From 75e92a350549ca42c5666ec387a25a65740ed556 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Tue, 13 May 2025 14:13:01 -0500
Subject: [PATCH] Don't use permission flag on npx

---
 src/shadow/npm/bin.mts | 50 ++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/src/shadow/npm/bin.mts b/src/shadow/npm/bin.mts
index 7231abb6..f47abe2d 100755
--- a/src/shadow/npm/bin.mts
+++ b/src/shadow/npm/bin.mts
@@ -28,30 +28,32 @@ export default async function shadowBin(
   const nodeOptionsArg = rawBinArgs.findLast(isNodeOptionsFlag)
   const progressArg = rawBinArgs.findLast(isProgressFlag) !== '--no-progress'
   const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)
-  // Lazily access constants.SUPPORTS_NODE_PERMISSION_FLAG.
-  const permArgs = constants.SUPPORTS_NODE_PERMISSION_FLAG
-    ? await (async () => {
-        const cwd = process.cwd()
-        const globalPrefix = (
-          await spawn('npm', ['prefix', '-g'], { cwd })
-        ).stdout.trim()
-        const npmCachePath = (
-          await spawn('npm', ['config', 'get', 'cache'], { cwd })
-        ).stdout.trim()
-        return [
-          '--permission',
-          // '--allow-child-process',
-          // '--allow-addons',
-          // '--allow-wasi',
-          // Allow all reads because npm walks up directories looking for config
-          // and package.json files.
-          '--allow-fs-read=*',
-          `--allow-fs-write=${cwd}/*`,
-          `--allow-fs-write=${globalPrefix}/*`,
-          `--allow-fs-write=${npmCachePath}/*`
-        ]
-      })()
-    : []
+  const permArgs =
+    binName === 'npx' &&
+    // Lazily access constants.SUPPORTS_NODE_PERMISSION_FLAG.
+    constants.SUPPORTS_NODE_PERMISSION_FLAG
+      ? await (async () => {
+          const cwd = process.cwd()
+          const globalPrefix = (
+            await spawn('npm', ['prefix', '-g'], { cwd })
+          ).stdout.trim()
+          const npmCachePath = (
+            await spawn('npm', ['config', 'get', 'cache'], { cwd })
+          ).stdout.trim()
+          return [
+            '--permission',
+            '--allow-child-process',
+            // '--allow-addons',
+            // '--allow-wasi',
+            // Allow all reads because npm walks up directories looking for config
+            // and package.json files.
+            '--allow-fs-read=*',
+            `--allow-fs-write=${cwd}/*`,
+            `--allow-fs-write=${globalPrefix}/*`,
+            `--allow-fs-write=${npmCachePath}/*`
+          ]
+        })()
+      : []
   const useDebug = isDebug()
   const useNodeOptions = nodeOptionsArg || permArgs.length
   const isSilent = !useDebug && !binArgs.some(isLoglevelFlag)