Node.js stack refactoring (#4255)

* Create node.profile * Create node-gyp.profile * refactor npm as redirect * Create npx.profile * Create nvm.profile * Create semver.profile * refactor yarn as redirect * collect node.js stack configuration in common profile * add ~/.nvm to node section * account for node-gyp python dependency * read-only ~/.nvm for node.js stack * blacklist ~/.nvm for node.js stack * move env var comment cfr. profile.template * Delete node-gyp.profile node-gyp is a shell script with a node shebang. We've got that covered via node.profile. * Delete npx.profile npx is a shell script with a node shebang. We've got that covered via node.profile. * Delete semver.profile semver is a shell script that calls node. We've got that covered via node.profile. * add node and nvm to new profiles section
2026-05-15 14:16:14 -06:00 · 2021-05-08 15:27:30 +00:00 · 2021-05-08 15:27:30 +00:00 · 699a803f17
commit 699a803f17
parent 684347c967
10 changed files with 77 additions and 43 deletions
--- a/README.md
+++ b/README.md
@ -336,4 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
 ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
 pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat
+neochat, node, nvm
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@ -4,3 +4,7 @@ include allow-nodejs.local

 noblacklist ${PATH}/node
 noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@ -338,6 +338,7 @@ read-only ${HOME}/dotfiles
 read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
 read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@ -816,6 +816,7 @@ blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
--- a/etc/profile-m-z/node.profile
+++ b/etc/profile-m-z/node.profile
@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@ -10,6 +10,20 @@ include nodejs-common.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}

+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 ignore noexec ${HOME}

 include allow-bin-sh.inc
@ -21,6 +35,32 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc

+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@ -46,10 +86,11 @@ shell none

 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp

 dbus-user none
 dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@ -7,23 +7,5 @@ include npm.local
 # Persistent global definitions
 include globals.local

-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
-
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and add the next lines to your npm.local.
-#mkdir ${HOME}/.node-gyp
-#mkdir ${HOME}/.npm
-#mkfile ${HOME}/.npmrc
-#whitelist ${HOME}/.node-gyp
-#whitelist ${HOME}/.npm
-#whitelist ${HOME}/.npmrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile
--- a/etc/profile-m-z/nvm.profile
+++ b/etc/profile-m-z/nvm.profile
@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@ -6,25 +6,5 @@ include yarn.local
 # Persistent global definitions
 include globals.local

-ignore read-only ${HOME}/.yarnrc
-
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
-# add the next lines to you yarn.local.
-#mkdir ${HOME}/.yarn
-#mkdir ${HOME}/.yarn-config
-#mkdir ${HOME}/.yarncache
-#mkfile ${HOME}/.yarnrc
-#whitelist ${HOME}/.yarn
-#whitelist ${HOME}/.yarn-config
-#whitelist ${HOME}/.yarncache
-#whitelist ${HOME}/.yarnrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile