The NPM package manager is installed by default with the NodeJS library.
Here in /var/db/repos/gentoo/net-libs/nodejs/nodejs-99999999.ebuild:
    IUSE="corepack cpu_flags_x86_sse2 debug doc +icu inspector lto +npm pax-kernel +snapshot +ssl +system-icu +system-ssl test"
npm should be without +
It is the only package manager other than Gentoo Portage that is installed by default. So why?
Reproducible: Always
NodeJS is required by Mozilla Firefox www-client/firefox
> It is the only package manager other than Gentoo Portage that is installed by default. So why?
Discretion of the maintainer, really. While there's some room for discussion about whether the package pulls in some extra attack surface by default, or the lack of necessity of npm, this isn't really something under the purview of Gentoo Security. Reassigning to maintainer as such.
Disabling USE=npm (and USE=inspector, but I don't think this one is responsible) decreases the on-disk size of nodejs from ~2 GiB to ~50 MiB. 25 packages depend on nodejs, of which only 7 depend on nodejs[npm]. Common packages that depend on nodejs without npm are chromium, firefox, thunderbird, and qtwebengine. Leaving USE=npm disabled by default in the ebuild seems like the right thing to me.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da41d7d490560bac63fa6b2ef3cd8f447a05ebf1

commit da41d7d490560bac63fa6b2ef3cd8f447a05ebf1
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2024-09-04 19:16:31 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-09-04 19:16:31 +0000

    net-libs/nodejs: disable npm by default

    Nodejs takes up 2g with npm enabled and 50 m otherwise. I don't know of a reason it was enabled by default, so I'm disabling it to save space.

    Closes: https://bugs.gentoo.org/924458
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/nodejs-18.20.4.ebuild | 2 +-
 net-libs/nodejs/nodejs-20.17.0.ebuild | 2 +-
 net-libs/nodejs/nodejs-22.7.0.ebuild | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
I have:

net-libs/nodejs
    Available versions: 18.20.4(0/18)^t 20.15.1(0/20)^t ~20.16.0(0/20)^t ~20.17.0(0/20)^t 22.4.1-r1(0/22)^t ~22.6.0(0/22)^t ~22.7.0(0/22)^t **99999999*l^t {corepack debug doc +icu inspector lto +npm pax-kernel +snapshot +ssl +system-icu +system-ssl systemtap test CPU_FLAGS_X86="sse2"}
    Installed versions: 22.4.1-r1(0/22)^t(18:45:53 06/08/24)(icu inspector npm snapshot ssl system-icu system-ssl -corepack -debug -doc -lto -pax-kernel -test CPU_FLAGS_X86="sse2")
    Homepage: https://nodejs.org/
    Description: A JavaScript runtime built on Chrome's V8 JavaScript engine

and

qsize net-libs/nodejs
net-libs/nodejs: 1683 files, 504 non-files, 59.8M

so for me npm does not seem to add a lot.
Strange. I rechecked today, and on 22.4.1-r1 with USE=npm:
> net-libs/nodejs: 1683 files, 504 non-files, 59.7M
With USE=-npm:
> net-libs/nodejs: 115 files, 16 non-files, 51.6M