[Pkg-zsh-devel] Fwd: [PATCH] Prevent npm completion from spamming update notifications
Daniel Shahaf
danielsh at apache.org
Sat Nov 10 01:33:44 GMT 2018
Forwarding from upstream. This is about a privacy breach in npm. I had
a quick look at the sid package of 'npm' and I don't see the phone-home
being disabled through debian/patches/, nor an open bug, but the version
number contains +ds and I am unsure whether the phone-home has been
removed through repackaging. (I can't figure out whether options.callback
would be non-null in node_modules/update-notifier/index.js.)

I assume this would be worth a bug report if the behaviour hasn't been
disabled by repackaging, but I don't use npm myself; does anyone
else here use npm and would like to follow up?

There's a related policy bug, #726998. (I ran into it years ago; it's
possible that a more closely related one might have been filed since then.)

Cheers,
Daniel

dana wrote on Fri, 09 Nov 2018 06:26 -0600:
> Newer versions of npm (and maybe older ones? but i never encountered it until
> now) check for updates whenever you run literally any sub-command, including the
> one that handles completion, and if it thinks it has something important to tell
> you about that it spams the screen with colourful ASCII-art boxes of nonsense.
>
> Fortunately the spam only makes its way to the screen once per session, since
> every time after that _npm_completion redirects it to /dev/null. But the npm
> call in _npm_completion is still wasting time on the update check/notification
> even when it's not showing the result. So i offer two possible fixes:
>
> 1. A conservative one that suppresses the visible spam but leaves the time-
> wasting checks
>
> 2. A more complete but possibly questionable one that monkey-patches their
> _npm_completion to avoid the time-wasting checks
>
> Is the second one too weird to ship with the shell?
>
> (Both patches also change the type call to a $commands check)
>
> dana
>
>
> ### CONSERVATIVE PATCH ###
> diff --git a/Completion/Unix/Command/_npm b/Completion/Unix/Command/_npm
> index f5493a321..d069fc107 100644
> --- a/Completion/Unix/Command/_npm
> +++ b/Completion/Unix/Command/_npm
> @@ -2,8 +2,8 @@
>
> # Node Package Manager completion, letting npm do all the completion work
>
> -if type npm > /dev/null; then
> - eval "$(npm completion)"
> +if (( $+commands[npm] )); then
> + eval "$(NPM_CONFIG_UPDATE_NOTIFIER=false npm completion)"
>
> _npm_completion "$@"
> fi
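
Review bot: the `NPM_CONFIG_UPDATE_NOTIFIER=false` prefix on the new `eval` line applies only to the single `npm completion` run that emits the function definition, so any npm call made later from inside `_npm_completion` still runs with the notifier enabled and still performs the update check (the phone-home this thread is concerned about). A one-line comment above the `eval` stating what the variable does and that it does not cover later calls would stop readers from taking this as a full fix. Separately, replacing `type npm` with `(( $+commands[npm] ))` narrows the test to external commands, so an `npm` provided as a shell function or alias no longer enables the completion; that change deserves its own mention in the commit message.
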
>
>
> ### FUNNY PATCH ####
> diff --git a/Completion/Unix/Command/_npm b/Completion/Unix/Command/_npm
> index f5493a321..c05f61c51 100644
> --- a/Completion/Unix/Command/_npm
> +++ b/Completion/Unix/Command/_npm
> @@ -2,8 +2,13 @@
>
> # Node Package Manager completion, letting npm do all the completion work
>
> -if type npm > /dev/null; then
> - eval "$(npm completion)"
> +if (( $+commands[npm] )); then
> + eval "$(NPM_CONFIG_UPDATE_NOTIFIER=false npm completion)"
> + # Monkey-patch their function to prevent update checks
> + functions[_npm_completion]="
> + local -x NPM_CONFIG_UPDATE_NOTIFIER=false;
> + ${functions[_npm_completion]}
> + "
>
> _npm_completion "$@"
> fi
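
Review bot: the `functions[_npm_completion]="..."` assignment assumes the preceding `eval` actually defined `_npm_completion`, and nothing in the added lines checks that. If `npm completion` fails or prints nothing usable, `${functions[_npm_completion]}` expands to an empty string, the assignment creates a function containing only the `local -x` line, and the following `_npm_completion "$@"` then succeeds silently while completing nothing. Wrapping the assignment in a `(( $+functions[_npm_completion] ))` test would keep the failure visible. The existing comment says what the patch does but not why exporting the variable inside the function is needed in addition to the prefix on the `eval` line; one more sentence there (the function invokes npm again on each completion) would make the intent clear to whoever maintains this after npm changes its generated script.
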
>
>