Renovate image contains files with extraneous UID and GID #258

Closed
eocantu opened this issue Feb 9, 2023 · 9 comments


eocantu commented Feb 9, 2023

The following files in the Renovate image have a very large UID (2119470584) and GID (2042662593). This is preventing us from being able to build a docker image with this one as the parent in docker rootless mode due to limited subordinate IDs. We only started seeing this issue in the latest release (3.0.0). 2.6.0 did not have this issue.

$ ls -al /opt/buildpack/tools/lerna/6.3.0/node_modules/tmp/
total 44
drwxr-xr-x   3 root       root        4096 Jan 10 07:24 .
drwxr-xr-x 417 root       root       16384 Jan 10 07:24 ..
-rw-r--r--   1 2119470584 2042662593  1082 Jan 10 07:24 LICENSE
-rw-r--r--   1 2119470584 2042662593  9293 Jan 10 07:24 README.md
drwxr-xr-x   2 root       root        4096 Jan 10 07:24 lib
-rw-r--r--   1 2119470584 2042662593   751 Jan 10 07:24 package.json

Member

rarkins commented Feb 10, 2023

I'm pretty sure these are somehow being set by npm install itself

Collaborator

viceice commented Feb 10, 2023

This is probably caused by npm v9, which comes with the latest Node LTS.

Author

eocantu commented Feb 13, 2023

Is this something that could be addressed in the Renovate image?

I found localstack/localstack#7626 with a similar problem and it does appear to be caused by npm v9 not changing the file permissions any more.

Collaborator

viceice commented Feb 13, 2023

We can add a workaround inside the containerbase install tool, but in general it's not a Renovate fault.

The workaround will also slow down dynamic installs. 😕

Member

rarkins commented Feb 14, 2023

Can this be opted into or out of via an env variable? i.e. only do the extra work and slow down in environments where it matters

Collaborator

viceice commented Feb 14, 2023

Should be possible; please open an issue at the containerbase repo to track.

Author

eocantu commented Feb 16, 2023

FYI. I opened this issue with npm and it seems there's a fix in the works: npm/cli#6173

Author

eocantu commented Feb 23, 2023

This has been fixed in npm 9.5.1.

Before 9.5.1

root@6a51ad3b2ca1:/# npm -v
9.5.0

root@6a51ad3b2ca1:/tmp/test-install# npm install [email protected]

added 2 packages, and audited 3 packages in 652ms

found 0 vulnerabilities
npm notice
npm notice New patch version of npm available! 9.5.0 -> 9.5.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.5.1
npm notice Run npm install -g [email protected] to update!
npm notice

root@6a51ad3b2ca1:/tmp/test-install# ls -al node_modules/tmp/
total 32
drwxr-xr-x 3 root root 4096 Feb 23 15:29 .
drwxr-xr-x 4 root root 4096 Feb 23 15:29 ..
-rw-r--r-- 1 2119470584 2042662593 1082 Feb 23 15:29 LICENSE
-rw-r--r-- 1 2119470584 2042662593 9293 Feb 23 15:29 README.md
drwxr-xr-x 2 root root 4096 Feb 23 15:29 lib
-rw-r--r-- 1 2119470584 2042662593 751 Feb 23 15:29 package.json

With 9.5.1

root@6a51ad3b2ca1:/tmp/test-install# npm -v
9.5.1

root@6a51ad3b2ca1:/tmp/test-install# npm install [email protected]

added 2 packages, and audited 3 packages in 425ms

found 0 vulnerabilities

root@6a51ad3b2ca1:/tmp/test-install# ls -al node_modules/tmp/
total 32
drwxr-xr-x 3 root root 4096 Feb 23 15:33 .
drwxr-xr-x 4 root root 4096 Feb 23 15:33 ..
-rw-r--r-- 1 root root 1082 Feb 23 15:33 LICENSE
-rw-r--r-- 1 root root 9293 Feb 23 15:33 README.md
drwxr-xr-x 2 root root 4096 Feb 23 15:33 lib
-rw-r--r-- 1 root root 751 Feb 23 15:33 package.json

Author

eocantu commented Mar 3, 2023

Verified this is no longer an issue in 3.1.0.
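
A check for the condition discussed in this thread, as an added example that is not part of the original issue and not code from Renovate, containerbase or npm: it scans a tar archive (an npm package tarball or an exported image layer) for members whose UID or GID falls outside the range a rootless daemon can map. The 65536 limit, the function names and the sample archive are assumptions made for illustration.

```python
import sys
import tarfile
import io
from collections import Counter

# Assumption: the rootless daemon maps container IDs 0..65536 (the host user
# plus 65536 subordinate IDs); adjust to your /etc/subuid and /etc/subgid.
DEFAULT_MAX_ID = 65536


def find_unmappable(fileobj, max_id=DEFAULT_MAX_ID):
    """Return (name, uid, gid) for every archive member owned above max_id."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.uid > max_id or member.gid > max_id:
                hits.append((member.name, member.uid, member.gid))
    return hits


def summarize(hits):
    """Count offending members per (uid, gid) pair, most common first."""
    return Counter((uid, gid) for _, uid, gid in hits).most_common()


def build_sample_archive():
    """Constructed sample that mirrors the ownership shown in the listing."""
    entries = [
        ("node_modules/tmp/LICENSE", 2119470584, 2042662593),
        ("node_modules/tmp/README.md", 2119470584, 2042662593),
        ("node_modules/tmp/package.json", 2119470584, 2042662593),
        ("node_modules/tmp/lib/tmp.js", 0, 0),
    ]
    buf = io.BytesIO()
    # PAX headers carry IDs too large for the classic octal uid/gid fields.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, uid, gid in entries:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.size = uid, gid, len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_archive()
    hits = find_unmappable(src)
    for (uid, gid), count in summarize(hits):
        print(f"{count} member(s) owned by {uid}:{gid}")
```

Run it with a tarball path as the only argument to check a real archive; with no argument it scans the constructed sample.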
