New Yarn version, package.json bin causes warning #64

Open
Beanow opened this issue Dec 20, 2019 · 4 comments · May be fixed by #65

Comments

@Beanow

Beanow commented Dec 20, 2019

With the recent security changes:
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

It causes a warning:

warning sha.js@2.4.11: Invalid bin entry for "sha.js" (in "sha.js").

@fanatid
Contributor

fanatid commented Dec 20, 2019

I do not see the warning...

$ npm i sha.js
npm WARN saveError ENOENT: no such file or directory, open '/home/kirill/tmp/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/kirill/tmp/package.json'
npm WARN tmp No description
npm WARN tmp No repository field.
npm WARN tmp No README data
npm WARN tmp No license field.

+ sha.js@2.4.11
added 3 packages from 2 contributors and audited 3 packages in 1.295s
found 0 vulnerabilities

$ npm --version
6.13.4

$ node --version
v13.5.0

@Beanow
Author

Beanow commented Dec 20, 2019

You're right, I narrowed it down to just yarn v1.21.1.

yarn cache clean
yarn add sha.js

# warning sha.js@2.4.11: Invalid bin entry for "sha.js" (in "sha.js").

When the cache isn't cleared, the warning doesn't show up next time. Even in a fresh directory.

Beanow changed the title from "New NPM version, package.json bin causes warning" to "New Yarn version, package.json bin causes warning" on Dec 20, 2019
@fanatid
Contributor

fanatid commented Dec 20, 2019

So the fix will be to remove bin entirely, or to change package.json to this?

"bin": {
  "shajs":"./bin.js"
},

@Beanow
Author

Beanow commented Dec 21, 2019

I'm not certain about the fix, I just happened to encounter this in the wild. It shouldn't be required by the security patch to remove it entirely, though. Especially locally, like we're doing here, a properly formatted bin is expected to work.
