fix: handle malformed npm packages gracefully in extract action

.aspect/rules/external_repository_action_cache/npm_translate_lock_LTE4Nzc1MDcwNjU=

@@ -2,26 +2,26 @@
 # Input hashes for repository rule npm_translate_lock(name = "npm", pnpm_lock = "@@//:pnpm-lock.yaml").
 # This file should be checked into version control along with the pnpm-lock.yaml file.
 .npmrc=-2065072158
-pnpm-lock.yaml=-481966245
+pnpm-lock.yaml=-1309835144
 examples/npm_deps/patches/meaning-of-life@1.0.0-pnpm.patch=-442666336
 package.json=-275319675
 pnpm-workspace.yaml=-1178830835
 examples/js_binary/package.json=-41174383
+examples/linked_empty_node_modules/package.json=-1039372825
 examples/macro/package.json=857146175
 examples/npm_deps/package.json=-1377141392
 examples/npm_package/libs/lib_a/package.json=-1377103079
 examples/npm_package/packages/pkg_a/package.json=1006424040
 examples/npm_package/packages/pkg_b/package.json=1041247977
 examples/webpack_cli/package.json=1911342006
 js/private/coverage/bundle/package.json=-1543718929
+js/private/image/package.json=-1260474848
+js/private/test/image/package.json=-687546763
+js/private/test/js_run_devserver/package.json=-260856079
 js/private/worker/src/package.json=1608383745
-npm/private/test/package.json=1756993924
+npm/private/test/package.json=600650131
 npm/private/test/vendored/lodash-4.17.21.tgz=-1206623349
 npm/private/test/npm_package/package.json=-1991705133
 npm/private/test/vendored/is-odd/package.json=1041695223
 npm/private/test/vendored/semver-max/package.json=578664053
-examples/linked_empty_node_modules/package.json=-1039372825
 examples/npm_package/packages/pkg_d/package.json=1110895851
-js/private/image/package.json=-1260474848
-js/private/test/image/package.json=-687546763
-js/private/test/js_run_devserver/package.json=-260856079

npm/private/npm_package_store.bzl

@@ -205,25 +205,20 @@ def _npm_package_store_impl(ctx):
         else:
             package_store_directory = ctx.actions.declare_directory(package_store_directory_path)
             if utils.is_tarball_extension(src.extension):
-                # npm packages are always published with one top-level directory inside the tarball, tho the name is not predictable
-                # we can use the --strip-components 1 argument with tar to strip one directory level
-                args = ctx.actions.args()
-                args.add("--extract")
-                args.add("--no-same-owner")
-                args.add("--no-same-permissions")
-                args.add("--strip-components")
-                args.add(str(1))
-                args.add("--file")
-                args.add(src.path)
-                args.add("--directory")
-                args.add(package_store_directory.path)
-
+                # npm packages are always published with one top-level directory inside the tarball,
+                # tho the name is not predictable we can use the --strip-components 1 argument with
+                # tar to strip one directory level. Some packages have directory permissions missing
+                # executable which make the directories not listable (pngjs@5.0.0 for example). Run
+                # `chmod -R a+X` to fix up these packages (https://stackoverflow.com/a/14634721).
+                # See https://github.com/aspect-build/rules_js/issues/1637 for more info.
                 bsdtar = ctx.toolchains["@aspect_bazel_lib//lib:tar_toolchain_type"]
-                ctx.actions.run(
-                    executable = bsdtar.tarinfo.binary,
+                ctx.actions.run_shell(
+                    tools = [bsdtar.tarinfo.binary],
                     inputs = depset(direct = [src], transitive = [bsdtar.default.files]),
                     outputs = [package_store_directory],
-                    arguments = [args],
+                    command = bsdtar.tarinfo.binary.path + " --extract --no-same-owner --no-same-permissions --strip-components 1 --file " +
+                              src.path + " --directory " +
+                              package_store_directory.path + " && chmod -R a+X " + package_store_directory.path,
                     mnemonic = "NpmPackageExtract",
                     progress_message = "Extracting npm package {}@{}".format(package, version),
                 )

npm/private/npm_translate_lock_generate.bzl

@@ -88,8 +88,7 @@ def generate_repository_files(rctx, pnpm_lock_label, importers, packages, patche
 
     link_packages = [helpers.link_package(root_package, import_path) for import_path in importers.keys()]
 
-    defs_bzl_header = ["""# buildifier: disable=bzl-visibility
-load("@aspect_rules_js//js:defs.bzl", _js_library = "js_library")"""]
+    defs_bzl_header = ["# buildifier: disable=bzl-visibility"]
 
     fp_links = {}
     rctx_files = {
@@ -197,10 +196,6 @@ sh_binary(
                         "deps": transitive_deps,
                     }
 
-    if fp_links:
-        defs_bzl_header.append("""load("@aspect_rules_js//npm/private:npm_link_package_store.bzl", _npm_link_package_store = "npm_link_package_store")
-load("@aspect_rules_js//npm/private:npm_package_store.bzl", _npm_package_store = "npm_package_store")""")
-
     npm_link_packages_const = """_LINK_PACKAGES = {link_packages}""".format(link_packages = str(link_packages))
 
     npm_link_targets_bzl = [
@@ -418,6 +413,11 @@ def npm_link_all_packages(name = "node_modules", imported_links = []):
 
     npm_link_targets_bzl.append("""    return link_targets""")
 
+    defs_bzl_header.append("""load("@aspect_rules_js//js:defs.bzl", _js_library = "js_library")""")
+    if fp_links:
+        defs_bzl_header.append("""load("@aspect_rules_js//npm/private:npm_link_package_store.bzl", _npm_link_package_store = "npm_link_package_store")
+load("@aspect_rules_js//npm/private:npm_package_store.bzl", _npm_package_store = "npm_package_store")""")
+
     rctx_files[rctx.attr.defs_bzl_filename] = [
         "\n".join(defs_bzl_header),
         "",

npm/private/test/package.json

@@ -25,6 +25,7 @@
         "typescript": "*",
         "unused": "latest",
         "test-npm_package": "workspace:*",
-        "webpack-bundle-analyzer": "4.5.0"
+        "webpack-bundle-analyzer": "4.5.0",
+        "pngjs": "5.0.0"
     }
 }