments, for example.
|
I've been burnt by this trying to run @jasongrout Consider the following workaround:
#!/usr/bin/env bash
set -eu
s_path=$(printf "%s" "$PATH" | tr : \\n)
_IFS=$IFS
IFS=$'\n'
a_path=($s_path)
IFS=$_IFS
usr_bin=$(dirname -- "$(which node)")
n_usr_bin=$(egrep "^$usr_bin$" <(printf "%s" "$s_path") | wc -l)
r=()
for (( i = 0; i < ${#a_path[@]}; i++ )); do
if [ "${a_path[$i]}" = "$usr_bin" ] && (( n_usr_bin > 1 )); then
(( n_usr_bin-- ))
else
r+=("${a_path[$i]}")
fi
done
PATH=$(
for p in ${r[@]+"${r[@]}"}; do
printf "%s\n" "$p"
done | paste -sd:
)
"$@"Then, in "cmd1": "./fix-path.sh bin/rails test:system",
"cmd2": "./fix-path.sh bash -c 'echo $PATH' | tr : \\\\n" |
@jasongrout Hard to tell, I'm working on a large feature I really want to push in the 1.9.0 (and that includes the fix for this problem - which is a bit intricate so I'd prefer to avoid backporting it). I have hopes that I'll be able to publish it in a week or two. |
|
Great, thanks for the update!
…On Fri, Jun 29, 2018, 08:10 Maël Nison ***@***.***> wrote:
We are trying to decide between downgrading yarn to avoid this bug, or
waiting for the fix in 1.9.0. Do you happen to have any updates or
timelines for a fix in 1.9.0?
@jasongrout <https://github.com/jasongrout> Hard to tell, I'm working on
a large feature I really want to push in the 1.9.0 (and that includes the
fix for this problem - which is a bit intricate so I'd prefer to avoid
backporting it). I have hopes that I'll be able to publish it in a week or
two.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5935 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AALwZvKY4QrolwjSfaXDcNC3xlWNeEkBks5uBkN2gaJpZM4Ublla>
.
|
|
@arcanis - I see yarn 1.9.0 was just released. Just curious, was a fix for this merged in 1.9.0? |
|
Unfortunately no, my feature isn't stable enough to have made the cut, and I don't have much time at the moment to work on a backport of this specific issue. That said, if you're willing to work on a fix, we can merge it sooner (in short, what I do is: in |
|
Thanks for the update. I can't work on this in the next week, but if it's still open after that, I'll see about giving it a shot. |
|
(as an update, it's not looking like I have very much available time to work on this, so anyone watching this: please go ahead and don't wait for me) |
|
Here's a very rough look at what I think you folks are saying (probably wrong): the tests do pass locally (on linux), but I don't think it's taking any effect right now, and haven't quite figured out how to test it. |
Fixes yarnpkg#5935 yarnpkg#6178 is a partial fix for yarnpkg#5935. This adds the following: 1. Don’t prepend the path *after* the local directories. 2. Only prepend the path if the node binary found by searching the environment path is different from our executable path (including if no node is found in the path). This takes care of cases where another node binary precedes our node executable in the path.
Do you want to request a feature or report a bug?
Feature
What is the current behavior?
There is no way to eliminate the explicit prepending of the node executable directory to the PATH environment variable when running package.json scripts.
Npm has a
--scripts-prepend-node-pathcli switch and config option, which defaults to auto, which only prepends the node executable directory to the path if it is not in the path. Also, setting the option (i.e., totrue) prepends the node executable path just before the existing PATH, but after all of the local.bindirectories. See https://docs.npmjs.com/cli/run-script.Yarn, on the other hand, always prepends the node executable path (
yarn/src/util/execute-lifecycle-script.js
Lines 145 to 147 in ae2de7b
.bindirectories) if the--scripts-prepend-node-pathswitch is given (yarn/src/util/execute-lifecycle-script.js
Lines 177 to 179 in ae2de7b
Yarn's behavior is problematic. For example, if node is installed at the system level (e.g.,
/usr/bin), this effectively prepends/usr/binto the path with no recourse, which completely inverts and breaks a normal PATH ordering of having local directories override the global/usr/bindirectory. We saw this break a package.json script that called out to python, for example (it can break python virtual environments). You can also imagine many other situations when inverting the PATH priority like this can break things.Furthermore, the behavior introduced in #5787 seems problematic, in that the global node path now overrides any local
.bindirectories prepended to the path, directly contradicting the npm behavior (but having the same option name).What is the expected behavior?
I think npm's behavior here makes sense:
.bindirectories, etc (i.e., do the intelligent prepending atyarn/src/util/execute-lifecycle-script.js
Lines 145 to 147 in ae2de7b
yarn/src/util/execute-lifecycle-script.js
Lines 177 to 179 in ae2de7b
--scripts-prepend-node-pathCC @ivanov
Please mention your node.js, yarn and operating system version.
yarn 1.7.0
node 8.11.2
npm 5.6.0
macOS 10.13
The text was updated successfully, but these errors were encountered: