npmã¨yarnã®è„†å¼±æ€§ã¨postinstall - Cybozu Inside Out | ã‚µã‚¤ãƒœã‚¦ã‚ºã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ãƒ

ãƒ•ãƒãƒ³ãƒˆã‚¨ãƒ³ãƒ‰ã‚¨ã‚ã‚¹ãƒ‘ãƒ¼ãƒˆãƒãƒ¼ãƒ ã®å°æž—(@koba04)ã§ã™ã€‚

å…ˆæ—¥ã€npmã‹ã‚‰è„†å¼±æ€§ã«ã¤ã„ã¦ã®ç™ºè¡¨ãŒã‚ã‚Šã¾ã—ãŸã€‚ èª¿ã¹ã¦ã„ãä¸ã§ã„ãã¤ã‹æ€ã†ã¨ã“ã‚ãŒã‚ã£ãŸã®ã§è§£èª¬ã‚‚å…¼ãã¦æ›¸ã„ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚

The npm Blog — Binary Planting with the npm CLI

npmã®åˆ©ç”¨è€…ã¨ã—ã¦ã‚„ã‚‹ã¹ãã“ã¨ã¯ã€

npmã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’6.13.4ä»¥ä¸Šã«ã‚ã’ã‚‹
yarnã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’1.21.1ä»¥ä¸Šã«ã‚ã’ã‚‹

ã§ã™ã€‚ npmã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒ6.13.4ã«ãªã£ãŸNodeã‚‚v8, v10, v12, v13ç³»ã§ãã‚Œãžã‚Œãƒªãƒªãƒ¼ã‚¹ã•ã‚ŒãŸã®ã§ã€ãã¡ã‚‰ã‚’åˆ©ç”¨ã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ ï¼ˆyarnã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¯åˆ¥é€”ã‚ã’ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ï¼‰ã€‚

nodejs.org

npmã«ã‚ˆã‚‹ç™ºè¡¨ã§ã¯ã€ä»Šå›žç™ºè¡¨ã•ã‚ŒãŸè„†å¼±æ€§ã¯2ä»¶ã‚ã‚‹ãŸã‚ã€ãã‚Œãžã‚Œå€‹åˆ¥ã«è€ƒãˆã¾ã™ã€‚

binã«ä»»æ„ã®ãƒ‘ã‚¹ã‚’æŒ‡å®šå‡ºæ¥ã‚‹ä»¶

npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã¯package.jsonã®binãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã«ã€ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã“ã¨ã§ä½¿ãˆã‚‹ã‚ˆã†ã«ãªã‚‹ã‚³ãƒžãƒ³ãƒ‰ã‚’æŒ‡å®šå‡ºæ¥ã¾ã™ã€‚ ä¾‹ãˆã°ã€eslintã®å ´åˆã¯ä¸‹è¨˜ã®ã‚ˆã†ã«æŒ‡å®šã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã¨eslintã‚³ãƒžãƒ³ãƒ‰ãŒnpm-scriptsã‚„npxçµŒç”±ã§åˆ©ç”¨å¯èƒ½ã«ãªã‚Šã¾ã™ã€‚

github.com

ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãªã„å ´åˆã€ã“ã®ã‚³ãƒžãƒ³ãƒ‰ã¯node_modules/.binã«é…ç½®ã•ã‚Œã¾ã™ã€‚ npm-scriptsã®å®Ÿè¡Œæ™‚ã¯ã“ã“ã«PATHãŒé€šã£ã¦ã„ã‚‹ãŸã‚ã€npm-scriptsã§ã¯eslintã‚³ãƒžãƒ³ãƒ‰ã¨ã—ã¦å®Ÿè¡Œã§ãã¾ã™ã€‚

ä»Šå›žã¯è„†å¼±æ€§ã®è©±ãªã®ã§è©³ã—ãè§£èª¬ã—ã¾ã›ã‚“ãŒã€binã«èˆˆå‘³æŒã£ãŸäººã¯ä¸‹è¨˜ã®ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã‚’å‚ç…§ã—ã¦ãã ã•ã„ã€‚

docs.npmjs.com

ä»Šå›žã®è„†å¼±æ€§ã¯ã“ã“ã®ã‚³ãƒžãƒ³ãƒ‰åã®éƒ¨åˆ†ã«ã€../../cdãªã©ã¨æŒ‡å®šã—ãŸã‚‰â€¦ï¼Ÿã¨ã„ã†è©±ã§ã™ã€‚ ç¾çŠ¶ã§ã¯ç‰¹ã«ã‚³ãƒžãƒ³ãƒ‰åã«å¯¾ã™ã‚‹ãƒã‚§ãƒƒã‚¯ãŒè¡Œã‚ã‚Œã¦ã„ãªã‹ã£ãŸãŸã‚ã€ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã ã‘ã§ä»»æ„ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ç½®ãæ›ãˆã‚‹ã“ã¨ãŒå¯èƒ½ã§ã‚ã‚Šã€ã“ã‚ŒãŒè„†å¼±æ€§ã§ã‚ã‚‹ã¨åˆ¤å®šã•ã‚Œã¾ã—ãŸã€‚

npmã§ã¯ã€ã“ã®è¾ºã‚Šã®commitã§ä¿®æ£ã•ã‚Œã¦ã„ã¾ã™ï¼ˆå†…éƒ¨ã§åˆ©ç”¨ã—ã¦ã„ã‚‹åˆ¥ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã®ä¿®æ£ï¼‰

github.com

yarnã§ã¯ã€ã“ã®è¾ºã‚Šã®commitã§ä¿®æ£ã•ã‚Œã¦ã„ã¾ã™

github.com

ã“ã®è„†å¼±æ€§ã¯ã€å«ä¾å˜ã®ã‚ˆã†ãªé–‹ç™ºè€…è‡ªèº«ãŒæ˜Žç¤ºçš„ã«æŒ‡å®šã›ãšã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã•ã‚Œã‚‹ä¾å˜ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‹ã‚‰ã§ã‚‚æ‚ªç”¨å¯èƒ½ãªãŸã‚ã€å¯¾å¿œã™ã¹ãã§ã™ã€‚

ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒåˆ¥ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’ä¸Šæ›¸ãã§ãã‚‹ä»¶

npmã¯ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆãƒãƒ¼ã‚«ãƒ«ã«ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã ã‘ã§ãªã--global(-g)ãƒ•ãƒ©ã‚°ã‚’ä½¿ã†ã“ã¨ã§ã‚°ãƒãƒ¼ãƒãƒ«ã«ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã§ãã¾ã™ã€‚ yarnã®å ´åˆã¯ã€globalã‚³ãƒžãƒ³ãƒ‰ã‚’åˆ©ç”¨ã—ã¾ã™ã€‚

ã‚°ãƒãƒ¼ãƒãƒ«ã«ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸå ´åˆã€ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒæä¾›ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰ã®ã‚·ãƒ³ãƒœãƒªãƒƒã‚¯ãƒªãƒ³ã‚¯ãŒ/usr/local/binä»¥ä¸‹ã«ä½œæˆã•ã‚Œã¾ã™ï¼ˆä½œæˆã•ã‚Œã‚‹å ´æ‰€ã¯å®Ÿè¡Œç’°å¢ƒã«ã‚ˆã‚Šç•°ãªã‚Šã¾ã™ï¼‰ã€‚ /usr/local/binã¨ã„ãˆã°ã€ä»–ã«ã‚‚Homebrewãªã©ã§ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã®ã‚³ãƒžãƒ³ãƒ‰ã‚‚é…ç½®ã•ã‚Œã‚‹å ´æ‰€ã§ã™ã€‚

ã“ã®è„†å¼±æ€§ã¯ã€ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã•ã‚ŒãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒã€binã«æŒ‡å®šã—ã¦ã„ã‚‹ã‚³ãƒžãƒ³ãƒ‰ã«ã‚ˆã£ã¦ã™ã§ã«ã‚ã‚‹åˆ¥ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’ä¸Šæ›¸ãã§ãã‚‹ã¨ã„ã†ã‚‚ã®ã§ã™ã€‚ ä¾‹ãˆã°jqã‚’Homebrewã‹ä½•ã‹ã§ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ã¦ã„ã‚‹çŠ¶æ…‹ã§ã€æ‚ªæ„ã®ã‚ã‚‹npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸå ´åˆã€ãã®binãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã«"jq" : "evil.js"ã®ã‚ˆã†ã«æ›¸ã‹ã‚Œã¦ã„ã‚‹ã¨ã€jqã‚³ãƒžãƒ³ãƒ‰ãŒä¸Šæ›¸ãã•ã‚Œã¦ã—ã¾ã†ã¨ã„ã†ã“ã¨ã§ã™ã€‚

ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã“ã¨è‡ªä½“ãŒãã‚“ãªã«å¤šããªã„ã®ã¨ã€ã‚ˆãã‚ã‹ã‚‰ãªã„npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚°ãƒãƒ¼ãƒãƒ«ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã“ã¨ã¯ã»ã¨ã‚“ã©ãªã„ã¨æ€ã†ã®ã§ã€1ã¤ã‚ã®ã‚‚ã®ã«æ¯”ã¹ã‚‹ã¨æ·±åˆ»åº¦ã¯ä½Žã„ã‹ãªã¨æ€ã„ã¾ã™ã€‚

npmã§ã¯ã€ã“ã®è¾ºã‚Šã®commitã§ä¿®æ£ã—ã¦ã„ã¾ã™ã€‚

github.com

å¯¾å¿œæ–¹æ³•ã¨ã—ã¦ã¯ã€ã™ã§ã«ã‚³ãƒžãƒ³ãƒ‰ãŒå˜åœ¨ã™ã‚‹å ´åˆã€ã‚·ãƒ³ãƒœãƒªãƒƒã‚¯ãƒªãƒ³ã‚¯å…ˆãŒä»Šã‹ã‚‰ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ã‚ˆã†ã¨ã—ã¦ã„ã‚‹ã‚‚ã®ã¨åŒã˜ã‹ã©ã†ã‹ç¢ºèªã—ã¦ã„ã¾ã™ã€‚

yarnã§ã¯ã€ã“ã‚Œã«å¯¾ã™ã‚‹ä¿®æ£ã¯ã¾ã è¡Œã‚ã‚Œã¦ã„ã¾ã›ã‚“ã€‚ ãªã®ã§ã€ä¸‹è¨˜ã®issueã§ã©ã†ã™ã‚‹ã®ã‹èžã„ã¦ã¿ã¾ã—ãŸã€‚

github.com

ä¸Šè¨˜ã®Issueã«ã‚ˆã‚‹ã¨ã€yarnã§ã¯ä»Šå›žã®ä»¶ã‚’ä¸‹è¨˜ã®3ã¤ã«åˆ†ã‘ã¦è€ƒãˆã¦ã„ã¾ã™ã€‚

Binary planting
Out-of-tree execution
Binary overlap

Binary plantingã¯1ã¤ç›®ã«ç´¹ä»‹ã—ãŸè„†å¼±æ€§ã§ã€å‰è¿°ã—ãŸé€šã‚Šyarnã¯1.21.1ã§ä¿®æ£æ¸ˆã¿ã§ã™ã€‚

Out-of-tree executionã¯ã€binãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã®ã‚³ãƒžãƒ³ãƒ‰åã®éƒ¨åˆ†ã§ã¯ãªãã€ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‘ã‚¹ã‚’æŒ‡å®šã™ã‚‹å´ã«/home/foo/bar ã®ã‚ˆã†ã«æŒ‡å®šã™ã‚‹ã“ã¨ã§ä»»æ„ã®ãƒã‚¤ãƒ³ãƒˆã«å¯¾ã™ã‚‹ã‚·ãƒ³ãƒœãƒªãƒƒã‚¯ãƒªãƒ³ã‚¯ã‚’ä½œæˆã§ãã‚‹ã¨ã„ã†ã‚‚ã®ã§ã™ã€‚

    {
      "bin": {
        "foo": "/home/foo/bar"
      }
    }

ã“ã‚Œã«ã¤ã„ã¦ã¯ã€Binary plantingã®å¯¾å¿œã¨åŒæ™‚ã«å¯¾å¿œã•ã‚Œã¦ã„ã¾ã™ã€‚ ãŸã ã—ã“ã¡ã‚‰ã«é–¢ã—ã¦ã¯ã€è„†å¼±æ€§ã§ã¯ãªãbugfixã¨ã„ã†æ‰±ã„ã«ã—ã¦ã„ã¾ã™ã€‚

Binary overlapã¯2ã¤ç›®ã«ç´¹ä»‹ã—ãŸä»¶ã§ã‚ã‚Šã€yarnã§ã¯å¯¾å¿œã•ã‚Œã¦ã„ãªã„ã‚‚ã®ã§ã™ã€‚ å¯¾å¿œã—ãªã„ç†ç”±ã¨ã—ã¦ã¯ã€ä¸Šè¨˜ã®Issueã§ã¯ä¸‹è¨˜ã®ã‚ˆã†ã«èª¬æ˜Žã•ã‚Œã¦ã„ã¾ã™ã€‚

éŽåŽ»ã«Binary overlapã‚’æ„å›³çš„ã«ã‚„ã£ã¦ã„ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒã‚ã‚Šã€ãã®æŒ™å‹•ã«å¯¾ã—ã¦Breaking Changeã¨ãªã‚‹ãŸã‚
ã“ã‚Œã‚‰ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã¯ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒæ„å›³ã—ã¦ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã§ã‚ã‚‹ãŸã‚

ãã®ãŸã‚ã€ç‰¹ã«ã‚°ãƒãƒ¼ãƒãƒ«ãªãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹å ´åˆã«ã¯ã€æ³¨æ„æ·±ãè¡Œã†å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚

ä¸Šè¨˜ã®Issueã«ã‚ˆã‚‹ã¨ã€yarnã¯v2ã§binã‚¹ã‚¯ãƒªãƒ—ãƒˆã¯Nodeã‚’é€šã˜ã¦ã®ã¿å®Ÿè¡Œå¯èƒ½ã«ã™ã‚‹ã“ã¨ã‚’è¨ˆç”»ã—ã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚ ã“ã‚Œã«ã‚ˆã‚Šã€Nodeä¸Šã§ã‚µãƒ³ãƒ‰ãƒœãƒƒã‚¯ã‚¹ç’°å¢ƒã‚’æ§‹ç¯‰ã—ã¦ãã®ä¸Šã§å®Ÿè¡Œã•ã›ã‚‹ã“ã¨ãŒå¯èƒ½ã«ã§ãã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚ yarnã¯NodeãŒã“ã®ã‚ˆã†ãªã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒãƒªã‚·ãƒ¼ã‚’å®Ÿè£…ã™ã‚‹ã“ã¨ã‚’æœŸå¾…ã—ã¦ã„ã¾ã™ã€‚

postinstallã¨install

ä»Šå›žã®è„†å¼±æ€§ã«ã¤ã„ã¦ã¯ã“ã“ã¾ã§ã§ã™ãŒã€å‰è¿°ã—ãŸIssueã§ã¯postinstallã®å±é™ºæ€§ã«ã¤ã„ã¦ã‚‚è¨€åŠã•ã‚Œã¦ã„ã¾ã™ã€‚

npmã§ã¯ã€publishã‚„packãªã©ã€ä»»æ„ã®ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã§å‘¼ã°ã‚Œã‚‹scriptã‚’npm-scriptsã¨ã—ã¦ç™»éŒ²å‡ºæ¥ã‚‹ä»•çµ„ã¿ãŒã‚ã‚Šã¾ã™ã€‚ ã©ã®ã‚ˆã†ãªscriptã‚’ç™»éŒ²å‡ºæ¥ã‚‹ã®ã‹ã¯ä¸‹è¨˜ã®ãƒšãƒ¼ã‚¸ã‚ˆã‚Šç¢ºèªå¯èƒ½ã§ã™ã€‚

docs.npmjs.com

ãã®ä¸ã«ã€installã¨postinstallãŒã‚ã‚Šã¾ã™ã€‚ ã“ã‚Œã‚‰ã¯åˆ©ç”¨è€…ãŒãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹éš›ã«å®Ÿè¡Œã•ã‚Œã‚‹ã‚¹ã‚¯ãƒªãƒ—ãƒˆã§ã™ã€‚ ã¤ã¾ã‚Šã€ãŸã npm installã™ã‚‹ã ã‘ã§ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã«å¯¾ã—ã¦ä»»æ„ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆå®Ÿè¡Œã‚’è¨±å¯ã—ã¦ã„ã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ ãã®ãŸã‚ã€çµæžœçš„ã«æ‚ªæ„ã®ã‚ã‚‹ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒä¾å˜é–¢ä¿‚ã«å«ã¾ã‚Œã¦ã—ã¾ã£ãŸå ´åˆã«ã¯ã€npm installã™ã‚‹ã ã‘ã§æ‚ªæ„ã®ã‚ã‚‹ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’å®Ÿè¡Œã•ã‚Œã¦ã—ã¾ã„ã¾ã™ã€‚

ã¤ã¾ã‚Šã€ä»Šå›žã®ã‚ˆã†ãªè„†å¼±æ€§ã‚’åˆ©ç”¨ã›ãšã¨ã‚‚æ‚ªæ„ã®ã‚ã‚‹ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã¯ã†ã¾ãä¾å˜é–¢ä¿‚ã«å«ã¾ã‚Œã‚‹ã“ã¨ã«æˆåŠŸã™ã‚Œã°ä»»æ„ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’ãƒ¦ãƒ¼ã‚¶ãƒ¼ç’°å¢ƒã§å®Ÿè¡Œã§ãã¾ã™ã€‚ â€¦ã€‚

ãã®ãŸã‚ã®å¯¾ç–ã¨ã—ã¦ã€npm-scriptsã®å®Ÿè¡Œã‚’ã—ãªã„ãŸã‚ã®--ignore-scriptsã¨ã„ã†ã‚ªãƒ—ã‚·ãƒ§ãƒ³ãŒã‚ã‚Šã¾ã™ã€‚

docs.npmjs.com

ã“ã‚Œã‚’åˆ©ç”¨ã™ã‚‹ã“ã¨ã§ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ™‚ã«ä»»æ„ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã®å®Ÿè¡Œã‚’æ‹’å¦ã™ã‚‹ã“ã¨ãŒå¯èƒ½ã§ã™ã€‚ ãŸã ã€ã“ã‚Œã‚’ä½¿ã†ãŸã‚ã«ã¯ãªãœinstallã‚„postinstallãŒä½¿ã‚ã‚Œã¦ã„ã‚‹ã®ã‹ã‚’ç†è§£ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ ç¾çŠ¶ã€ä¸‹è¨˜ã®2ç‚¹ã®ç”¨é€”ã§åˆ©ç”¨ã•ã‚Œã¦ã„ã‚‹ã“ã¨ãŒå¤šã„ã¨æ€ã„ã¾ã™ã€‚

ãƒ¦ãƒ¼ã‚¶ãƒ¼ç’°å¢ƒã«å¿œã˜ãŸå‡¦ç†
- C, C++ãªã©ã®ã‚³ãƒ¼ãƒ‰ã‚’å«ã‚“ã ãƒã‚¤ãƒ†ã‚£ãƒ–ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã®ãƒ“ãƒ«ãƒ‰
- ç’°å¢ƒã«å¿œã˜ãŸãƒã‚¤ãƒŠãƒªã®ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰
Fundingã®ãŠé¡˜ã„

1ã®ã‚±ãƒ¼ã‚¹ã§è¨€ãˆã°ã€fseventsã‚„puppeteerãªã©ãŒã‚ˆãç›®ã«ã‚±ãƒ¼ã‚¹ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ã€‚ ãŸã ã€fseventsã«é–¢ã—ã¦ã¯ä¸‹è¨˜ã®PRã§installã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’å®Ÿè¡Œã—ãªã„ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹ã®ã§ã€æœ€æ–°ç‰ˆã ã¨ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¯å®Ÿè¡Œã•ã‚Œã¾ã›ã‚“ã€‚

github.com

puppeteerã§ã¯ä¸‹è¨˜ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã§chromiumã®ãƒã‚¤ãƒŠãƒªã‚’ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚

github.com

2.ã®ã‚±ãƒ¼ã‚¹ã¯ã€æœ€è¿‘npm installã‚„npm ciã®éš›ã«å¤§é‡ã®fundingã®ãŠé¡˜ã„ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’ç›®ã«ã™ã‚‹ã“ã¨ãŒã‚ã‚‹ã®ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ï¼Ÿ ã“ã‚Œã¯ã€å¤šãã®å ´åˆpostinstallã‚’ä½¿ã£ã¦console.logã§ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’å‡ºåŠ›ã™ã‚‹ã“ã¨ã§å®Ÿç¾ã•ã‚Œã¦ã„ã¾ã™ã€‚

ã§ã¯ã“ã‚Œã‚‰ã‚’ãªãã™ã“ã¨ãŒå‡ºæ¥ã‚‹ã®ã‹ã¨ã„ã†ã“ã¨ã§ã™ãŒã€ã¾ãš2ã®ã‚±ãƒ¼ã‚¹ã«ã¤ã„ã¦ã¯è¨€ãˆã°ã€npm v6.13ã‹ã‚‰ã‚µãƒãƒ¼ãƒˆã•ã‚Œã¦ã„ã‚‹fundingã®ãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã‚’ä½¿ã†ã“ã¨ã§ã€npm fundã‚³ãƒžãƒ³ãƒ‰ã§å‡ºåŠ›ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚

The npm Blog — Updates to Community, Docs & more...

npm installã§ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ãŸæ™‚ã«npm fundã«å¯¾å¿œã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒä¾å˜ã«ã‚ã‚‹ã¨ã€ä¸‹è¨˜ã®ã‚ˆã†ãªå½¢ã§å‡ºåŠ›ã•ã‚Œã¾ã™ã€‚

:
added 15 packages from 17 contributors and audited 15 packages in 1.574s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

npm fundã‚’å®Ÿè¡Œã™ã‚‹ã¨ä¸‹è¨˜ã®ã‚ˆã†ãªå½¢ã§å‡ºåŠ›ã•ã‚Œã¾ã™ã€‚

% npm fund
[email protected]
â””â”€â”¬ [email protected]
  â”œâ”€â”€ type: charity
  â”œâ”€â”€ url: https://www.justgiving.com/refugee-support-europe
  â””â”€â”¬ [email protected]
    â”œâ”€â”€ type: opencollective
    â””â”€â”€ url: https://opencollective.com/core-js

ä»Šå›žã®è„†å¼±æ€§ã«ã‚ˆã‚Šã€å¤šãã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ã¯npm 6.13.4ä»¥ä¸Šã‚’åˆ©ç”¨ã™ã‚‹ã‚ˆã†ã«ãªã‚‹ãŸã‚ã€npm fundã‚³ãƒžãƒ³ãƒ‰ãŒåˆ©ç”¨å¯èƒ½ã«ãªã‚Šã¾ã™ã€‚ ãã®ãŸã‚ã€postinstallã§ã¯ãªãnpm fundã‚’ä½¿ã†ãŸã‚ã®æº–å‚™ãŒæ•´ã£ãŸã¨ã‚‚è¨€ãˆã¾ã™ã€‚

yarnã¯ç¾åœ¨fundã‚³ãƒžãƒ³ãƒ‰ã‚’ã‚µãƒãƒ¼ãƒˆã—ã¦ã„ã¾ã›ã‚“ãŒã€å‰è¿°ã—ãŸIssueã«ã‚ˆã‚‹ã¨v2ã«ã¯å®Ÿè£…ã—ã¦ãƒãƒƒã‚¯ãƒãƒ¼ãƒˆã™ã‚‹ã“ã¨ãŒæ¤œè¨Žã•ã‚Œã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚

1ã®ã‚±ãƒ¼ã‚¹ã«ã¤ã„ã¦ã¯ã€ãƒ‘ãƒ•ã‚©ãƒ¼ãƒžãƒ³ã‚¹ç›®çš„ã§C, C++ã§æ›¸ã„ã¦ã„ã‚‹å ´åˆã«ã¯ã€WebAssemblyã§ç½®ãæ›ãˆã‚‹ã“ã¨ãŒå¯èƒ½ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚ ãŸã ã€NodeãŒã‚µãƒãƒ¼ãƒˆã—ã¦ã„ãªã„ãƒã‚¤ãƒ†ã‚£ãƒ–ã®APIã‚’ä½¿ã„ãŸã„å ´åˆã«ã¯ã€ç¾æ™‚ç‚¹ã§ã¯ã¾ã ä½¿ã„ç¶šã‘ã‚‹å¿…è¦ãŒã‚ã‚Šãã†ã§ã™ã€‚ å°†æ¥çš„ã«ã¯ã“ã‚Œã«ã¤ã„ã¦ã‚‚WebAssemblyã§è§£æ±ºå‡ºæ¥ã‚‹å¯èƒ½æ€§ã¯ã‚ã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã€‚

