doc: add section about using npx with permission model #56539
Conversation
|
Review requested:
|
|
@RafaelGSS and I tested this locally w/ both |
|
maybe add link to |
|
If you link please link to the latest version, not npm 8 |
|
Realized that this won't work for packages installed globally and for packages installed in the npx cache. The example given is for if the package is installed in the current package at cwd. Not sure if there's a good way to document what Examples using fish shell # installed globally
$ npm ls -g
/Users/wraithgar/.nvm/versions/node/v22.13.0/lib
├── [email protected]
$ npx --node-options="--permission --allow-fs-read=$(npm prefix -g)" json --version
json 11.0.0
written by Trent Mick
https://github.com/trentm/json# using npx cache
$ npx --node-options="--permission --allow-fs-read=$(npm config get cache)" semver parse 1.0.0
1.0.0This seems like a lot to try to document for this flag. |
|
Maybe we can wrap the permission model as an npx flag? As a new npx feature |
|
I would discourage adding a new npm config for this, as it would mean it wouldn't work for existing versions of npx, and in a way that it was silently ignored so you wouldn't know it wasn't working. Also it would mean having to keep npm in sync w/ these params if they ever changed or were added to. It would be completely decoupled from Node.js config itself, meaning someone would just have to "remember" to do it if Node.js changed. Showing users how to set the flags in npx is the best option, as it allows them to update the flags w/o having to wait on npm to update, and already works. |
RafaelGSS
force-pushed
the
mention-npx-node-options
branch
from
93ea0ab to
1105023
Compare
If you add a command line flag to npx, in a version that does not support it, it should should throw an unrecognized flag, I'd not expect |
We are working towards having npm do this, unfortunately because it doesn't do that now nobody using npx today would get an error. npm 12 (and npx by extension) should throw on unknown config. |
|
To be honest, I think documenting it is the best approach we could do to users, they will be 100% aware of paths they are giving access to, and it does make total sense for me having to give access explicitly to npx cache folder for instance. In the case of shebang, it goes a bit out of permission model scope, this is more unix path resolution, I don't think we should do something to make it "easier". This is a standard pattern. |
I see then it makes totally sense! Thanks |
RafaelGSS
force-pushed
the
mention-npx-node-options
branch
from
1105023 to
b8b9f9c
Compare
Co-Authored-By: Gar <[email protected]> Signed-off-by: RafaelGSS <[email protected]>
RafaelGSS
force-pushed
the
mention-npx-node-options
branch
from
b8b9f9c to
0f25b8e
Compare
RafaelGSS
added
the
author ready
jasnell
added
the
commit-queue
nodejs-github-bot
added
commit-queue-failed
Commit Queue failed- Loading data for nodejs/node/pull/56539 ✔ Done loading data for nodejs/node/pull/56539 ----------------------------------- PR info ------------------------------------ Title doc: add section about using npx with permission model (#56539) Author Rafael Gonzaga <[email protected]> (@RafaelGSS) Branch RafaelGSS:mention-npx-node-options -> nodejs:main Labels doc, author ready Commits 1 - doc: add section about using npx with permission model Committers 1 - RafaelGSS <[email protected]> PR-URL: https://github.com/nodejs/node/pull/56539 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Ruy Adorno <[email protected]> ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/56539 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Ruy Adorno <[email protected]> -------------------------------------------------------------------------------- ⚠ Commits were pushed since the last approving review: ⚠ - doc: add section about using npx with permission model ℹ This PR was created on Thu, 09 Jan 2025 21:49:15 GMT ✔ Approvals: 2 ✔ - Trivikram Kamat (@trivikr): https://github.com/nodejs/node/pull/56539#pullrequestreview-2541035334 ✔ - Ruy Adorno (@ruyadorno) (TSC): https://github.com/nodejs/node/pull/56539#pullrequestreview-2541159264 ✔ Last GitHub CI successful ℹ Green GitHub CI is sufficient -------------------------------------------------------------------------------- ✔ Aborted `git node land` session in /home/runner/work/node/node/.ncuhttps://github.com/nodejs/node/actions/runs/12727899336 |
marco-ippolito
removed
the
commit-queue-failed
marco-ippolito
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in b22c3d3 |
Co-Authored-By: Gar <[email protected]> Signed-off-by: RafaelGSS <[email protected]> PR-URL: #56539 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Ruy Adorno <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Co-Authored-By: Gar <[email protected]> Signed-off-by: RafaelGSS <[email protected]> PR-URL: nodejs#56539 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Ruy Adorno <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
cc: @wraithgar