src: add env and cli option to disable global search paths#39754

zcbenz · 2021-08-13T02:17:22Z

For embedders it is usually not allowed for Node.js to search modules from global paths like $HOME/.node_modules, otherwise the behavior of the app could be changed because of a global installed module. For example, a global installed electron module should not break all require('electron') calls.

This PR adds an option to disable searching modules from global paths.

Also note that this change will have a merge conflict with #39712.

nodejs-github-bot · 2021-08-13T13:31:19Z

CI: https://ci.nodejs.org/job/node-test-pull-request/39566/

lib/internal/bootstrap/pre_execution.js

lib/internal/options.js

bmeck · 2021-08-13T16:12:24Z

i know it might be slightly out of scope, but could we add a CLI option for this or something so that stock installs could test against this behavior?

zcbenz · 2021-08-16T01:04:03Z

i know it might be slightly out of scope, but could we add a CLI option for this or something so that stock installs could test against this behavior?

I think it is a good idea, I have added --no-global-search-paths cli option in this PR.

Note that the version number in doc/api/cli.md is left as 16.?.? since I don't know what to fill.

doc/api/cli.md

src/env.cc

jasnell · 2021-08-17T17:21:54Z

Needs a rebase and a new CI run. Removing the author ready label for now.

nodejs-github-bot · 2021-09-01T12:31:32Z

CI: https://ci.nodejs.org/job/node-test-pull-request/39733/

nodejs-github-bot · 2021-09-03T14:30:33Z

CI: https://ci.nodejs.org/job/node-test-pull-request/39752/

aduh95 · 2021-09-16T22:28:40Z

@zcbenz Can you please rebase again to fix the git conflict?

nodejs-github-bot · 2021-09-17T02:51:30Z

CI: https://ci.nodejs.org/job/node-test-pull-request/39971/

src/node_options.cc

PR-URL: #39754 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]>

targos · 2021-09-18T14:02:19Z

Landed in 40c6e83...d9791d9

PR-URL: #39754 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]>

Notable changes: crypto: * (SEMVER-MINOR) add rsa-pss keygen parameters (Filip Skokan) #39927 doc: * add Ayase-252 to collaborators (Qingyu Deng) #40078 fs: * (SEMVER-MINOR) make `open` and `close` stream override optional when unused (Antoine du Hamel) #40013 http: * (SEMVER-MINOR) limit requests per connection (Artur K) #40082 src: * (SEMVER-MINOR) add --no-global-search-paths cli option (Cheng Zhao) #39754 * (SEMVER-MINOR) add option to disable global search paths (Cheng Zhao) #39754 * (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) #39926 stream: * (SEMVER-MINOR) add signal support to pipeline generators (Robert Nagy) #39067 PR-URL: TODO

PR-URL: #39754 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]>

Notable changes: crypto: * (SEMVER-MINOR) add rsa-pss keygen parameters (Filip Skokan) #39927 doc: * add Ayase-252 to collaborators (Qingyu Deng) #40078 fs: * (SEMVER-MINOR) make `open` and `close` stream override optional when unused (Antoine du Hamel) #40013 http: * (SEMVER-MINOR) limit requests per connection (Artur K) #40082 src: * (SEMVER-MINOR) add --no-global-search-paths cli option (Cheng Zhao) #39754 * (SEMVER-MINOR) add option to disable global search paths (Cheng Zhao) #39754 * (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) #39926 stream: * (SEMVER-MINOR) add signal support to pipeline generators (Robert Nagy) #39067 PR-URL: TODO

Notable changes: crypto: * (SEMVER-MINOR) add rsa-pss keygen parameters (Filip Skokan) #39927 doc: * add Ayase-252 to collaborators (Qingyu Deng) #40078 fs: * (SEMVER-MINOR) make `open` and `close` stream override optional when unused (Antoine du Hamel) #40013 http: * (SEMVER-MINOR) limit requests per connection (Artur K) #40082 src: * (SEMVER-MINOR) add --no-global-search-paths cli option (Cheng Zhao) #39754 * (SEMVER-MINOR) add option to disable global search paths (Cheng Zhao) #39754 * (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) #39926 stream: * (SEMVER-MINOR) add signal support to pipeline generators (Robert Nagy) #39067 PR-URL: #40175

ljharb · 2021-09-22T21:09:30Z

Any chance the default for this could be switched in a semver-major?

zcbenz · 2021-09-23T00:03:33Z

Any chance the default for this could be switched in a semver-major?

It will probably break utilities installed with npm i -g.

