yarnpkg
[Bug?]: extra `chmod` on files inside `"bin"` section of `package.json`
Self-service
- [ ] I'd be willing to implement a fix
Describe the bug
When running yarn for a project which has a file in its "bin" section of package.json, a chmod is called for some unexpected reason, even if the file is already executable. This may lead to errors such as EPERM when the user calling yarn does not have the right to call chmod. Looks like there is no way to turn this off and no obvious description of why chmod is called during yarn.
I expect chmod not to be called if file listed in "bin" is already executable.
To reproduce
General steps:
- create a project using your preferred way of doing so;
- create new JavaScript file, with any name, like
index.jsand contents like:
#!/usr/bin/env node
console.log('JavaScript!');
- add to your
package.json:
{
"bin": { "index": "index.js" }
}
- forbid access to
chmodfor your user; - run
yarn; - see
Error: EPERM: operation not permitted, chmod '/path/to/index.js'.
This bug is not reproducible with Sherlock and/or by installing my package from npm. Repro is here just for the label, real reproduction below
expect("").toEqual("this is not to reproduce using JavaScript code only");
Environment
System:
OS: Linux 5.4 Debian GNU/Linux 11 (bullseye) 11 (bullseye)
CPU: (2) x64 AMD EPYC 7B12
Binaries:
Node: 19.7.0 - /tmp/xfs-b75d51da/node
Yarn: 4.0.2 - /tmp/xfs-b75d51da/yarn
npm: 9.5.0 - /usr/local/bin/npm
Additional context
An example is given here: https://gitlab.com/kormanowsky/yarn-extra-chmod-demo/-/jobs/5952937246
You may see that index.js already has rwxrwxrwx permissions so no need for a chmod.
The user test-user running the job is not allowed to execute /bin/chmod. This is done when building a Docker image for the test, it is located here https://hub.docker.com/layers/kormanowsky/yarn-extra-chmod-demo/latest/images/sha256-cc17cf5f7a6a7a545a7bb39ec1a49e064b91771bac581707c84d6e07a5323f63?context=repo
This issue reproduces on master:
Error: expect(received).toEqual(expected) // deep equality
Expected: "this is not to reproduce using JavaScript code only"
Received: ""
at module.exports (evalmachine.<anonymous>:2:12)
at /github/workspace/.yarn/cache/@arcanis-sherlock-npm-2.0.3-558f52b79f-69609f7d06.zip/node_modules/@arcanis/sherlock/lib/executeRepro.js:57:19
at executeInTempDirectory (/github/workspace/.yarn/cache/@arcanis-sherlock-npm-2.0.3-558f52b79f-69609f7d06.zip/node_modules/@arcanis/sherlock/lib/executeRepro.js:18:22)
at executeRepro (/github/workspace/.yarn/cache/@arcanis-sherlock-npm-2.0.3-558f52b79f-69609f7d06.zip/node_modules/@arcanis/sherlock/lib/executeRepro.js:25:18)
at ExecCommand.execute (/github/workspace/.yarn/cache/@arcanis-sherlock-npm-2.0.3-558f52b79f-69609f7d06.zip/node_modules/@arcanis/sherlock/lib/commands/exec.js:26:76)
at async ExecCommand.validateAndExecute (/github/workspace/.yarn/cache/clipanion-npm-2.0.0-rc.16-b9444aaf89-312910c71e.zip/node_modules/clipanion/lib/advanced/Command.js:161:26)
at async Cli.run (/github/workspace/.yarn/cache/clipanion-npm-2.0.0-rc.16-b9444aaf89-312910c71e.zip/node_modules/clipanion/lib/advanced/Cli.js:74:24)
at async Cli.runExit (/github/workspace/.yarn/cache/clipanion-npm-2.0.0-rc.16-b9444aaf89-312910c71e.zip/node_modules/clipanion/lib/advanced/Cli.js:83:28)
It turns out that it is not a problem with yarn, because running npm install in similar environment fails with a similar error too and there are issues like this https://github.com/npm/cli/issues/2632. As advised in that issue, updating node to v22 helped to fix this