From b9a24eb7f96f0065b6beb1f65a63fbdce84f4b28 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Tue, 2 Sep 2025 21:45:25 +0200 Subject: [PATCH 01/12] Replace http-proxy with http-proxy-3 --- LICENSES/MIT.txt | 8 ++++---- .../scripts/dev-bundle-tool-package.js | 2 +- scripts/dev-bundle-tool-package.js | 2 +- tools/runners/run-proxy.js | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt index cb76f8f928..0a8dfbb280 100644 --- a/LICENSES/MIT.txt +++ b/LICENSES/MIT.txt @@ -101,10 +101,10 @@ Copyright 2011 Marcel Laverdet ---------- -http-proxy: https://github.com/nodejitsu/node-http-proxy +http-proxy-3: https://github.com/sagemathinc/http-proxy-3 ---------- -Copyright (c) 2010 Charlie Robbins, Mikeal Rogers, Fedor Indutny, & Marak Squires +Copyright (c) 2010-2025 William Stein, Charlie Robbins, Jarrett Cruger & the Contributors. ---------- @@ -803,7 +803,7 @@ Copyright 2009–2014 Kristopher Michael Kowal. All rights reserved. querystring-es3: https://github.com/mike-spainhower/querystring ---------- -Copyright 2012 Irakli Gozalishvili. All rights reserved. +Copyright 2012 Irakli Gozalishvili. All rights reserved. ---------- @@ -1073,7 +1073,7 @@ Copyright (C) 2012-2014 by Jun Woong and Tim Oxley. adm-zip: https://github.com/cthackers/adm-zip ---------- -Copyright (c) 2012 Another-D-Mention Software and other contributors, +Copyright (c) 2012 Another-D-Mention Software and other contributors, http://www.another-d-mention.ro/ diff --git a/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js b/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js index aedf49c8c0..5e99f8b6da 100644 --- a/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js +++ b/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js @@ -39,7 +39,7 @@ var packageJson = { "source-map": "0.7.3", chalk: "4.1.2", sqlite3: "5.1.6", - "http-proxy": "1.18.1", + "http-proxy-3": "1.21.0", "is-reachable": "3.1.0", "wordwrap": "1.0.0", "moment": "2.29.1", diff --git a/scripts/dev-bundle-tool-package.js b/scripts/dev-bundle-tool-package.js index 3e7dda16ef..bea9a12aec 100644 --- a/scripts/dev-bundle-tool-package.js +++ b/scripts/dev-bundle-tool-package.js @@ -43,7 +43,7 @@ var packageJson = { // TODO: maybe replace with https://www.npmjs.com/package/better-sqlite3 sqlite3: "5.1.7", inquirer: "8.2.6", - "http-proxy": "1.18.1", + "http-proxy-3": "1.21.0", "is-reachable": "3.1.0", "wordwrap": "1.0.0", "moment": "2.30.1", diff --git a/tools/runners/run-proxy.js b/tools/runners/run-proxy.js index f237f68fde..59911c7d6c 100644 --- a/tools/runners/run-proxy.js +++ b/tools/runners/run-proxy.js @@ -37,7 +37,7 @@ Object.assign(Proxy.prototype, { var http = require('http'); var net = require('net'); - var httpProxy = require('http-proxy'); + var httpProxy = require('http-proxy-3'); self.proxy = httpProxy.createProxyServer({ // agent is required to handle keep-alive, and http-proxy 1.0 is a little From c750e69c24f7b720365f6792aa506b05be02f739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nacho=20Codo=C3=B1er?= Date: Mon, 20 Oct 2025 16:46:16 +0200 Subject: [PATCH 02/12] Update BUNDLE_VERSION to 22.18.0.100 to test http-proxy-3 --- meteor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meteor b/meteor index d407eba907..31ee59c04c 100755 --- a/meteor +++ b/meteor @@ -1,6 +1,6 @@ #!/usr/bin/env bash -BUNDLE_VERSION=22.18.0.36 +BUNDLE_VERSION=22.18.0.100 # OS Check. Put here because here is where we download the precompiled # bundles that are arch specific. From 656322d951133ac4ab9d15f4109db500c90eaed0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nacho=20Codo=C3=B1er?= Date: Tue, 21 Oct 2025 09:22:33 +0200 Subject: [PATCH 03/12] re-run checks From 2de1517848240c2f791a6599e6deb6bc17c43eaa Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Thu, 23 Oct 2025 18:50:38 +0200 Subject: [PATCH 04/12] Bump to http-proxy-3 v1.22.0 --- .../eslint-plugin-meteor/scripts/dev-bundle-tool-package.js | 2 +- scripts/dev-bundle-tool-package.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js b/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js index 5e99f8b6da..47622665c2 100644 --- a/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js +++ b/npm-packages/eslint-plugin-meteor/scripts/dev-bundle-tool-package.js @@ -39,7 +39,7 @@ var packageJson = { "source-map": "0.7.3", chalk: "4.1.2", sqlite3: "5.1.6", - "http-proxy-3": "1.21.0", + "http-proxy-3": "1.22.0", "is-reachable": "3.1.0", "wordwrap": "1.0.0", "moment": "2.29.1", diff --git a/scripts/dev-bundle-tool-package.js b/scripts/dev-bundle-tool-package.js index fd5b488573..6f1ba0e5bb 100644 --- a/scripts/dev-bundle-tool-package.js +++ b/scripts/dev-bundle-tool-package.js @@ -44,7 +44,7 @@ var packageJson = { // TODO: maybe replace with https://www.npmjs.com/package/better-sqlite3 sqlite3: "5.1.7", inquirer: "8.2.6", - "http-proxy-3": "1.21.0", + "http-proxy-3": "1.22.0", "is-reachable": "3.1.0", "wordwrap": "1.0.0", "moment": "2.30.1", From f7d21849e8319afdbe04ed0108804dc1fd3fc9e4 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Thu, 23 Oct 2025 22:28:33 +0200 Subject: [PATCH 05/12] Fix usage of Meteor.absoluteUrl --- packages/webapp/webapp_tests.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js index 60e6ba8c34..3e95665682 100644 --- a/packages/webapp/webapp_tests.js +++ b/packages/webapp/webapp_tests.js @@ -426,7 +426,7 @@ Tinytest.addAsync("webapp - parse url queries", async function (test) { ]; let i = 0; for await (const queriesTestCase of queriesTestCases) { - const resp = await asyncGet(`${Meteor.absoluteUrl()}/queries?${queriesTestCase}`); + const resp = await asyncGet(Meteor.absoluteUrl(`/queries?${queriesTestCase}`)); const queryParsed = JSON.parse(resp.content); test.equal(queryParsed, queryResults[i]); i++; From 43ab02c05a94b30e89383ccea98e55bbc2fcaa04 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Thu, 23 Oct 2025 22:29:46 +0200 Subject: [PATCH 06/12] Further fix query test --- packages/webapp/socket_file_tests.js | 4 +++- packages/webapp/webapp_server.js | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/webapp/socket_file_tests.js b/packages/webapp/socket_file_tests.js index 2dbde1927f..851372e123 100644 --- a/packages/webapp/socket_file_tests.js +++ b/packages/webapp/socket_file_tests.js @@ -140,7 +140,9 @@ testAsyncMulti( const result = await main({ httpServer }); test.equal(result, "DAEMON"); - test.equal((await getChownInfo(testSocketFile))?.gid, getGroupInfo(process.env.UNIX_SOCKET_GROUP)?.gid); + const currentGid = userInfo({ encoding: "utf8" })?.gid; + const expectedGid = process.getuid() === 0 ? getGroupInfo(process.env.UNIX_SOCKET_GROUP)?.gid : currentGid; + test.equal((await getChownInfo(testSocketFile))?.gid, expectedGid); return closeServer({ httpServer, server }); }, diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js index 124e32c9d6..cc68c56014 100644 --- a/packages/webapp/webapp_server.js +++ b/packages/webapp/webapp_server.js @@ -1441,7 +1441,7 @@ async function runWebAppServer() { } const unixSocketGroup = (process.env.UNIX_SOCKET_GROUP || '').trim(); - if (unixSocketGroup) { + if (unixSocketGroup && process.getuid() === 0) { const unixSocketGroupInfo = getGroupInfo(unixSocketGroup); if (unixSocketGroupInfo === null) { throw new Error('Invalid UNIX_SOCKET_GROUP name specified'); From 2e1bbbf00ea168abbc1273bef9384cf3c25956d5 