Post-installed binary losing executable permissions on reinstall

[colincasey]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

Store

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

• Create a new folder
• Add the following Dockerfile

FROM node:20-alpine

RUN apk add --no-cache bash jq \
    && npm install -g pnpm

COPY package.json docker-entrypoint.sh /home/node/app/

RUN chown -R node:node /home/node/app/ \
    && chmod +x /home/node/app/docker-entrypoint.sh 

USER node

WORKDIR /home/node/app/

ENTRYPOINT ["/home/node/app/docker-entrypoint.sh"]

• Add the following package.json

{
  "name": "eaccess-test",
  "private": "true",
  "dependencies": {
    "@sentry/cli": "1.77.3"
  }
}

• Add the following docker-entrypoint.sh

#!/usr/bin/env bash
echo "- Setup"
echo 
echo "Setting umask 0077"
umask 0077
echo "Using pnpm $(pnpm --version)"
echo "Configuring store to be $HOME/store"
pnpm config set store-dir "$HOME/store"

echo
echo "- Install from fresh store"
echo
pnpm install
echo 
echo "==================================="
echo "Version from executable:"
node_modules/.pnpm/@sentry+cli@1.77.3/node_modules/@sentry/cli/sentry-cli --version
ls -ld node_modules/.pnpm/@sentry+cli@1.77.3/node_modules/@sentry/cli/sentry-cli
echo "(binary has executable permissions)"

echo
echo "- Removing node_modules..."
rm -rf node_modules
echo

echo "- Install from populated store"
echo
pnpm install
echo 
echo "============================================="
echo "Version from executable:"
node_modules/.pnpm/@sentry+cli@1.77.3/node_modules/@sentry/cli/sentry-cli --version
ls -ld node_modules/.pnpm/@sentry+cli@1.77.3/node_modules/@sentry/cli/sentry-cli
echo "(binary does not have executable permissions)"

echo 
find "$HOME/store" -type f -name "*.json" | while read -r index_file
do 
    if [[ "$(jq -r '.name' "$index_file")" == "@sentry/cli" ]]; then
        echo "@sentry/cli mode field for binary in store: $(jq -r '.sideEffects[]."sentry-cli".mode' "$index_file")"
    fi
done

echo
echo "Starting shell"
/bin/bash

• Build and run the docker image

docker build -t pnpm-issue -f Dockerfile .
docker run --rm -it pnpm-issue

Describe the Bug

As the Node.js Language Owner at Heroku, this bug came to my attention when the following issue was filed as developers were trying to take advantage of our recent support for pnpm:
heroku/heroku-buildpack-nodejs#1247

After some investigation, what I've noticed is that this bug seems to be triggered by the following conditions:

• installing a Node.js module that fetches or configures an architecture-specific binary as part of a postinstall script
• the running process is configured with a umask of 0077

Using @sentry/cli, as in the reproduction above, what happens is:

• On the first pnpm install,
  • the store is empty so modules are fetched
  • the postinstall script for @sentry/cli executes which downloads the architecture-specific binary
  • the downloaded binary is executable
• On a second pnpm install (after the node_modules dir is removed),
  • the @sentry/cli module is restored from the store
  • the architecture-specific binary is no longer executable

Expected Behavior

I would expect that if a file is installed with executable permissions as part of a postinstall script, then when it's installed from the pnpm store it should also have executable permissions.

The sideEffects information recorded for the @sentry/cli module from above seems to indicate this as the mode stored has a value of 33216 (octal 100700).

The current workaround I've been recommending is to disable the side-effects-cache.

Which Node.js version are you using?

20.17.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

Ubuntu 20.04, Alpine Linux v3.20

[colincasey]

Possibly related to #7746

[zkochan]

PR: #8625

[adrian-branescu]

PR: #8625

@zkochan This bug also replicates when using pnpm pack and pnpm publish.

The executable permissions are stripped away from the files included in the archive. So your fix is useful only if the package was published with npm but not pnpm.

[zkochan]

You need to use this setting: https://pnpm.io/package_json#publishconfigexecutablefiles