Warning from npm install when called from a bash script

I’m writing a bash script to automate deployment to a dedicated server. I use git to push a repository bundle to the server, and then run a script from /bundle.git/hooks/post-receive.

I’m receiving the following warning, and I would like to understand why:

npm WARN saveError EACCES: permission denied, open '/var/www/meteor/tmp/package.json.2712925818'
npm WARN saveError EACCES: permission denied, open '/var/www/meteor/tmp/package-lock.json.3301524933'

I have created a non-sudo user meteor to deal with the npm process. I have added a file to /etc/sudoers.d/ that gives meteor root privileges for certain commands, without asking for a password.

Here’s a much-simplified diagram of the file hierarchy:

tree /var/www/meteor/
├── bundle.git
│   └── hooks
│       └── post-receive
├── deploy.sh
├── raw
│   ├── package.json
│   └── public
│       └── server
... tmp ...
├── bundle
│   ├── package.json
│   └── public
│       └── server
└── archive
    ├── <previous versions of bundle>
    ...

The process is as follows:

  1. Update the raw/ directory, so that it is identical to the bundle on the development machine
  2. Create a temporary copy of raw/ as tmp
  3. Run npm install --production on this temporary copy
  4. Move the current bundle/ directory to an archive
  5. Rename tmp/ as bundle/

/var/www/meteor/bundle.git/hooks/post-receive

#!/bin/sh
GIT_WORK_TREE=/var/www/meteor/raw git checkout -f
cd ../../
sudo ./deploy.sh

/var/www/meteor/bundle.git/deploy.sh

#!/bin/sh

cp -r raw tmp

# Run npm install
ls -al tmp # for debugging
cd tmp/public/server
sudo -u meteor bash -c 'npm install --production'

cd -
chown -R meteor:www-data tmp

# Archive the current version and replace it with the new one
DATE=$(date '+%y%m%d-%H%M')
mv bundle "archive/$DATE"
mv tmp bundle

Here is the output in the terminal window when hooks/post-receive is executed:

$ ./post-receive 
total 24
drwxr-xr-x 3 root       root     4096 Nov 23 09:35 .
drwxr-xr-x 7 blackslate www-data 4096 Nov 23 09:35 ..
-rw-r--r-- 1 root       root       25 Nov 23 09:35 README.md
-rw-r--r-- 1 root       root       12 Nov 23 09:35 date
-rw-r--r-- 1 root       root      187 Nov 23 09:35 package.json
drwxr-xr-x 3 root       root     4096 Nov 23 09:35 public
npm WARN saveError EACCES: permission denied, open '/var/www/meteor/tmp/package.json.2712925818'
npm WARN saveError EACCES: permission denied, open '/var/www/meteor/tmp/package-lock.json.3301524933'
up to date in 0.083s

This output shows that the files package.json.2712925818 and package-lock.json.2712925818 do not exist at the moment when npm install --production is called, so they must be created by npm install itself.

What is npm install doing with these files, and how can I arrange for npm to have permission to save changes to package.json?

Or is it enough that npm is able to read the file, so saving changes to it is irrelevant?
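
The warning paths carry a numeric suffix and sit in /var/www/meteor/tmp, which the listing shows as root:root with mode drwxr-xr-x, while npm runs as meteor. The following is an added example, not part of the original post: a shell sketch of a write-temp-then-rename save, showing that such a save depends on write permission on the containing directory and not on the mode of the file itself. It assumes npm saves package.json this way; atomic_save, can_stage and demo are hypothetical names, and the staging directory is constructed with mktemp.

```shell
#!/bin/sh
# Added example. Constructed stand-in for a "write temp file, then rename" save;
# the ".$$" suffix (shell PID) plays the role of the numeric suffix in the warning.

# atomic_save FILE CONTENT: write FILE.<pid> beside FILE, then rename it over FILE.
atomic_save() {
    target=$1
    tmpfile="$target.$$"
    # Creating the sibling file needs write permission on the DIRECTORY;
    # the mode of FILE itself is never consulted.
    if ! { printf '%s\n' "$2" > "$tmpfile"; } 2>/dev/null; then
        echo "WARN saveError: cannot create '$tmpfile'" >&2
        return 1
    fi
    mv -f "$tmpfile" "$target"
}

# can_stage DIR: true only if the current user may create and rename files in DIR.
# Useful as a pre-flight check before handing DIR to an unprivileged install step.
can_stage() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# demo: constructed staging directory; prints the outcome for each directory mode.
demo() {
    dir=$(mktemp -d) || return 1
    printf '{}\n' > "$dir/package.json"
    chmod 666 "$dir/package.json"      # the file is world-writable...
    for mode in 555 755; do            # ...but only 755 lets the owner add files
        chmod "$mode" "$dir"
        if can_stage "$dir" && atomic_save "$dir/package.json" '{"saved":true}'; then
            echo "dir mode $mode: saved"
        else
            echo "dir mode $mode: save refused"
        fi
    done
    rm -rf "$dir"
}
```

Call demo as a non-root user to see the difference between the two modes; root bypasses directory mode bits, so both saves succeed when it is run as root.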