When installing global modules, Yarn tries to create .cmd file in wrong directory #2192
Comments
|
If you work at FB you can repro this with a loaner Windows laptop. |
|
This is an issue with all global installs on windows in my experience. #1324 (comment) is the effect and the solution. I noted that the path generated in the |
|
Really bizarre, it's trying to write the file to C:\Program Files\Nodejs instead of in %LocalAppData% (C:\Users\gaearon\AppData\Local\ in your case). I remember seeing another issue about this. You can't write to C:\Program Files without escalating the process to admin rights, so it's the wrong place to put these files. From memory, they should actually be ending up in %LocalAppData%\Yarn\ |
Daniel15
changed the title
|
The same with react-native yarn global add react-native-cliwith react-native --versionand I get "$basedir/../../Users/juvasquezg/AppData/Local/Yarn/config/global/node_modules/.bin/react-native.cmd" "$@" the system cannot find the path specifiedGo to C:\Program Files\nodejs and I saw:
The fix is to delete react-native.cmd and rename react-native.cmd.cmd to react-native.cmd The Solution #1324 (comment) |
|
I've noticed that installing a global package works when using Powershell instead of Cmd. Binaries are saved on The only problem I noticed is that the Windows Installer sets the wrong PATH to This could be easily addressed by fixing the PATH in the Windows Installer and adding a note for Windows usage in the docs stating that it's only compatible with PowerShell. Is the Windows Installer in a different repo? I wouldn't mind sending a PR with these changes. |
|
@juvasquezg I don't have yarn installed on my system and I get the same error when running create-react-app to create a boilerplate app. when running the create-react-app command on a cmd window, the windows disappears when the command fails. I only see the error when I run the command in powershell. I see the create-react-app command is looking for some command file in a yarn directory which does not exit since yarn is not installed on my system. |
I think this is because you previously installed |
|
done; don't work |
|
What do you get if you run |
|
Dan;
this is what I've got from the powershell command:
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\SPEXP> get-command create-react-app
CommandType Name Version Source
----------- ---- ------- ------
Application create-react-app.cmd 0.0.0.0 C:\Program Files\nodejs\create-react-a...
this shows the app is installed properly, I think..
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 12:02 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
What do you get if you run Get-Command create-react-app?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr-Z6tBfYubl4KCsLViZK_rhW9KF5ks5rexivgaJpZM4LH0dc>.
|
|
This looks like it doesn't point to Yarn directory anymore. |
|
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Cannot load PSReadline module. Console is running without PSReadline.
PS C:\Users\SPEXP> create-react-app a0
C:\Users\SPEXP>"$basedir/../../Users/Carlos/AppData/Local/Yarn/config/global/node_modules/.bin/create-react-app.cmd" "$@"
The system cannot find the path specified.
C:\Users\SPEXP>exit $?
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 12:49 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
This looks like it doesn't point to Yarn directory anymore.
So what exactly gets printed when you run create-react-app myapp?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwry8A9c_XQ6joaF9bhC6wwaqG13Fzks5reyOvgaJpZM4LH0dc>.
|
|
Okay, maybe this command actually contains the path inside. Our goal is to break |
|
sure;
Path: C:\Users\SPEXP\AppData\Roaming\npm-cache\create-react-app\1.0.4
Directory-content of => C:\Users\SPEXP\AppData\Roaming\npm-cache\create-react-app\1.0.4
this where I can see the installed version 1.0.4 is located.
it is also located in the administrator's account
Directory-content of => C:\Users\admin\AppData\Roaming\npm-cache\create-react-app\1.0.4
I cleaned all of the system and user directories of any traces of either the create-react-app or of yarn....
hope this helps...
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 2:45 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
Okay, maybe this command actually contains the path inside.
Can you figure out where create-react-app is currently located, and then delete the command?
Our goal is to break create-react-app completely so that it doesn't try to run the Yarn version.
Then we can try reinstalling it.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr3pTPqVhAeATeR1wXGkhHyf4tO-Vks5rez7JgaJpZM4LH0dc>.
|
|
What about that |
|
BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!BINGO! BOINGO!
You've hit on something...
here's the directory contents and the contents of each of the create-react-app-files.. will delete and start all over again.
I would not even think of looking there and as you can see, THERE IS NO OTHER SUCH FILE FROM ANY OTHER INSTALL. AND THIS IS SUPPOSED TO BE A RESTRICTED FOLDER
leave it to facebook to break security WITHOUT LETTING THE USER KNOW WHAT THEY ARE DOING...
I will be raising an issue with FB, this is not right!!!!!
dir
Volume in drive C is SYSTEM-DISK
Directory of C:\Program Files\nodejs
02/08/2017 06:58 PM 446 create-react-app
02/08/2017 06:58 PM 117 create-react-app.cmd
02/08/2017 06:58 PM 106 create-react-app.cmd.cmd
01/31/2017 09:17 PM 18,514,072 node.exe
12/22/2016 06:01 PM 702 nodevars.bat
01/31/2017 08:02 PM 8,997 node_etw_provider.man
01/14/2014 11:21 PM <DIR> node_modules
12/22/2016 06:01 PM 4,974 node_perfctr_provider.man
11/16/2016 07:45 PM 867 npm
11/16/2016 07:45 PM 483 npm.cmd
9 File(s) 18,530,764 bytes
3 Dir(s) 169,940,586,496 bytes free
more create-react*
#!/bin/sh
basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
case `uname` in
*CYGWIN*) basedir=`cygpath -w "$basedir"`;;
esac
if [ -x "$basedir//bin/sh" ]; then
"$basedir//bin/sh" "$basedir/../../Users/Carlos/AppData/Local/Yarn/config/global/node_modules/.bin/create-react-app" "$@"
ret=$?
else
/bin/sh "$basedir/../../Users/Carlos/AppData/Local/Yarn/config/global/node_modules/.bin/create-react-app" "$@"
ret=$?
fi
exit $ret
"$basedir/../../Users/Carlos/AppData/Local/Yarn/config/global/node_modules/.bin/create-react-app.cmd" "$@"
exit $?
@"%~dp0\..\..\Users\Carlos\AppData\Local\Yarn\config\global\node_modules\.bin\create-react-app.cmd" %*
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 3:51 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
What about that C:\Program Files\nodejs\... path you mentioned in another issue? (I'm not sure how it finishes, but I'm assuming there's create-react-app script somewhere inside.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr2OJ39WaGA2dtS_jB5cktsvwBrIpks5re05HgaJpZM4LH0dc>.
|
|
the other wrinkle in this fiasco is that npm uninstall -g create-react-app DOES NOT CLEAN AFTER ITSELF, meaning that it leaves files all over the system. there has to be another cleaner way to create a react boilerplate scaffolding without breaking the system.
so far the issues are:
1) installs a software component without permissions on a restricted system directory creating a HUGE SECURITY RISK. WHAT IF A HACKER DECIDES TO ADD MALWARE TO THIS FILE AND INSTALL IT ON THE MAIN SYSTEM DISK.... HUGE HUGE HUGE ISSUE. THIS IS A DANGEROUS PIECE OF CR(#%#$%)P
2) DOES NOT CLEAN AFTER ITSELF leaving tons of garbage in three main areas: the user's roaming\npm-cache folder, the programs files nodejs area, and the yarn area.
somebody higher than me should raise this issue
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 3:51 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
What about that C:\Program Files\nodejs\... path you mentioned in another issue? (I'm not sure how it finishes, but I'm assuming there's create-react-app script somewhere inside.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr2OJ39WaGA2dtS_jB5cktsvwBrIpks5re05HgaJpZM4LH0dc>.
|
|
Dan;
removing the create(crap) files from the NODEJS WINDOWS SYSTEM FOLDER RESOLVES THE ISSUE. this is a HUGE problem... those files should not be there, they should be in the user's app area and not in the system area.................. ESPECIALLY WHEN THE INSTALL PUTS THESE FILE WITHOUT ANY WARNING NOR DOES IT REQUEST PERMISSION WHEN THEY ARE INSTALLED EVEN THOUGH THE ACCOUNT BEING USED TO INSTALL THESE FILES IS A NON-ADMIN ACCOUNT AND WITHOUT PERMISSION TO TOUCH/INSTALL/DELETE/REMOVE/ADD ANYTHING TO THE SYSTEM FILES.
what is the process of fixing this???????
I'll inform Microsoft about this issue to see if they can put their wight behind this HUGE SECURITY ISSUE.
Thanks for your help! great move on your question suggestion.
LuisCarlos Rodriguez
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 3:51 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
What about that C:\Program Files\nodejs\... path you mentioned in another issue? (I'm not sure how it finishes, but I'm assuming there's create-react-app script somewhere inside.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr2OJ39WaGA2dtS_jB5cktsvwBrIpks5re05HgaJpZM4LH0dc>.
|
|
and one more thing Dan;
Yarn DID not have to be uninstalled. all it did was to add the link to find the create-react files inside the create-react-app command files. just remove these files from the NODEJS directory and you are all set to go and re-install the boilerplate modules.....
hope this helps somebody else! and IT AIN'T WINDOWS FAULT!
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 3:51 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
What about that C:\Program Files\nodejs\... path you mentioned in another issue? (I'm not sure how it finishes, but I'm assuming there's create-react-app script somewhere inside.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr2OJ39WaGA2dtS_jB5cktsvwBrIpks5re05HgaJpZM4LH0dc>.
|
|
the message wasn't meant to be a rant but since I couldn't mark the text as bold, then I had not choice to to cap the statement. if it is a to point out a big security rick by a tool that clearly breaks security unlike any other tool, open source or not, then so be it.... I'm sure that if Microsoft were to break system security like this tool does, everybody would be up in arms.....
the fact is, the create-react-app breaks security in a HUGE way unlike any other tool and the only thing it does is create a folder structure.... give me a break....
if anybody got offended, well they should, security is a big issue.... end of story... and furthermore, I resolved the issue.... so you can put my RESOLVED ISSUE in the back of your line.
…________________________________
From: Mikeysauce <[email protected]>
Sent: Tuesday, February 21, 2017 5:03 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
All the caps and ranting comes across as extremely entitled. These tools are free and there is a right way and a wrong way to bring issues to the attention of the maintainers. I don't speak for anyone else, but if this were me I would be more inclined to put your specific problems to the back of the list based on how you're coming across.
I was one of the people with this very problem(if you scroll up a little bit) and found that subsequent releases of yarn fixed the problem entirely for me, in combination with cleaning out my nodejs folder before upgrading my yarn to remove the remnants and defective files.
I apologise to the maintainers if this post is inappropriate.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr8VunpHiHe9DOuERiv1b3CRR2_Ssks5re19OgaJpZM4LH0dc>.
|
|
Well, the whole permise of npm ecosystem is you don't really know what you're installing. It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature. The reason it didn't clean up after itself is the bug described in the very beginning of this issue. That is not intentional, and you’re welcome to help fix it if you want to. It’s an open source project after all. |
|
Dan,
"Well, the whole permise of npm ecosystem is you don't really know what you're installing<https://www.kb.cert.org/CERT_WEB/services/vul-notes.nsf/6eacfaeab94596f5852569290066a50b/018dbb99def6980185257f820013f175/$FILE/npmwormdisclosure.pdf>. It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature.
I hate to disagree with you, the problem is not yarn, the problem is the installer used by create-react-app. yarn does not install any thing on the system folder program files without permission, but create-react-app does and if yarn is installed, then what the create-react-app does is to inject the yarn link into its own batch files. yarn is completely unaware of the issue. and another thing when yarn is installed, it is installed in the programs files system folder after asking for permissions. if yarn, a facebook module, can as for permission, why cant the create-react-app do the same. also yarn is install in ONLY ONE place, the create-react-app is installed in two places, on the administrator's folder and the user's folder in addition to putting crap on the nodejs folder, what the hell, makes create-react-so special... it's supposed to be a boilerplate utility for crying out loud.
what makes me very concerned is that the programs file folder is a SYSTEMS folder and it's supposed to be a read only folder meaning you only install anything on system folders that need to go there after requesting and getting permission from the system admin. when that is violated, then the security of the system in at a very high risk of being caputed..... these files are being installed in our systems without our permission and without our knowing even when the account DOES NOT have administrator privileges as mine does not. you give me a piece of windows software that goes on a mac the same way, non-existent!!!!!!
of over 200 npm installs on my system not one has placed anything on a system folder without permission,not one until this create crap.... and I wonder why?
if you take a look at what is installed is two batch files that once placed on a system folder, they can execute anything on the system including viruses. I know that these software components are normally written for apple systems and windows is just an afterthought... and off-course any thing to damage a windows system is just OK I guess.
"Well, the whole permise of npm ecosystem is you don't really know what you're installing<https://www.kb.cert.org/CERT_WEB/services/vul-notes.nsf/6eacfaeab94596f5852569290066a50b/018dbb99def6980185257f820013f175/$FILE/npmwormdisclosure.pdf>. It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature.
I don't believe this statement and think that if that were true, all releases would happen in days not months or years as is the case with the opensource. don't get me wrong, I think the Eco system is fantastic and all of us are grateful for its existence but when a poor module places our systems and our livelihood in danger from viruses and malware, then it is our responsibility to call out the software designer even it is FACEBOOK. Heck, every-time Microsoft does it, they get sued for millions.
I do thank you for your help and support. I hope that just as you are instructing me on how the opensource works, you also go back to the powers that be at FACEBOOK and raise this security issue as well. I know I will!
Regards,
LuisCarlos Rodriguez
Microsoft SharePoint MCP / architect
…________________________________
From: Dan Abramov <[email protected]>
Sent: Tuesday, February 21, 2017 10:21 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
Well, the whole permise of npm ecosystem is you don't really know what you're installing<https://www.kb.cert.org/CERT_WEB/services/vul-notes.nsf/6eacfaeab94596f5852569290066a50b/018dbb99def6980185257f820013f175/$FILE/npmwormdisclosure.pdf>. It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature.
The reason it didn't clean up after itself is the bug described in the very beginning of this issue. That is not intentional, and you’re welcome to help fix it if you want to. It’s an open source project after all.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwrz1lMfFzIpf1vdqNvrVkOG3ou69lks5re6nTgaJpZM4LH0dc>.
|
You can file a new issue in this project, and describe the problem (i.e. "Yarn shouldn't require permissions for installing packages on Windows"). If npm behaves differently, the Yarn behavior could either be an oversight, or it could be a deliberate decision (e.g. to fix some other problem). I hope this helps! |
Nothing makes it special, it's just an npm package. Your complaint is about how Yarn and npm install packages. It may be a bug in Yarn, or it may be something else. It's definitely not related to Create React App in any way because it has no control over the installation process, and doesn't get any special treatment from either Yarn or npm. |
|
@dcu-sharepoint, please avoid using excessive capital letters. You can make text bold if you write your comments on GitHub rather than via email :)
@dcu-sharepoint - There's no way to bypass Windows' directory permissions... It's likely that the Node.js directory is writable for your user or something similar, or you're running your command prompt as administrator. Alternatively, UAC File Virtualization (eg. https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681) could be kicking in and the files may actually be going to
@gaearon - It's a pretty bad design choice IMO, and I'm hoping that we get proper integrity verification for packages in the future. People tend to go for convenience rather than security, which isn't always the best tradeoff. This is one of the major reasons why every installation method for Yarn (tarball/installer, Debian/Ubuntu package, Windows installer) has integrity verification of some sort. The tarball and Debian package are signed using GPG< and the Windows installer has an Authenticode signature. |
|
Thanks Dan;
somehow you did not seem to get the message: YARN is not the problems, CREATE-REACT-APP IS..., nuff said..
Thank you again,
…________________________________
From: Dan Abramov <[email protected]>
Sent: Wednesday, February 22, 2017 12:17 AM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Comment
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
the create-react-app is installed in two places, on the administrator's folder and the user's folder in addition to putting crap on the nodejs folder, what the hell, makes create-react-so special... it's supposed to be a boilerplate utility for crying out loud.
Nothing makes it special, it's just an npm package. Your complaint is about how Yarn and npm install packages. It may be a bug in Yarn, or it may be something else. It's definitely not related to Create React App in any way because it has no control over the installation process, and doesn't get any special treatment from either Yarn or npm.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr1JGnUKj1W2hTraQl3JkXoQpqgegks5re8TkgaJpZM4LH0dc>.
|
|
bold was not available as an option on an email message which is what I answered to...
Thanks
…________________________________
From: Daniel Lo Nigro <[email protected]>
Sent: Wednesday, February 22, 2017 12:17 AM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
@dcu-sharepoint<https://github.com/dcu-sharepoint>, please avoid using excessive capital letters. You can make text bold if you write your comments on GitHub rather than via email :)
ESPECIALLY WHEN THE INSTALL PUTS THESE FILE WITHOUT ANY WARNING NOR DOES IT REQUEST PERMISSION WHEN THEY ARE INSTALLED EVEN THOUGH THE ACCOUNT BEING USED TO INSTALL THESE FILES IS A NON-ADMIN ACCOUNT AND WITHOUT PERMISSION TO TOUCH/INSTALL/DELETE/REMOVE/ADD ANYTHING TO THE SYSTEM FILES.
@dcu-sharepoint<https://github.com/dcu-sharepoint> - There's no way to bypass Windows' directory permissions... It's likely that the Node.js directory is writable for your user or something similar, or you're running your command prompt as administrator. Alternatively, UAC File Virtualization (eg. https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681) could be kicking in and the files may actually be going to %LocalAppData%\VirtualStore\Program Files (x86).
It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature.
@gaearon<https://github.com/gaearon> - It's a pretty bad design choice IMO, and I'm hoping that we get proper integrity verification for packages in the future. People tend to go for convenience rather than security, which isn't always the best tradeoff. This is one of the major reasons why every installation method for Yarn (tarball/installer, Debian/Ubuntu package, Windows installer) has integrity verification of some sort. The tarball and Debian package are signed using GPG< and the Windows installer has an Authenticode signature.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr40rC8jnWMvJc4EMFPVQ94j9MlbRks5re8T-gaJpZM4LH0dc>.
|
|
Daniel;
somehow you guys are reading what you want to read. re-read the so-called RANT and you will see (if you want to or care to) that I stated multiple times that YARN is not the problem, create-react-app is, and it installed batch files in a system directory, end of story...
…________________________________
From: Daniel Lo Nigro <[email protected]>
Sent: Wednesday, February 22, 2017 12:17 AM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
@dcu-sharepoint<https://github.com/dcu-sharepoint>, please avoid using excessive capital letters. You can make text bold if you write your comments on GitHub rather than via email :)
ESPECIALLY WHEN THE INSTALL PUTS THESE FILE WITHOUT ANY WARNING NOR DOES IT REQUEST PERMISSION WHEN THEY ARE INSTALLED EVEN THOUGH THE ACCOUNT BEING USED TO INSTALL THESE FILES IS A NON-ADMIN ACCOUNT AND WITHOUT PERMISSION TO TOUCH/INSTALL/DELETE/REMOVE/ADD ANYTHING TO THE SYSTEM FILES.
@dcu-sharepoint<https://github.com/dcu-sharepoint> - There's no way to bypass Windows' directory permissions... It's likely that the Node.js directory is writable for your user or something similar, or you're running your command prompt as administrator. Alternatively, UAC File Virtualization (eg. https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681) could be kicking in and the files may actually be going to %LocalAppData%\VirtualStore\Program Files (x86).
It's by design, and Yarn does not change this behavior by default since most users consider installing arbitrary packages a feature.
@gaearon<https://github.com/gaearon> - It's a pretty bad design choice IMO, and I'm hoping that we get proper integrity verification for packages in the future. People tend to go for convenience rather than security, which isn't always the best tradeoff. This is one of the major reasons why every installation method for Yarn (tarball/installer, Debian/Ubuntu package, Windows installer) has integrity verification of some sort. The tarball and Debian package are signed using GPG< and the Windows installer has an Authenticode signature.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr40rC8jnWMvJc4EMFPVQ94j9MlbRks5re8T-gaJpZM4LH0dc>.
|
|
@dcu-sharepoint Sorry but what you’re claiming is just incorrect. Whatever the problem is, it’s entirely unrelated to |
|
the way to correct me is for you to get a windows 10 system an install the create module. I had a friend try it and he was able to confirm my SO-CALLED claim.
otherwise, otherwise to continue is FUTILE as the saying goes.....
anywho: thanks a bunch; it's been fun.... I've got it working and for what the create-react-app, it's not worth the fight if you are not even willing to listen much less do anything about it....
let this be the end of it.
…________________________________
From: Dan Abramov <[email protected]>
Sent: Wednesday, February 22, 2017 12:08 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
@dcu-sharepoint<https://github.com/dcu-sharepoint> Sorry but what you’re claiming is just incorrect. Whatever the problem is, it’s entirely unrelated to create-react-app because it’s just an npm package and has zero control over how it gets installed.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwrxUNDJ_IZMH1HIEHzly6XwICVCIjks5rfGuVgaJpZM4LH0dc>.
|
|
I will try to reproduce the issue, I'm not disputing it exists (we are discussing it in an open issue about this exact problem after all 😉 ). All I’m saying is that your diagnosis is incorrect:
This is not a Create React App problem because it doesn’t manage its own installation. It is a Yarn bug, which is why we are discussing it in the Yarn repo. |
|
Dan,
I appreciate your wisdom. however, yarn IS NOT installed on the system i'm working with now, it's never been installed and now while this issue is outstanding, it never will be installed in this system. so my question is how is it possible for yarn to come from the ether and install a couple of batch files for a single application on my window system where it's never been installed?
Anywho: you do your thing, I need to move and continue with my thing....
Again, thank you for your great efforts. if you need anything from, please do not hesitate to ask and I'll be more than happy to comply.
LuisCarlos
…________________________________
From: Dan Abramov <[email protected]>
Sent: Thursday, February 23, 2017 2:47 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
I will try to reproduce the issue, I'm not disputing it exists (we are discussing it in an open issue about this exact problem after all 😉 ).
All I’m saying is that your diagnosis is incorrect:
I stated multiple times that YARN is not the problem, create-react-app is
This is not a Create React App problem because it doesn’t manage its own installation. It is a Yarn bug, which is why we are discussing it in the Yarn repo.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwrxQeV83cGJlPNtLV5j7ohTsTRCVtks5rfeJtgaJpZM4LH0dc>.
|
I assumed it is, judging by the path you provided: |
|
Just to clarify this point:
Create React App has no installer. npm works slightly differently from how you might be used to, from example, in Windows ecosystem.
This is why you need either npm or Yarn to install So far, the problems you encountered seem to occur before running I assumed you were using Yarn to install it (with |
|
Dan,
can we start from the beginning?
1. yarn was uninstalled from windows, COMPLETELY via the windows control panel
2. create-react-app was uninstalled via the npm uninstall -g create-react-app; this does not work in any case as nothing is removed by the npm -g unsinstall leaving the create-react-app in the system, in other word the create-react-app does not clean after itself if it is removed from the system.
3. all references, folders and anything related to yarn, create-react-app has also been manually been removed.
4. the system has been rebooted.
I assumed it is, judging by the path you provided: \Users\Carlos\AppData\Local\Yarn\. This is the path used by Yarn so I assumed you had it installed. If you still have issues with Create React App that are reproducible without Yarn, please do file a new issue in Create React App repo, and I’ll be happy to take a look.
this path as provided by me was done during the beginning of my interaction with you and BEFORE I understood what was going on and any of the 4 points above had been done and before the create-react-app command files from the nodejs system folder in the program files system area were removed once I found them there.
after all of this, my team procured a different windows 10 laptop with none of this software in it, my team then installed node using the node.msi downloaded from the node site, updated npm to version 4 and then executed the npm install -g create-react-app to install the create-react-app which reproduces the problem.
my problems is the with the security issue and the disregard for putting extraneous files on system folders nili wili and without asking for permission when the component is being installed from a non-administrator account.
My team is working to figure out how the create-react-app is doing this and we've got a schedule test tomorrow morning to try to figure out exactly what is going on. I will be creating a new issue with the create-react-app repo and will keep you posted.
We now understand the reason why those two files are placed on the nodeJS folder and I will share that with you after we finish with the test in the morning.
Again, thank you for your efforts and will see on the other side of the fence....
LuisCarlos
…________________________________
From: Dan Abramov <[email protected]>
Sent: Thursday, February 23, 2017 3:34 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
however, yarn IS NOT installed on the system i'm working with now
I assumed it is, judging by the path you provided: \Users\Carlos\AppData\Local\Yarn\. This is the path used by Yarn so I assumed you had it installed. If you still have issues with Create React App that are reproducible without Yarn, please do file a new issue in Create React App repo, and I’ll be happy to take a look.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr-job_dz8-Rs-eSmBvCvac7YlxYrks5rfe1ZgaJpZM4LH0dc>.
|
|
this all will be fully explained later on today...
LuisCarlos
…________________________________
From: Dan Abramov <[email protected]>
Sent: Thursday, February 23, 2017 3:39 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
Just to clarify this point:
I hate to disagree with you, the problem is not yarn, the problem is the installer used by create-react-app.
Create React App has no installer. npm works slightly differently from how you might be used to, from example, in Windows ecosystem.
create-react-app is an npm package. It doesn’t have its own installer. It doesn’t even have any code that runs on your computer until you run create-react-app yourself. There is no post-install code in it.
This is why you need either npm or Yarn to install create-react-app. It can’t install itself, and doesn’t write any files to any system directories.
So far, the problems you encountered seem to occur before running create-react-app. You never really ran it because of the corrupted installation (and thus a wrong path). This is as much as I can diagnose from the logs you provided.
I assumed you were using Yarn to install it (with yarn global add create-react-app) judging by your logs. If this is not the case, please explain how exactly you installed create-react-app so that I can better understand the issue.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr4mYUM14HnJyQwuC5OMD708ff6Pzks5rfe5ygaJpZM4LH0dc>.
|
Well, in this case it shows that this is just how |
|
In other words, you can run |
|
I believe I am having a similar issue... On windows (in git bash) I ran
Strangely enough I was able to directly run that file myself, and it did exist. (Using the exact same full path starting at I ran
So there is something happening with yarn (most likely my fault, I admit). When I tried to
Very curious... I don't know if any of this helps narrow anything down but if there's anything I can do let me know! PS: This is what I get for being too lazy to get my mac out of my bag and hook it up. |
|
Thanks Dan;
Great answer; however, passing the buck was NOT the expected answer because if that were the case other apps would do the same and not just the create-react-app... I know that windows and open source is an oxymoron and only the mac environment is the only environment where these apps should be used, I don't know.... anywho: thank you. I won't cause any more issues...
…________________________________
From: Dan Abramov <[email protected]>
Sent: Friday, February 24, 2017 7:58 AM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
after all of this, my team procured a different windows 10 laptop with none of this software in it, my team then installed node using the node.msi downloaded from the node site, updated npm to version 4 and then executed the npm install -g create-react-app to install the create-react-app which reproduces the problem.
Well, in this case it shows that this is just how npm works 😉 . You can bring up your concerns with npm in this repo: https://github.com/npm/npm.
[https://avatars0.githubusercontent.com/u/6078720?v=3&s=400]<https://github.com/npm/npm>
GitHub - npm/npm: a package manager for javascript<https://github.com/npm/npm>
github.com
npm - a package manager for javascript ... More Severe Uninstalling. Usually, the above instructions are sufficient. That will remove npm, but leave behind anything ...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwr2ZHlD9RDoW96ZPi3avVZQqOEklFks5rftPvgaJpZM4LH0dc>.
|
As I already mentioned exactly the same thing happens with any other Node module you install globally if it has a bin script. I explained this in #2192 (comment). |
|
Dan
the keyword in your statement is "if it has a bin script". Those bin scripts are normally installed in the bin folder of the node-modules/bin node area not on the nodejs windows system folder by all of the applications I've installed so far except for the create-react-app. if you need to install anything on a windows system folder, then the app should ask for permission which is not the case with the create-react-app. if the create-react-app were to do this then it would be security compliant, that is all I'm saying. the interesting thing is that if you move those two command files from the nodejs area and put them in the user's area they work just as intended because they don't require any sudo(adminstrator) privileges as far as I know.
I downloaded the create-react-app source code so I can study it and understand what is happening... right now I seem to be taking out of the wrong side of my mouth so please give some time to study the code and I will get back to you on this one....
Thanks again for your concern.... great job...
…________________________________
From: Dan Abramov <[email protected]>
Sent: Sunday, March 19, 2017 2:22 PM
To: yarnpkg/yarn
Cc: L. Carlos Rodriguez; Mention
Subject: Re: [yarnpkg/yarn] When installing global modules, Yarn tries to create .cmd file in wrong directory (#2192)
if that were the case other apps would do the same and not just the create-react-app
As I already mentioned exactly the same thing happens with any other Node module you install globally if it has a bin script. I explained this in #2192 (comment)<#2192 (comment)>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2192 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVrwrzvqL1ntJxlNhqicUSCW_uM7-Lmuks5rnXJfgaJpZM4LH0dc>.
|
|
Submitted a pull request to fix this: #3233 |
|
@bestander @Daniel15 maybe we can closw this or am i wrong? O.o |
What is the current behavior?
Yarn fails to install
create-react-app:I have no such problem with npm:
If the current behavior is a bug, please provide the steps to reproduce.
What is the expected behavior?
It gets installed.
Please mention your node.js, yarn and operating system version.
Node 6.9.2
Yarn 0.17.10
Windows 10 Enterprise 10.0.14393 Build 14393
Yarn log
https://gist.github.com/gaearon/e67437d7a4102fe696a34dec2c7fe825
The text was updated successfully, but these errors were encountered: