Question

119

NodeJS unsafe-perm not working on package.json

rated 0 times [ 120] [ 1] / answers: 1 / hits: 19090 / 9 Years ago, fri, february 27, 2015, 12:00:00

I'm trying to run a npm install command with a preinstall script at my package.json. I know it's antipattern but I need to run some scripts as root.

It's working fine by adding a .npmrc file containing unsafe-perm = true to my root directory. But it's not working by add a config property in my package.json file:

   {

     name: foo,

     version: 1.4.4,

     config: {

        unsafe-perm:true

     },

     scripts :  { 

        preinstall : npm install -g bower

     }

   }

   // It is not working

According with NPM config docs it's ok adding this property in my package file. I want to understand why it's not working.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

tayla

Add To Favorites

Follow

Total Points: 681

Total Questions: 102

Total Answers: 108

Location: Marshall Islands

Member since Tue, Sep 21, 2021

3 Years ago

tayla questions

1 Problem embedding tiktok video into angular 7

Fri, Mar 5, 21, 00:00, 3 Years ago

1 Lodash - How to merge two arrays of objects based on key?

Wed, Oct 28, 20, 00:00, 4 Years ago

1 Horizontal scroll bar is appearing after using slick slider in the webpage

Wed, Oct 21, 20, 00:00, 4 Years ago

1 Jest: `querySelector` returns null in test of a ReactJS component

Sat, Jul 4, 20, 00:00, 4 Years ago

1 setTimeout with Promises

Thu, Apr 9, 20, 00:00, 4 Years ago

View All

answered 9 Years ago simone · Accepted Answer

When you add that property, you are adding it to the environment of your script with the prefix npm_config_package:

$ cat package.json

{

 config: { unsafe-perm: true }

}

$ npm run env | grep perm

$ npm run env | grep perm

npm_package_config_unsafe_perm=true

npm_config_unsafe_perm=true

$ sudo npm run env | grep perm

npm_package_config_unsafe_perm=true

npm_config_unsafe_perm=

$

This is for security reasons, sort of. It would not be good for an arbitrary package from the npm registry to allow you to change npm's config settings (e.g., what if it set prefix to /etc and installed a file named passwd)

However you can still get around it by setting the environment variable in on your script line (this will not work on Windows):

$ cat package.json 

{

  config: { unsafe-perm: true },

  scripts: { foo: npm_config_unsafe_perm=true env }

 }

$ npm run foo | grep unsafe_perm

npm_config_unsafe_perm=true

npm_package_config_unsafe_perm=true

npm_lifecycle_script=npm_config_unsafe_perm=true env

npm_package_scripts_foo=npm_config_unsafe_perm=true env

$ sudo npm run foo | grep unsafe_perm

npm_config_unsafe_perm=true

npm_package_config_unsafe_perm=true

npm_lifecycle_script=npm_config_unsafe_perm=true env

npm_package_scripts_foo=npm_config_unsafe_perm=true env

$

This may be a bug in npm though, so I would recommend not relying on this behavior. Can you get away with using a different user than root?

Source: Tested with [email protected] on OSX. I am a support volunteer on the npm issue tracker, https://github.com/npm/npm/issues.