
Bug 410012

Summary: npm and node in orionode vs orion
Product: [ECD] Orion
Component: Server
Version: 3.0
Status: RESOLVED WONTFIX
Severity: normal
Priority: P3
Target Milestone: ---
Hardware: All
OS: All
Reporter: Adrian Aichner <adrian.aichner>
Assignee: Project Inbox <orion.server-inbox>
QA Contact:
CC: ken_walker, mamacdon
Whiteboard:

Description Adrian Aichner CLA 2013-06-05 20:42:16 EDT
Should there be a Shell component to report bugs like this one against?

I am describing the current status of the org.eclipse.orion.server and org.eclipse.orion.client master branches.

1.
Both orion and orionode have a Shell command npm.

However, while the orionode npm command feature set seems close to external shell npm usage, it looks quite different in orion:

help npm
npm

Synopsis:  npm [output]
Description:
Commands for interacting with node npm
Sub-Commands:
npm install: npm install  help npm install
npm shrinkwrap: npm shrinkwrap  help npm shrinkwrap

2.
Only orionode has a node command, even though the command could be useful in orion as well, e.g. to start an orionode server when working on orion development itself.

3.
The node command in orionode differs from external shell node command line usage.

Instead it redefines the feature set to managing node apps in general:

Sub-Commands:
node debug: Runs a Node.js application with a given debug port number. Use different port numbers if you debug more than one apps. Use the debug URL from the command response, in a webkit browser to start debug.  help node debug
node list: Lists the running Node.js apps.  help node list
node start: Runs a Node.js application.  help node start
node stop: Stops a running Node.js app.  help node stop

I think this is a major violation of the principle of least surprise.

If it does something other than the external shell node command line, it should also be called something else, like "apps" or something better.

I realize this is not an ideally focused bug report, but I wanted to map out the scope of the general issue I am seeing.

Comment 1 Ken Walker CLA 2013-06-06 01:14:00 EDT
The difference is due to the multi-user nature of the Java Server vs. a single-user Node.js server.  Supporting all the commands of npm on the Java server seemed like providing too much flexibility in what a user could do.

We have not enabled this capability on OrionHub, for example, due to the fact that we haven't isolated npm in a sandbox for individual user accounts.  The npm install command can run arbitrary JavaScript code, so it's seen as a security risk. Allowing apps to run arbitrary node apps on OrionHub is also disabled for the same reason.

We're looking at ways to isolate both types of applications (node/npm) but this will not make it into our 3.0 release.

It is a server issue (not just shell) so this is the appropriate component.

As far as (3) it's a good point.  We're not committed to the commands we've chosen so it's something to look at.

Comment 2 John Arthorne CLA 2015-05-05 14:37:26 EDT
Closing as part of a mass clean up of inactive bugs. Please reopen if this problem still occurs or is relevant to you. For more details see:

https://dev.eclipse.org/mhonarc/lists/orion-dev/msg03444.html