Permission model won't allow a child process to run npm install #59752

@trevorgithub

Description

Version

v22.19.0

Platform

Linux 8fc8db0b3aa3 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

I'm trying to add permission to an existing node app. The app runs in a docker container and uses exec to call out to npm to install a package.

The node process is started from docker container like this:
CMD ["node", "--permission", \
     "--allow-fs-read=*", \
     "--allow-fs-write=*", "--allow-child-process", \
     "index.js"]

Later, when the code is running, it tries to run npm install:

await exec('npm install --ignore-scripts --no-audit', {
    cwd: tempDirectory,
    timeout: 300000 // 5 minutes
});

The result at runtime is this:

app-1  | npm error code ERR_ACCESS_DENIED
app-1  | npm error relative symbolic link target

How often does it reproduce? Is there a required condition?

It occurs consistently, once introducing --permission

What is the expected behavior? Why is that the expected behavior?

I was hoping that --allow-fs-read=* and --allow-fs-write=* would allow the symbolic links to work

What do you see instead?

The error message:

app-1  | npm error code ERR_ACCESS_DENIED
app-1  | npm error relative symbolic link target

Additional information

No response


Labels: permission (Issues and PRs related to the Permission Model)
