Bug 924458 - net-libs/nodejs: Don't enable USE=npm by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: William Hubbs
Reported: 2024-02-14 07:20 UTC by Vit
Modified: 2025-02-06 12:15 UTC

Description Vit 2024-02-14 07:20:13 UTC
The NPM package manager is installed by default with the NodeJS library.

Here in /var/db/repos/gentoo/net-libs/nodejs/nodejs-99999999.ebuild:

```
IUSE="corepack cpu_flags_x86_sse2 debug doc +icu inspector lto +npm pax-kernel +snapshot +ssl +system-icu +system-ssl test"
```

npm should be without +

It is the only package manager other than Gentoo Portage that is installed by default. So why?

Reproducible: Always
Comment 1 Vit 2024-02-14 07:22:31 UTC
NodeJS is required by Mozilla Firefox www-client/firefox
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-17 03:07:40 UTC
> It is the only package manager other than Gentoo Portage that is installed by default. So why?

Discretion of the maintainer, really.

While there's some room for discussion about whether the package pulls in some extra attack surface by default, or the lack of necessity of npm, this isn't really something under the purview of Gentoo Security. Reassigning to maintainer as such.
Comment 3 Matt Turner gentoo-dev 2024-08-16 03:37:10 UTC
Disabling USE=npm (and USE=inspector, but I don't think this one is responsible) decreases the on-disk size of nodejs from ~2 GiB to ~50 MiB.

25 packages depend on nodejs, of which only 7 depend on nodejs[npm].

Common packages that depend on nodejs without npm are chromium, firefox, thunderbird, and qtwebengine.

Leaving USE=npm disabled by default in the ebuild seems like the right thing to me.
Comment 4 Larry the Git Cow gentoo-dev 2024-09-04 19:20:34 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da41d7d490560bac63fa6b2ef3cd8f447a05ebf1

commit da41d7d490560bac63fa6b2ef3cd8f447a05ebf1
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2024-09-04 19:16:31 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-09-04 19:16:31 +0000

    net-libs/nodejs: disable npm by default
    
    Nodejs takes up 2g with npm enabled and 50 m otherwise.
    I don't know of a reason it was enabled by default, so I'm disabling it
    to save space.
    
    Closes: https://bugs.gentoo.org/924458
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/nodejs-18.20.4.ebuild | 2 +-
 net-libs/nodejs/nodejs-20.17.0.ebuild | 2 +-
 net-libs/nodejs/nodejs-22.7.0.ebuild  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
Comment 5 Joakim Tjernlund 2024-09-04 20:41:10 UTC
I have:

```
net-libs/nodejs
     Available versions:  18.20.4(0/18)^t 20.15.1(0/20)^t ~20.16.0(0/20)^t ~20.17.0(0/20)^t 22.4.1-r1(0/22)^t ~22.6.0(0/22)^t ~22.7.0(0/22)^t **99999999*l^t {corepack debug doc +icu inspector lto +npm pax-kernel +snapshot +ssl +system-icu +system-ssl systemtap test CPU_FLAGS_X86="sse2"}
     Installed versions:  22.4.1-r1(0/22)^t(18:45:53 06/08/24)(icu inspector npm snapshot ssl system-icu system-ssl -corepack -debug -doc -lto -pax-kernel -test CPU_FLAGS_X86="sse2")
     Homepage:            https://nodejs.org/
     Description:         A JavaScript runtime built on Chrome's V8 JavaScript engine
```

and

```
qsize net-libs/nodejs
net-libs/nodejs: 1683 files, 504 non-files, 59.8M
```

so for me npm does not seem to add a lot.
Comment 6 Matt Turner gentoo-dev 2024-09-04 21:26:52 UTC
Strange. I rechecked today, and on 22.4.1-r1 with USE=npm:

> net-libs/nodejs: 1683 files, 504 non-files, 59.7M

With USE=-npm:

> net-libs/nodejs: 115 files, 16 non-files, 51.6M
Comment 7 Benn Snyder 2025-01-04 22:29:34 UTC
This change itself is fine, but it's mildly annoying that the nodejs binpkg is now built with USE=-npm so I have to build it myself.
Comment 8 Shiba 2025-01-08 08:52:11 UTC
Please reconsider this or at least consider a binpkg with +npm. It takes 1h+ to compile nodejs on a low-end PC.
Comment 9 Larry the Git Cow gentoo-dev 2025-01-13 17:10:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/binhost.git/commit/?id=0a8db1a9397868a278b13f33afa69808605a3e7b

commit 0a8db1a9397868a278b13f33afa69808605a3e7b
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2025-01-13 17:05:32 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2025-01-13 17:09:38 +0000

    build a copy of nodejs with USE=npm
    
    Some packages need this, and some *people* also need this. ;) It takes a
    while to build and seemingly at least sometimes takes quite a bit of
    space?
    
    It is installed as a dep in gnome/kde builders already. Manually install
    it with USE=npm for the server builder, for added coverage.
    
    Bug: https://bugs.gentoo.org/924458
    Closes: https://bugs.gentoo.org/948014
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 builders/dola/server-23/portage/package.use/npm     | 1 +
 builders/dola/server-23/world                       | 1 +
 builders/milou/server-23/portage/package.use/npm    | 1 +
 builders/milou/server-23/world                      | 1 +
 builders/milou/server-v3-23/portage/package.use/npm | 1 +
 builders/milou/server-v3-23/world                   | 1 +
 6 files changed, 6 insertions(+)
Comment 10 Leho Kraav (:macmaN @lkraav) 2025-02-06 11:42:41 UTC
Thanks, USE +npm binpkg is great, but I guess we don't know if there is enough demand for also USE +inspector binpkg?

(If there only was some opt-in telemetry for such..)

Inspector is the main debug tooling enabler on Node.

Remaining USE flags on net-libs/nodejs seem real local edge cases, don't see a reason to think about those much.
Comment 11 Leho Kraav (:macmaN @lkraav) 2025-02-06 12:15:02 UTC
Also, I can confirm: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da41d7d490560bac63fa6b2ef3cd8f447a05ebf1 commit message is pointing in some wrong direction - 2G install is not related to +npm (or +inspector). Fresh build right now:

```
± qlist -IU =net-libs/nodejs-20.18.1 
net-libs/nodejs cpu_flags_x86_sse2 icu inspector npm snapshot

± qsize =net-libs/nodejs-20.18.1 
net-libs/nodejs: 1677 files, 502 non-files, 48.5M
```