
doc: add section about using npx with permission model #56539

Status: Open. Wants to merge 1 commit into base: main
Conversation

RafaelGSS
Member

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Jan 9, 2025
@wraithgar

@RafaelGSS and I tested this locally w/ both npx and npm exec. This is the preferred way to set these flags, as it works in virtually all existing versions of npm already and does exactly what we need. Future changes to these flags only require updating the flags you set via this parameter, and no changes to npm would be needed.

@AugustinMauroy
Member

Maybe add a link to the npx docs for people not 100% aware of what npx is.

https://docs.npmjs.com/cli/v8/commands/npx

@wraithgar

If you link, please link to the latest version, not npm 8:

https://docs.npmjs.com/cli/commands/npx

@wraithgar

Realized that this won't work for packages installed globally and for packages installed in the npx cache. The example given is for when the package is installed in the current package at cwd.

Not sure if there's a good way to document what --allow-fs-read needs to be in other cases, and why. But here's what will work:

Examples using fish shell:

```
# installed globally
$ npm ls -g
/Users/wraithgar/.nvm/versions/node/v22.13.0/lib
├── json@11.0.0
$ npx --node-options="--permission --allow-fs-read=$(npm prefix -g)" json --version
json 11.0.0
written by Trent Mick
https://github.com/trentm/json
# using npx cache
$ npx --node-options="--permission --allow-fs-read=$(npm config get cache)" semver parse 1.0.0
1.0.0
```

This seems like a lot to try to document for this flag.
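The three cases in the comment above (package in the current project, installed globally, or fetched into the npx cache) differ only in which directory `--allow-fs-read` has to cover. The following POSIX sh script is an added example, not code from the PR or from npm: it picks the narrowest read root for a given binary and builds the `--node-options` value the thread recommends. Function names (`pick_read_root`, `permission_node_options`, `npx_permission_cmd`, `npx_with_permission`) and the `NPX_PERMISSION_DEMO` variable are invented for this example, and it assumes the Unix layout where global binaries live under `$(npm prefix -g)/bin`; the install locations are passed in as parameters so the selection logic runs without npm installed.

```shell
#!/bin/sh
# Added example (not from the PR or npm): choose the narrowest --allow-fs-read
# root for running a package binary through npx under Node's permission model.
# Assumed inputs (constructed for this example, passed in explicitly):
#   PROJECT_DIR   the current package's directory (local install, node_modules/.bin)
#   GLOBAL_PREFIX output of `npm prefix -g` (binaries under $GLOBAL_PREFIX/bin on Unix)
#   NPM_CACHE     output of `npm config get cache` (where npx fetches packages)

# permission_node_options ROOT
# Prints the value handed to --node-options: enable the permission model and
# allow file reads only below ROOT.
permission_node_options() {
  printf '%s' "--permission --allow-fs-read=$1"
}

# pick_read_root BIN PROJECT_DIR GLOBAL_PREFIX NPM_CACHE
# Prints the single directory that must be readable for BIN to load, checking
# the most specific location first so the grant stays as small as possible.
pick_read_root() {
  bin=$1; project=$2; gprefix=$3; cache=$4
  if [ -x "$project/node_modules/.bin/$bin" ]; then
    printf '%s' "$project"          # installed in the current package
  elif [ -x "$gprefix/bin/$bin" ]; then
    printf '%s' "$gprefix"          # installed globally
  else
    printf '%s' "$cache"            # not installed: npx will use its cache
  fi
}

# npx_permission_cmd BIN ROOT
# Prints the resulting npx command line, useful for review or audit logging.
npx_permission_cmd() {
  printf "npx --node-options='%s' %s" "$(permission_node_options "$2")" "$1"
}

# npx_with_permission BIN PROJECT_DIR GLOBAL_PREFIX NPM_CACHE [ARGS...]
# Runs BIN through npx with the computed read grant.
npx_with_permission() {
  bin=$1; project=$2; gprefix=$3; cache=$4; shift 4
  root=$(pick_read_root "$bin" "$project" "$gprefix" "$cache")
  npx --node-options="$(permission_node_options "$root")" "$bin" "$@"
}

# Live demo only when explicitly requested and npm is available, e.g.:
#   NPX_PERMISSION_DEMO=1 sh npx-permission.sh semver parse 1.0.0
if [ "${NPX_PERMISSION_DEMO:-}" = 1 ] && command -v npm >/dev/null 2>&1; then
  bin=$1; shift
  npx_with_permission "$bin" "$PWD" "$(npm prefix -g)" "$(npm config get cache)" "$@"
fi
```

Because `--allow-fs-read` is a grant, the selection order matters for least privilege: a project-local binary gets only the project directory, and the global prefix or the whole npm cache is granted only when the package actually lives there.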

@marco-ippolito
Member

marco-ippolito commented Jan 10, 2025

Maybe we can wrap the permission model as an npx flag, as a new npx feature?

@wraithgar

I would discourage adding a new npm config for this, as it would mean it wouldn't work for existing versions of npx, and in a way that it was silently ignored so you wouldn't know it wasn't working.

Also it would mean having to keep npm in sync w/ these params if they ever changed or were added to. It would be completely decoupled from Node.js config itself, meaning someone would just have to "remember" to do it if Node.js changed.

Showing users how to set the flags in npx is the best option, as it allows them to update the flags w/o having to wait on npm to update, and already works.
