can't import from npm in the Web IDE

[gavinking]

I just get an "Internal Server Error".

@quintesse WDYT, could we fix this?

[quintesse]

I'm looking into this. I guess it has to do with NPM trying to install the modules to a place it has no write rights to.

[jvasileff]

I don't know much about npm (post install scripts, etc), but is this any easy way to run arbitrary code on the server?

[lucaswerkmeister]

Sounds like it, see npm-scripts(7). “Scripts are run by passing the line as a script argument to sh.” However, there is an --ignore-scripts option to npm install, so perhaps that’s enough to protect us?

[quintesse]

@lucaswerkmeister I don't see that option --ignore-scripts mentioned?

[quintesse]

Oh wow, it seems any unknown command line parameter is automatically interpreted as setting a config option

[lucaswerkmeister]

I can see it in the npm-install manpage on Node 6.8.1 (Arch), but not on 0.10.29 (Debian Jessie). Which version is running in production?

[quintesse]

Yay! Finally got this to work. Unfortunately it needed a change in the JS compiler so this is for 1.3.2 when it is released.

@chochos you probably need to take a look at the change I made to make sure it's all correct.

[gavinking]

Great!

[quintesse]

Well, to be honest I'm not sure if this is going to work 100%. The module I tested (node-uuid) works, but it's deprecated in favor of uuid and that one doesn't work. Possibly because the latter is a multi-file module while the former is just a single file.

[quintesse]

Yeah, that's the problem and all the solution people talk about are tools like Browserify to turn everything into a single file.