λ ~ > yarn --version
0.27.5
nodemon depends on [email protected], and touch overrides the system touch command
λ ~ > which nodemon
/Users/fundon/.nvm/versions/node/v8.1.3/bin/nodemon
λ ~ > which touch
/Users/fundon/.nvm/versions/node/v8.1.3/bin/touch
# fish-shell
λ ~ > yarn global bin
/Users/fundon/.nvm/versions/node/v8.1.3/bin
λ ~ > echo $PATH
/Users/fundon/.nvm/versions/node/v8.1.3/bin /Users/fundon/.yarn/bin /Users/fundon/.config/yarn/global/node_modules/.bin /Users/fundon/.cargo/bin /Users/fundon/Dev/goroot/bin /Users/fundon/Library/Android/sdk/tools /Users/fundon/Library/Android/sdk/platform-tools /usr/local/bin /usr/bin /bin /usr/sbin /sbin
See https://github.com/isaacs/node-touch/blob/v1.0.0/bin/touch.js#L30
λ ~ > brew update
/usr/local/Homebrew/Library/Taps/michaeldfallen/homebrew-formula/.git/FETCH_HEAD Stats {
dev: 16777222,
mode: 33188,
nlink: 1,
uid: 501,
gid: 80,
rdev: 0,
blksize: 4096,
ino: 1099076,
size: 104,
blocks: 8,
atimeMs: 1499220846000,
mtimeMs: 1499220846000,
ctimeMs: 1499220846000,
birthtimeMs: 1487724022000,
atime: 2017-07-05T02:14:06.000Z,
mtime: 2017-07-05T02:14:06.000Z,
ctime: 2017-07-05T02:14:06.000Z,
birthtime: 2017-02-22T00:40:22.000Z }
/usr/local/Homebrew/Library/Taps/caskroom/homebrew-cask/.git/FETCH_HEAD Stats {
dev: 16777222,
mode: 33188,
nlink: 1,
I'm not sure if yarn is at fault here. If there's a module named rm with a binary named rm, and if you install it globally, it would override the native rm command too.
This seems more like an issue with the package and global installation. What do you think @fundon?
I think the issue is that they installed nodemon globally, which in turn installed node-touch. Since they didn't explicitly install node-touch globally, it probably shouldn't override the native touch command.
@arcanis good point. I'll try to look into this.
@BYK, as @arcanis says, those dependencies should not be a global installation (yarn global bin) and override the native commands.
Related: https://github.com/ember-cli/ember-cli/issues/7312
This allows for a security vulnerability, since unexpected global binaries are added without direct user knowledge and creates essentially something analogous to a phishing attack for system executables.
Will be fixed in the next release, scheduled pretty soon.
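As an added check, not part of this thread or of yarn itself: a POSIX sh function that lists executables in a package manager's global bin directory (the path `yarn global bin` prints) whose names also exist in a system directory, so a transitively linked binary like the `touch` above shows up before anything runs it. The directory names are arguments; the wrapper assumes the usual macOS/Linux system directories from the PATH shown above.

```shell
#!/bin/sh
# Lists executables in a package-manager bin directory (e.g. the output of
# `yarn global bin`) whose names shadow a command found in a system
# directory. Prints "name<TAB>shadowing_path<TAB>system_path" per hit.
# Usage: find_shadowed_commands BIN_DIR [SYSTEM_DIR ...]
find_shadowed_commands() {
  bin_dir=$1
  shift
  # Nothing to check if the global bin directory does not exist.
  [ -d "$bin_dir" ] || return 0
  for entry in "$bin_dir"/*; do
    # Skip non-executables (and the literal "*" of an empty directory).
    [ -x "$entry" ] || continue
    name=${entry##*/}
    for sys_dir in "$@"; do
      if [ -x "$sys_dir/$name" ]; then
        printf '%s\t%s\t%s\n' "$name" "$entry" "$sys_dir/$name"
        break
      fi
    done
  done
}

# Convenience wrapper (assumed directory list): compare the real yarn global
# bin against the system directories that appeared later in PATH above.
# Does nothing when yarn is not installed.
check_yarn_global_bin() {
  command -v yarn >/dev/null 2>&1 || return 0
  find_shadowed_commands "$(yarn global bin)" \
    /usr/local/bin /usr/bin /bin /usr/sbin /sbin
}
```

Any line it prints names a command that the package-manager directory will win for whenever that directory comes first in PATH, which is exactly the situation in the `which touch` output above.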