Some Linux distributions also provide packages for node modules, and they rely on global search paths to work.
https://packages.ubuntu.com/search?keywords=node&searchon=names&suite=hirsute&section=all

ljharb · 2021-09-23T03:22:23Z

Globally installed modules are pretty community-discouraged, as i think are distro-distributed npm packages, but fair callout.

nodejs/node#39754

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Aug 13, 2021

zcbenz force-pushed the no-global-search-patsh branch from 6deacca to 14b6713Compare August 13, 2021 02:27

addaleax approved these changes Aug 13, 2021
View reviewed changes

richardlau approved these changes Aug 13, 2021
View reviewed changes

targos approved these changes Aug 13, 2021
View reviewed changes

tniessen approved these changes Aug 13, 2021
View reviewed changes

addaleax added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. and removed needs-ci PRs that need a full CI run. labels Aug 13, 2021

addaleax added the embedding Issues and PRs related to embedding Node.js in another project. label Aug 13, 2021

jasnell approved these changes Aug 13, 2021
View reviewed changes

aduh95 reviewed Aug 13, 2021
View reviewed changes

lib/internal/bootstrap/pre_execution.js Outdated Show resolvedHide resolved
lib/internal/options.js Outdated Show resolvedHide resolved
lib/internal/options.js Outdated Show resolvedHide resolved

zcbenz force-pushed the no-global-search-patsh branch from 14b6713 to d3ea98bCompare August 16, 2021 01:01

zcbenz changed the title ~~src: add option to disable global search paths~~src: add env and cli option to disable global search pathsAug 16, 2021

zcbenz force-pushed the no-global-search-patsh branch from d3ea98b to b540122Compare August 16, 2021 08:01

aduh95 mentioned this pull request Aug 16, 2021
3.0.0 checks are broken? nodejs/remark-preset-lint-node#219
Closed

aduh95 reviewed Aug 16, 2021
View reviewed changes

doc/api/cli.md Outdated Show resolvedHide resolved

zcbenz force-pushed the no-global-search-patsh branch from b540122 to 3dc0320Compare August 16, 2021 11:10

addaleax reviewed Aug 16, 2021
View reviewed changes

src/env.cc Outdated Show resolvedHide resolved

zcbenz force-pushed the no-global-search-patsh branch from 3dc0320 to 7e7127dCompare August 17, 2021 01:34

jasnell removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Aug 17, 2021

fhinkel approved these changes Aug 17, 2021
View reviewed changes

zcbenz force-pushed the no-global-search-patsh branch from 7e7127d to f961b96Compare August 18, 2021 07:19

addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Sep 1, 2021

zcbenz added 2 commits September 17, 2021 09:22

src: add option to disable global search paths
efc5ddb

src: add --no-global-search-paths cli option
bc14859

zcbenz force-pushed the no-global-search-patsh branch from f961b96 to bc14859Compare September 17, 2021 00:23

gengjiawen added the request-ci Add this label to start a Jenkins CI on a PR. label Sep 17, 2021

github-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Sep 17, 2021

aduh95 reviewed Sep 17, 2021
View reviewed changes

src/node_options.ccShow resolvedHide resolved

targos added the semver-minor PRs that contain new features and should be released in the next minor version. label Sep 18, 2021

targos closed this Sep 18, 2021

BethGriggs mentioned this pull request Sep 21, 2021
v16.10.0 proposal #40175
Merged
1 task

codebytere added a commit to electron/electron that referenced this pull request Sep 23, 2021
src: add env and cli option to disable global search paths
6f5b56e
nodejs/node#39754

codebytere added a commit to electron/electron that referenced this pull request Sep 27, 2021
src: add env and cli option to disable global search paths
83c15bc
nodejs/node#39754

codebytere added a commit to electron/electron that referenced this pull request Sep 27, 2021
src: add env and cli option to disable global search paths
5dbcbcf
nodejs/node#39754

Uh oh!

src: add env and cli option to disable global search paths#39754

src: add env and cli option to disable global search paths #39754

Uh oh!

Conversation

zcbenz commented Aug 13, 2021

Uh oh!

nodejs-github-bot commented Aug 13, 2021

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bmeck commented Aug 13, 2021

Uh oh!

zcbenz commented Aug 16, 2021

Uh oh!

Uh oh!

Uh oh!

jasnell commented Aug 17, 2021

Uh oh!

nodejs-github-bot commented Sep 1, 2021

Uh oh!

nodejs-github-bot commented Sep 3, 2021

Uh oh!

aduh95 commented Sep 16, 2021

Uh oh!

nodejs-github-bot commented Sep 17, 2021

Uh oh!

Uh oh!

targos commented Sep 18, 2021

Uh oh!

ljharb commented Sep 22, 2021

Uh oh!

zcbenz commented Sep 23, 2021

Uh oh!

ljharb commented Sep 23, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants