/to @rmg @bajtos

See TODO.txt for tracking of WIP (replaces the old gist https://gist.github.com/sam-github/8acbde690ef6b5554e91).

I think this does all the mandatory features, remaining work before release is:

• the git-related manipulations (will do in another PR)
• talk to @ritch and get his help testing the approach against a significant example repo, such as strongloop/loopback-example-full-stack (I had some difficulties with install and run, probably I'm doing it wrong).

I did

cd /tmp/
npm install statsd
cd node_modules/statsd
slc build -ibp --scripts
tar -tf ../statsd-0.7.2.tar.gz | grep build  # nothing!
find . -print | grep build  # lots!

And the packfile produced did not include node_modules/node-syslog/build/....

PR #25 adds new options to the slc build command.

At a minimum, update the command ref. Also review to see if any changes are needed in these (and child articles):

• http://docs.strongloop.com/display/SLC/Building+applications+with+slc
• http://docs.strongloop.com/display/SLC/Deployment+best+practices

NOTE: We should not make the doc changes until the change is published to npm.

I've been running into an issue where every second time I run this command slc build -ibp the npm run build command, which is automatically invoked, fails. I get the following output:

$ slc build -ibp --scripts
Running `npm install`
Running `npm run build`
Error on `npm run build`:
Failed to run `npm run build`:

> <my project>
> gulp default


Error: Cannot find module '<path_to_my_project>/node_modules/gulp/node_modules/v8flags/3.14.5.9.flags.json'

I know this looks like an issue with v8flags, but I'm not so sure that it is. When I rm -rf my node_modules and then do a fresh npm install I can invoke npm run build to my hearts content; but, when I invoke slc build -ibp, it will work only the first time.

Any thoughts??

Hello,

I'm not sure if this issue belongs here or within npm, but I'll start here and see if there is a solution within strongloop / slc.

I am using slc build --npm to package my node app into a .tgz that I can slc deploy to my production web server. This was working well when all of my dependencies were public npm modules.

Recently I've started using private npm modules that are scoped and hosted on nppmjs.org (https://www.npmjs.com/private-modules)

slc build -b appropriately adds my scoped module (e.g. @barwin/my-private-module) to the bundleDependencies array in package.json, but slc build --npm does not ultimately include the scoped module in the resulting .tgz file. All of my non-scoped (public) npm dependencies are included in the .tgz as expected. It's only an issue with the scoped modules.

I found a snippet in npm's faq about scoped dependencies:

https://docs.npmjs.com/misc/faq Unscoped packages can only depend on other unscoped packages. Scoped packages can depend on packages from their own scope, a different scope, or the public registry (unscoped).

Based on that, I tried renaming my top level project to be under the same scope as the private modules that I'm trying to bundle, but that had no effect.

Looking for any suggestions on how to accomplish this. Thanks!

Here is my app:

require('net').createServer().listen(0);

Here is what I get from slc build

Running `npm install --ignore-scripts`
Running `npm prune --production`
shell.js: internal error
Error: ENOENT, no such file or directory 'node_modules'
    at Error (native)
    at Object.fs.statSync (fs.js:801:18)
    at /usr/local/lib/node_modules/strongloop/node_modules/strong-build/node_modules/shelljs/src/find.js:42:12
    at Array.forEach (native)
    at Object._find (/usr/local/lib/node_modules/strongloop/node_modules/strong-build/node_modules/shelljs/src/find.js:39:9)
    at Object.find (/usr/local/lib/node_modules/strongloop/node_modules/strong-build/node_modules/shelljs/src/common.js:186:23)
    at Object.doNpmPack [as func] (/usr/local/lib/node_modules/strongloop/node_modules/strong-build/index.js:290:29)
    at Immediate._onImmediate (/usr/local/lib/node_modules/strongloop/node_modules/strong-build/node_modules/vasync/lib/vasync.js:213:20)
    at processImmediate [as _immediateCallback] (timers.js:358:17)

@kraman

Problem: npm run build fails on npm2 if there is no build run-script defined. Fix: Only run npm run build step if there is a build run-script defined.

The fix is easy, but I'm going to spend a few minutes trying to get CI green if I can.

The approach of using the npm pack output assumes that there is no other output from npm, which isn't true when there are build scripts.

connected to strongloop-internal/scrum-nodeops#766

replaces https://github.com/strongloop/strong-build/pull/30

Should squelch the warnings about json-file-plus being deprecated as well as reduce the number of lodash copies installed in a full strongloop installation.

• [x] failing test for verifying problem
• [ ] more complete tests
  • ensure we ignore files key in package.json
  • ensure .npmignore is ignored
  • ensure packages not listed in bundledDependencies are included
• [x] use custom tgz generator instead of npm pack
• [ ] annotate package.json with metadata about the state of the bundle

Connect to strongloop-internal/scrum-nodeops#1015

• [x] detect git repository
• [x] make --onto <branch> a modifier of --install instead of checking out branch
• [x] make --onto BRANCH default to "deploy"
• [x] when git detected, use --install --commit as default operation (implicit --onto deploy)
• [x] when committing, create branch if it doesn't exist
• [x] merge HEAD into deploy branch as separate commit before committing artifacts
• [x] skip merge if destination branch already up to date
• [x] don't commit build artifacts if they are identical to the target branch's content
• [x] update existing tests to match new behaviour
• [x] add tests to verify new behaviour

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/strong-build/pull/2 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/strong-build/1/README.md

User Comments:

Bounty URL: https://www.huntr.dev/bounties/1-npm-strong-build/

⚙️ Description *

strong-build was vulnerable against arbitrary command injection cause some user supplied inputs were taken and composed into string to be executed without prior validation. After update Arbitary Code Execution is avoided

💻 Technical Description *

Shelljs is used to execute command so param is sanitized with regexp, whitelisting alphanumeric characters

🐛 Proof of Concept (PoC) *

1. Install the package
2. Check there aren't files called HACKED
3. Execute the following commands:

bin/sl-build.js --onto '";touch HACKED; #' #  Run the PoC

4. It will create a file HACKED in the working directory.

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally

Can we add a --no-optional so slc build will install dependencies with npm install --no-optional? Our company's policy doesn't allow internet access on the build server, which slows down the build a lot when it tries to install an optional dependency sl-blip. Thanks!

It seems that the .npmignore file is only observed by the --pack option, not the --commit option. I woud prefer to use git as the mechanism to store our versioned builds, but obviously the git repository for my project contains a test folder for my tests. If I add 'test' to .npmignore and pack a build into tgz then the test folder (and anything else in .npmignore) is not included... alas if I commit a build to a deployment branch and then git clone/pull from this branch on the production machine, the test folder comes along for the ride.

I suppose there is perhaps no harm in these things hanging around on the production machine, but I'd prefer that they weren't there. (This also goes for things like IDE project files which are committed to git, but I would also add to a .npmignore file to have them excluded from the package or deploy branch commit).

http://stackoverflow.com/questions/1967370/git-replacing-lf-with-crlf

core.autocrlf set to false guarantees what gets checked out is what got checked in, this is appropriate for our use case

as-is, since npm (bless it) uses UNIX conventions for most of the files it writes, including the ones from most package.tgz files from npmjs.org, the "warning: LF will be replaced by CRLF in ...." will be spewed endlessly to the screen.... for files that the user has no control over.

We have to make sure its only temporarily false, though, and not mess with the user's defaults.