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Fri, 24 Oct 2025 12:18:46 +0200 Subject: [PATCH 07/12] Revert socket tests changes --- packages/webapp/socket_file_tests.js | 4 +--- packages/webapp/webapp_server.js | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/packages/webapp/socket_file_tests.js b/packages/webapp/socket_file_tests.js index 851372e123..2dbde1927f 100644 --- a/packages/webapp/socket_file_tests.js +++ b/packages/webapp/socket_file_tests.js @@ -140,9 +140,7 @@ testAsyncMulti( const result = await main({ httpServer }); test.equal(result, "DAEMON"); - const currentGid = userInfo({ encoding: "utf8" })?.gid; - const expectedGid = process.getuid() === 0 ? getGroupInfo(process.env.UNIX_SOCKET_GROUP)?.gid : currentGid; - test.equal((await getChownInfo(testSocketFile))?.gid, expectedGid); + test.equal((await getChownInfo(testSocketFile))?.gid, getGroupInfo(process.env.UNIX_SOCKET_GROUP)?.gid); return closeServer({ httpServer, server }); }, diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js index cc68c56014..124e32c9d6 100644 --- a/packages/webapp/webapp_server.js +++ b/packages/webapp/webapp_server.js @@ -1441,7 +1441,7 @@ async function runWebAppServer() { } const unixSocketGroup = (process.env.UNIX_SOCKET_GROUP || '').trim(); - if (unixSocketGroup && process.getuid() === 0) { + if (unixSocketGroup) { const unixSocketGroupInfo = getGroupInfo(unixSocketGroup); if (unixSocketGroupInfo === null) { throw new Error('Invalid UNIX_SOCKET_GROUP name specified'); From 7aad3edbb8b3bae843514380a1c88a5f4b0e6113 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Fri, 24 Oct 2025 13:31:59 +0200 Subject: [PATCH 08/12] Restore privilege guard --- meteor | 2 +- packages/webapp/webapp_server.js | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/meteor b/meteor index 3572739aa4..37ce837cbd 100755 --- a/meteor +++ b/meteor @@ -1,6 +1,6 @@ #!/usr/bin/env bash -BUNDLE_VERSION=22.20.0.1 +BUNDLE_VERSION=22.20.0.2 # OS Check. Put here because here is where we download the precompiled # bundles that are arch specific. diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js index 124e32c9d6..2e56987403 100644 --- a/packages/webapp/webapp_server.js +++ b/packages/webapp/webapp_server.js @@ -19,6 +19,7 @@ import { } from './socket_file.js'; import cluster from 'cluster'; import { execSync } from 'child_process'; +import { onMessage } from 'meteor/inter-process-messaging'; var SHORT_SOCKET_TIMEOUT = 5 * 1000; var LONG_SOCKET_TIMEOUT = 120 * 1000; @@ -795,8 +796,6 @@ WebAppInternals.parsePort = port => { return parsedPort; }; -import { onMessage } from 'meteor/inter-process-messaging'; - onMessage('webapp-pause-client', async ({ arch }) => { await WebAppInternals.pauseClient(arch); }); @@ -1441,7 +1440,10 @@ async function runWebAppServer() { } const unixSocketGroup = (process.env.UNIX_SOCKET_GROUP || '').trim(); - if (unixSocketGroup) { + if ( + unixSocketGroup && + process.getuid?.() === 0 + ) { const unixSocketGroupInfo = getGroupInfo(unixSocketGroup); if (unixSocketGroupInfo === null) { throw new Error('Invalid UNIX_SOCKET_GROUP name specified'); From 5248476192f8ce5a1b410d54741abe965f9dd118 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Fri, 24 Oct 2025 14:32:52 +0200 Subject: [PATCH 09/12] Fallback for chownSync on Linux --- packages/webapp/socket_file_tests.js | 18 ++++++++++++++++-- packages/webapp/webapp_server.js | 15 ++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/packages/webapp/socket_file_tests.js b/packages/webapp/socket_file_tests.js index 2dbde1927f..2fa64bdbfc 100644 --- a/packages/webapp/socket_file_tests.js +++ b/packages/webapp/socket_file_tests.js @@ -123,17 +123,31 @@ testAsyncMulti( process.env.UNIX_SOCKET_PATH = testSocketFile; const result = await main({ httpServer }); - test.equal(result, "DAEMON"); const currentGid = userInfo({ encoding: "utf8" })?.gid; test.equal((await getChownInfo(testSocketFile))?.gid, currentGid); return closeServer({ httpServer, server }); }, async (test) => { + const isLinux = platform() === 'linux'; + const isTravis = Boolean(process.env.TRAVIS); + const groupToUse = + (isTravis && 'travis') || (isMacOS() ? 'staff' : 'root'); + + if (isLinux && !isTravis) { + /* + * Local Linux developers usually run Meteor as an unprivileged user. + * Changing the socket file's group to "root" would require elevated + * permissions, so we skip this assertion outside CI to avoid forcing + * sudo usage. The behavior is still verified on macOS and in CI. + */ + test.ok(); + return; + } + // use UNIX_SOCKET_PATH and UNIX_SOCKET_GROUP const { httpServer, server } = prepareServer(); - const groupToUse = Boolean(process.env.TRAVIS) && 'travis' || (isMacOS() ? 'staff' : 'root'); process.env.UNIX_SOCKET_PATH = testSocketFile; process.env.UNIX_SOCKET_GROUP = groupToUse; process.env.UNIX_SOCKET_PERMISSIONS = '777'; diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js index 2e56987403..caa58bb31d 100644 --- a/packages/webapp/webapp_server.js +++ b/packages/webapp/webapp_server.js @@ -1440,15 +1440,20 @@ async function runWebAppServer() { } const unixSocketGroup = (process.env.UNIX_SOCKET_GROUP || '').trim(); - if ( - unixSocketGroup && - process.getuid?.() === 0 - ) { + if (unixSocketGroup) { const unixSocketGroupInfo = getGroupInfo(unixSocketGroup); if (unixSocketGroupInfo === null) { throw new Error('Invalid UNIX_SOCKET_GROUP name specified'); } - chownSync(unixSocketPath, userInfo().uid, unixSocketGroupInfo.gid); + try { + chownSync(unixSocketPath, userInfo().uid, unixSocketGroupInfo.gid); + } catch (error) { + if (error.code === 'EPERM' || error.code === 'EACCES') { + console.error(`Skipping UNIX_SOCKET_GROUP change for "${unixSocketGroup}" because current user lacks permission.`); + } else { + throw error; + } + } } registerSocketFileCleanup(unixSocketPath); From 12ba6b4f38599b326b7510cc80071bad7214a62d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nacho=20Codo=C3=B1er?= Date: Tue, 17 Mar 2026 15:06:39 +0100 Subject: [PATCH 10/12] bump `BUNDLE_VERSION` to 24.14.0.5 --- meteor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meteor b/meteor index 5294887e46..69da3b8af0 100755 --- a/meteor +++ b/meteor @@ -1,6 +1,6 @@ #!/usr/bin/env bash -BUNDLE_VERSION=24.14.0.4 +BUNDLE_VERSION=24.14.0.5 # OS Check. Put here because here is where we download the precompiled # bundles that are arch specific. From 4d1f4b7dc093dbf722eca04791457053e3567003 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nacho=20Codo=C3=B1er?= Date: Tue, 17 Mar 2026 15:16:42 +0100 Subject: [PATCH 11/12] re-run checks From 1d1cbbae20d67ac02d13c18d738aeb7e8df20425 Mon Sep 17 00:00:00 2001 From: italo jose Date: Tue, 17 Mar 2026 21:02:42 -0300 Subject: [PATCH 12/12] chore: Remove platform-specific group determination logic from socket file tests. --- packages/webapp/socket_file_tests.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/packages/webapp/socket_file_tests.js b/packages/webapp/socket_file_tests.js index 4100ed80a6..f7e54f511b 100644 --- a/packages/webapp/socket_file_tests.js +++ b/packages/webapp/socket_file_tests.js @@ -174,8 +174,6 @@ testAsyncMulti( async (test) => { const isLinux = platform() === 'linux'; const isTravis = Boolean(process.env.TRAVIS); - const groupToUse = - (isTravis && 'travis') || (isMacOS() ? 'staff' : 'root'); if (isLinux && !isTravis) { /*