[Pkg-zsh-devel] Fwd: [PATCH] Prevent npm completion from spamming update notifications

Daniel Shahaf danielsh at apache.org
Sat Nov 10 01:33:44 GMT 2018


Forwarding from upstream.  This is about a privacy breach in npm.  I had
a quick look at the sid package of 'npm' and I don't see the phone-home
being disabled through debian/patches/, nor an open bug, but the version
number contains +ds and I am unsure whether the phone-home has been
removed through repackaging.  (I can't figure out whether options.callback
would be non-null in node_modules/update-notifier/index.js.)

I assume this would be worth a bug report if the behaviour hasn't been
disabled by repackaging, but I don't use npm myself; does anyone
else here use npm and would like to follow up?

There's a related policy bug, #726998.  (I ran into it years ago; it's
possible that a more closely related one might have been filed since then.)

Cheers,

Daniel

dana wrote on Fri, 09 Nov 2018 06:26 -0600:
> Newer versions of npm (and maybe older ones? but i never encountered it until
> now) check for updates whenever you run literally any sub-command, including the
> one that handles completion, and if it thinks it has something important to tell
> you about that it spams the screen with colourful ASCII-art boxes of nonsense.
> 
> Fortunately the spam only makes its way to the screen once per session, since
> every time after that _npm_completion redirects it to /dev/null. But the npm
> call in _npm_completion is still wasting time on the update check/notification
> even when it's not showing the result. So i offer two possible fixes:
> 
> 1. A conservative one that suppresses the visible spam but leaves the time-
>    wasting checks
> 
> 2. A more complete but possibly questionable one that monkey-patches their
>    _npm_completion to avoid the time-wasting checks
> 
> Is the second one too weird to ship with the shell?
> 
> (Both patches also change the type call to a $commands check)
> 
> dana
> 
> 
> ### CONSERVATIVE PATCH ###
> diff --git a/Completion/Unix/Command/_npm b/Completion/Unix/Command/_npm
> index f5493a321..d069fc107 100644
> --- a/Completion/Unix/Command/_npm
> +++ b/Completion/Unix/Command/_npm
> @@ -2,8 +2,8 @@
>  
>  # Node Package Manager completion, letting npm do all the completion work
>  
> -if type npm > /dev/null; then
> -  eval "$(npm completion)"
> +if (( $+commands[npm] )); then
> +  eval "$(NPM_CONFIG_UPDATE_NOTIFIER=false npm completion)"
>  
>    _npm_completion "$@"
>  fi
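Review bot: The `NPM_CONFIG_UPDATE_NOTIFIER=false` prefix on the `eval "$(... npm completion)"` line has no comment, and it only covers that single invocation. Add a one-line comment saying it suppresses the update-notifier output while the completion function is generated, and that the npm calls made later from `_npm_completion` are not affected. Separately, replacing `type npm` with `(( $+commands[npm] ))` narrows the test to external commands found in the path, so an `npm` that exists only as a shell function or alias no longer enters the block. If that is intended, the commit message should say so.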
> 
> 
> ### FUNNY PATCH ####
> diff --git a/Completion/Unix/Command/_npm b/Completion/Unix/Command/_npm
> index f5493a321..c05f61c51 100644
> --- a/Completion/Unix/Command/_npm
> +++ b/Completion/Unix/Command/_npm
> @@ -2,8 +2,13 @@
>  
>  # Node Package Manager completion, letting npm do all the completion work
>  
> -if type npm > /dev/null; then
> -  eval "$(npm completion)"
> +if (( $+commands[npm] )); then
> +  eval "$(NPM_CONFIG_UPDATE_NOTIFIER=false npm completion)"
> +  # Monkey-patch their function to prevent update checks
> +  functions[_npm_completion]="
> +    local -x NPM_CONFIG_UPDATE_NOTIFIER=false;
> +    ${functions[_npm_completion]}
> +  "
>  
>    _npm_completion "$@"
>  fi
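Review bot: The `functions[_npm_completion]="..."` assignment is missing a check that the preceding eval actually defined `_npm_completion`. If `npm completion` fails or prints nothing, `${functions[_npm_completion]}` expands to an empty string, the assignment still creates a function containing only the `local -x` line, and the final `_npm_completion "$@"` then returns success without completing anything instead of failing visibly. Guard the assignment with `(( $+functions[_npm_completion] ))`. As a style point, the `;` after `local -x NPM_CONFIG_UPDATE_NOTIFIER=false` is redundant before the newline. The comment could also state that the export is scoped to the function by `local`, so the user's environment is left alone.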
> 
> 


