
NPM 6.9.1 is broken due to .git folder in published tarball

source link: https://www.tuicool.com/articles/Jzqm2uN

:beetle: bugs

cli

triaged

priority:critical

Raynos (Jake Verbaten) 27 June 2019 20:17#1

Running npm install [email protected] -g; npm install [email protected] -g fails.

You can upgrade to latest npm but you cannot downgrade.

This is due to

npm ERR! EISGIT

If you run npm pack npm to download the tarball and unpack it you will find ./.git/logs in there.

This is probably a linux related issue.

morifucs (Maurie Williams) 27 June 2019 18:22#2

I’m running into the same issue.

After npm install -g npm@latest … any subsequent attempts to re-install npm (downgrade) will fail

[2019-06-27T18:17:33.971Z] + npm install -g npm@latest

[2019-06-27T18:17:38.093Z] npm ERR! path /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm

[2019-06-27T18:17:38.093Z] npm ERR! code EISGIT

[2019-06-27T18:17:38.093Z] npm ERR! git /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm: Appears to be a git repo or submodule.

[2019-06-27T18:17:38.093Z] npm ERR! git     /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm

[2019-06-27T18:17:38.093Z] npm ERR! git Refusing to remove it. Update manually,

[2019-06-27T18:17:38.093Z] npm ERR! git or move it out of the way first.

iarna (Rebecca Turner) 27 June 2019 19:20#3

This bug is amazing =D (forgive me, I’ve always been weirdly excited about twisty corner cases!) npm publish ignores .git folders by default but forces all files named readme to be included… And that forced include overrides the exclude. And then there was once a remote branch named readme… and that goes in the .git folder, gets included in the publish, which then permanently borks your npm install, because of EISGIT, which in turn is a restriction that’s afaik entirely vestigial, copied forward from earlier versions of npm without clear insight into why you’d want that restriction in the first place.

I suspect this potential was introduced with the tar rewrite. It never happened before, because no one publishing before had a git repo with a remote ref like that, either through luck, or by following the setup guide which recommends using a separate copy of the repo for publication.

This is gonna be brutal to fix though, 'cause there’s no facility for the existing version to fix itself in this scenario. Would have to fallback to some npx-able thing that removes the .git folder, and communicating that is gonna be rough.

zkat (Kat Marchán) 27 June 2019 19:58#5

https://github.com/npm/cli/pull/204 should fix this. I’ll be throwing out a new release soon without the .git.

zkat (Kat Marchán) 28 June 2019 04:11#6

6.9.2 has been published. As Rebecca said, you’ll likely need to uninstall npm manually (or at least rimraf the .git directory inside it), but things should be good going forward. We are discussing whether to unpublish 6.9.1 as well, but this should stop any further accidents.

2 Likes

Raynos (Jake Verbaten) 27 June 2019 20:10#7

This is not just a bug due to a readme branch

See [email protected] which contains a .git folder with a single file index.

There is another root cause for publishing .git directory.

Raynos (Jake Verbaten) 27 June 2019 20:12#8

And again [email protected] which also has a .git directory with just the index in it.

zkat (Kat Marchán) 27 June 2019 20:15#9

I think that’s due to this: https://github.com/Raynos/tape-cluster/blob/master/package.json#L8

So I’ll consider that a separate bug. Should definitely file a bug in npm-packlist for this, though.

Raynos (Jake Verbaten) 27 June 2019 20:17#10

Just to clarify; main: 'index' will include any file called index recursively, including dotfiles into the tarball ? including .git/index

If it was main: 'index.js' this would not be an issue unless I had .git/index.js in my .git folder for some unknown reason.

zkat (Kat Marchán) 27 June 2019 20:18#11

yup, that’s what I’m saying. I think we only recently started making sure main was included in the tarball, but I can’t find that commit right now.

zkat (Kat Marchán) 27 June 2019 20:18#12

you should be able to test this with npm pack --dry-run

Raynos (Jake Verbaten) 27 June 2019 20:22#13

Can confirm with npm pack --dry-run that setting it to index.js resolves the issue; can also confirm that changing main in a completely unrelated project to index adds .git/index to npm pack --dry-run
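
A pre-publish check for the problem discussed in this thread, as an added example that is not part of the original posts and is not npm's own code: it walks the headers of a packed tarball and reports any entry under a .git directory, the condition that later triggers EISGIT. The function names and the sample archive are constructed for illustration.

```javascript
// Added example (not npm's code): list the entries of an uncompressed npm
// tarball and flag any path with a ".git" segment. For a real .tgz, pass
// zlib.gunzipSync(fs.readFileSync(file)). pax/GNU long-name records are not decoded.
const BLOCK = 512;

// Read a NUL-terminated string field from a tar header block.
function field(header, start, length) {
  const raw = header.subarray(start, start + length);
  const end = raw.indexOf(0);
  return raw.subarray(0, end === -1 ? length : end).toString('utf8');
}

// Return every entry path in a ustar archive buffer.
function listTarEntries(tar) {
  const paths = [];
  for (let off = 0; off + BLOCK <= tar.length;) {
    const header = tar.subarray(off, off + BLOCK);
    if (header.every((b) => b === 0)) break; // zero block: end of archive
    const name = field(header, 0, 100);
    const prefix = field(header, 345, 155); // ustar path prefix, may be empty
    const size = parseInt(field(header, 124, 12).trim() || '0', 8); // octal
    paths.push(prefix ? `${prefix}/${name}` : name);
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // header + padded data
  }
  return paths;
}

// Entries inside a .git directory; ".gitignore" and similar do not match.
function findGitEntries(tar) {
  return listTarEntries(tar).filter((p) => p.split('/').includes('.git'));
}

// Constructed sample archive (header checksum left empty; not validated above).
function tarEntry(path, content) {
  const header = Buffer.alloc(BLOCK);
  header.write(path, 0, 100);
  header.write(content.length.toString(8).padStart(11, '0'), 124);
  header.write('ustar', 257);
  const data = Buffer.alloc(Math.ceil(content.length / BLOCK) * BLOCK);
  data.write(content);
  return Buffer.concat([header, data]);
}
const sampleTar = Buffer.concat([
  tarEntry('package/package.json', '{"name":"demo","main":"index"}'),
  tarEntry('package/index.js', 'module.exports = 1\n'),
  tarEntry('package/.git/index', 'DIRC'),
  Buffer.alloc(BLOCK * 2),
]);
console.log(findGitEntries(sampleTar));
```

A non-empty result from findGitEntries is a reason to stop the publish and inspect package.json (main, files) and the working tree before retrying.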