ãã‚‚ãã‚‚ã®ç¾çŠ¶ã¨ã—ã¦ã€ã©ã‚“ãªã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒè‡ªåˆ†ã®ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã®npm installæ™‚ã«å®Ÿè¡Œã•ã‚Œã¦ã„ã‚‹ã®ã‹æŠŠæ¡ã—ã¦ã„ã‚‹äººã¯å°‘ãªã„ã®ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ï¼Ÿ ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ¸ˆã¿ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã§installã¾ãŸã¯postinstallã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒã‚ã‚‹ã‚‚ã®ã‚’å‡ºåŠ›ã™ã‚‹ãŸã‚ã®npm packageã‚’ä½œã£ã¦ã¿ãŸã®ã§èˆˆå‘³ã‚ã‚‹äººã¯è‡ªèº«ã®ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã§å®Ÿè¡Œã—ã¦ã¿ã¦ãã ã•ã„ã€‚

% npx install-scripts

github.com

ã“ã¡ã‚‰ã¯ç¤¾å†…ã®ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã§å®Ÿè¡Œã—ãŸçµæžœã§ã™ã€‚ ã“ã®ä¸ã§å‹•ä½œã«å¿…è¦ãªscriptã¯fseventsã¨puppeteerã ã‘ã§ã—ãŸã€‚ä»–ã¯å…¨ã¦fundingé–¢é€£ã§ã™ã€‚

    core-js
      scripts:
        postinstall: node scripts/postinstall || echo "ignore"
      paths:
        node_modules/@babel/polyfill/node_modules/core-js/package.json
        node_modules/@storybook/addon-actions/node_modules/core-js/package.json
        node_modules/@storybook/addon-knobs/node_modules/core-js/package.json
        node_modules/@storybook/addon-links/node_modules/core-js/package.json
        node_modules/@storybook/addon-viewport/node_modules/core-js/package.json
        node_modules/@storybook/addons/node_modules/core-js/package.json
        node_modules/@storybook/api/node_modules/core-js/package.json
        node_modules/@storybook/channel-postmessage/node_modules/core-js/package.json
        node_modules/@storybook/channels/node_modules/core-js/package.json
        node_modules/@storybook/client-api/node_modules/core-js/package.json
        node_modules/@storybook/client-logger/node_modules/core-js/package.json
        node_modules/@storybook/components/node_modules/core-js/package.json
        node_modules/@storybook/core/node_modules/core-js/package.json
        node_modules/@storybook/core-events/node_modules/core-js/package.json
        node_modules/@storybook/node-logger/node_modules/core-js/package.json
        node_modules/@storybook/react/node_modules/core-js/package.json
        node_modules/@storybook/router/node_modules/core-js/package.json
        node_modules/@storybook/theming/node_modules/core-js/package.json
        node_modules/@storybook/ui/node_modules/core-js/package.json
        node_modules/fetch-mock/node_modules/core-js/package.json
        node_modules/lazy-universal-dotenv/node_modules/core-js/package.json
        node_modules/simplebar/node_modules/core-js/package.json
        node_modules/wait-on/node_modules/core-js/package.json
    core-js-pure
      scripts:
        postinstall: node scripts/postinstall || echo "ignore"
      paths:
        node_modules/core-js-pure/package.json
    fetch-mock
      scripts:
        postinstall: node scripts/support-fetch-mock.js
      paths:
        node_modules/fetch-mock/package.json
    fsevents
      scripts:
        install: node install
      paths:
        node_modules/fsevents/package.json
    puppeteer
      scripts:
        install: node install.js
      paths:
        node_modules/puppeteer/package.json
    styled-components
      scripts:
        postinstall: node ./scripts/postinstall.js || exit 0
      paths:
        node_modules/styled-components/package.json

fetch-mockã¯æœ€æ–°ç‰ˆã§ã¯ã™ã§ã«fundã‚’ä½¿ã†ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™
core-jsã«ã¤ã„ã¦ã¯ã“ã¡ã‚‰ã§è°è«–ã•ã‚Œã¦ã„ã¾ã™ãŒã€ä»Šã®ã¨ã“ã‚å‰Šé™¤ã™ã‚‹äºˆå®šã¯ãªã•ãã†ã§ã™
- github.com
styled-componentsã«ã¤ã„ã¦ã¯éŽåŽ»ã«è°è«–ã•ã‚ŒãŸIssueãŒãªã‹ã£ãŸã®ã§ç¢ºèªã—ã¦ã¿ã¾ã—ãŸ
- github.com

ä¸‹è¨˜ã®ã‚ˆã†ã«çµ„ã¿åˆã‚ã›ã‚‹ã“ã¨ã§å¿…è¦ãªã‚¹ã‚¯ãƒªãƒ—ãƒˆã®ã¿ã‚’å®Ÿè¡Œã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚

    % npm ci --ignore-scripts
    % npx install-scripts

yarnã¯postinstallã«ã¤ã„ã¦ã€æ—¢å˜ã®ã‚¨ã‚³ã‚·ã‚¹ãƒ†ãƒ ã‚’å£Šã—ã¦ã—ã¾ã†ã®ã§v2ã§å…¨ã¦ç„¡åŠ¹ã«ã™ã‚‹ã“ã¨ã¯é›£ã—ã„ã§ã™ãŒã€v3ã§ã¯è€ƒãˆã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚ ãŸã ã—ã€ç¾æ™‚ç‚¹ã§ã‚‚æ‰‹å‹•ã§ãƒ›ãƒ¯ã‚¤ãƒˆãƒªã‚¹ãƒˆç®¡ç†ã«ã‚ˆã£ã¦è¨±å¯ã•ã‚ŒãŸscriptã®ã¿å®Ÿè¡Œå¯èƒ½ã«ã™ã‚‹ã“ã¨ã¯å¯èƒ½ã ã¨ã—ã¦ã„ã¾ã™ã€‚

å®Ÿéš›ã«postinstallã€installã‚’èª¿ã¹ã¦ã¿ãŸçµæžœã¨ã—ã¦ã¯ã€ãã“ã¾ã§å¤šããªã„ãªã¨ã„ã†æ„Ÿæƒ³ã ã£ãŸã®ã§--ignore-scriptsã‚’ä½¿ã£ãŸé‹ç”¨ã™ã‚‹ã®ã‚‚å¯èƒ½ã§ã‚ã‚‹ã‚ˆã†ã«æ„Ÿã˜ã¾ã—ãŸã€‚ ãã®ãŸã‚ã«ã‚‚ã€ä»Šåº¦ã¯packageã‚’ãƒ›ãƒ¯ã‚¤ãƒˆãƒªã‚¹ãƒˆã§æŒ‡å®šã—ã¦å®Ÿè¡Œã§ãã‚‹npm packageã‚’ä½œã£ã¦ã¿ã‚ˆã†ã‹ãªã¨æ€ã„ã¾ã—ãŸã€‚ ãŸã ã“ã‚Œè‡ªä½“ã¯npmè‡ªä½“ãŒå¯¾å¿œã™ã¹ãå•é¡Œã§ã‚ã‚‹ã¨æ„Ÿã˜ã‚‹ã®ã§ã€Feature Requestã‚’é€ã‚Šã¾ã—ãŸã€‚

github.com

ä»¥å‰ã«ã¯ä¸‹è¨˜ã®event-streamã«å¯¾ã™ã‚‹å•é¡ŒãŒã‚ã‚Šã¾ã—ãŸãŒã€ç¾çŠ¶ã§ã¯ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’å…¨ã¦æŠŠæ¡ã™ã‚‹ã“ã¨ã¯ç¾å®Ÿçš„ã§ã¯ã‚ã‚Šã¾ã›ã‚“ã€‚

The npm Blog — Details about the event-stream incident

ä»Šå›žã®è„†å¼±æ€§ã‚’é€šã˜ã¦ã€npmã®ç¾çŠ¶ã‚„å°†æ¥ã®æ–¹å‘æ€§ãªã©ã‚’è€ƒãˆã‚‹æ©Ÿä¼šã«ãªã‚Œã°ã„ã„ãªã¨æ€ã£ã¦ã“ã®è¨˜äº‹ã‚’æ›¸ãã¾ã—ãŸã€‚

ã‚µã‚¤ãƒœã‚¦ã‚ºã§ã¯ã€è„†å¼±æ€§ãŒã‚ã£ãŸæ™‚ã«commit logèªã‚“ã§åŽŸå› ã‚’æŽ¢æ±‚ã—ãŸããªã‚‹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚’å‹Ÿé›†ã—ã¦ã„ã¾ã™ï¼

cybozu.co.jp