Upgrading with 0.161.1 i get an error obviously related to new security in 0.161.0.
But despite reading and trying to understand the advice in the release doc, I just fail to understand what i have to do (in security.node permission I guess)
Any hint or advice welcome.
PS : hugo server doesn’t show this error, confirming relation with postcss process
panic: POSTCSS: failed to transform "/css/style.css" (text/css): Error: Access to this API has been restricted. Use --allow-fs-read to manage permissions.
at Object.existsSync (node:fs:286:18)
at isFile (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/node.js:38:19)
at /Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/node.js:317:11
at eachParent (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/node.js:49:18)
at Object.findConfig (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/node.js:305:20)
at browserslist.loadConfig (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/node.js:223:37)
at browserslist (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/browserslist/index.js:411:31)
at Browsers.parse (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/autoprefixer/lib/browsers.js:54:12)
at new Browsers (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/autoprefixer/lib/browsers.js:42:26)
at loadPrefixes (/Users/didiergeorgieff/Documents/Git/osteo-timer/node_modules/autoprefixer/lib/autoprefixer.js:113:20) {
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
resource: '/Users/didiergeorgieff/Documents/Git/package.json'
}
And I finally just got it working with this command (and the 2 modified files upper):
NODE_OPTIONS="--permission --allow-fs-read=/Users/didiergeorgieff/Documents/Git/osteo-timer --allow-fs-read=/Users/didiergeorgieff/Documents/Git" hugo server
But I am wondering if it is a dirty hack of will be our future ?
ANd also i hve to figure how to industrilize it for Netlify.
Yes. Thanks. This is the cleanest quick one.
I will try to make my head around this and post something if relevant. The doc is fine but not so easy to understand at first.
Anyway million thanks (again) for your incredible reactivity (and accuracy).
My best guess is that this is browserlist (used in autoprefixer); which walks up the tree (and outside of the Hugo project) to find the first browser config. I had a similar issue in a project I tested with, and if I remember correctly they have fixed this in a recent version of browserlist so it works better with Node’s permission model. Also, there should be a way to add a browserlist config to the project itself to avoid this.
I already had added a .browserslistrc 0.5% last 2 versions not dead
and done npx update-browserslist-db@latest
Mmmmm. As you ask for PostCSS this site is a old one i wanted to update.
And strangely I use “{{- $css = $css | css.PostCSS $options}}” and have no PostCSS file.
ERROR error building site: render: [en v1.0.0 guest] failed to render pages: render of “/opt/build/cache/hugo_cache/modules/filecache/modules/pkg/mod/github.com/jmooring/hugo-module-feature-test@v0.6.0/content/other-tests/postcss.md” failed: “/opt/build/cache/hugo_cache/modules/filecache/modules/pkg/mod/github.com/jmooring/hugo-module-feature-test@v0.6.0/layouts/other-tests/postcss/page.html:15:15”: execute of template failed: template: other-tests/postcss/page.html:15:15: executing “main” at <.Content>: error calling Content: POSTCSS: failed to transform “/temp/css” (application/octet-stream): Error: Access to this API has been restricted. Use --allow-fs-read to manage permissions.
I could get that working on Netlify by shifting to ESM style imports in the postcss config:
There’s a longer story here, and possibly something to be improved on in Hugo, but it’s not entirely clear to me at the moment:
Your site also works if you run hugo mod vendor and commit the source, which suggests there some Node magic walking upwards.
Your site also works if you set HUGO_CACHEDIR to e.g. */opt/build/repo/.hugo_cache"
The error points at /opt/build/cache/node_modules/autoprefixer/package.json and Hugo’s default cache dir on Netlify is /opt/build/cache/hugo_cache/ – which indicates that the overlap makes Node try to resolve inside the node_modules cache.
I have tested the PR below OK on your projected in a similar setup as Netlify. I would say that Netlify (and I also think Cloudflare) way of placing a node_modules folder at the root of the cache dir is very shaky/buggy, but I’m guessing that ship has sailed.
If you use the postcss-preset-env plugin, there is an additional error, even after converting the config to ESM:
ERROR error building site: render: [de v1.0.0 guest] failed to render pages: render of "/my/path/content/de/blog/myblog/index.md" failed: "/my/path/layouts/_default/baseof.html:35:42": execute of template failed: template: single.html:35:42: executing "single.html" at <$style.RelPermalink>: error calling RelPermalink: POSTCSS: failed to transform "/styles/index.css" (text/css):
Error: Access to this API has been restricted. Use --allow-fs-read to manage permissions.
at Object.existsSync (node:fs:289:18)
at isFile (/my/path/node_modules/browserslist/node.js:42:19)
at /my/path/node_modules/browserslist/node.js:200:16
at eachParent (/my/path/node_modules/browserslist/node.js:53:18)
at Object.getStat (/my/path/node_modules/browserslist/node.js:198:15)
at Object.browserslist [as default] (/my/path/node_modules/browserslist/index.js:439:19)
at plugin (/my/path/node_modules/postcss-preset-env/dist/index.js:437:61)
at file:///my/path/postcss.config.mjs?t=1782769228990:12:9
at ModuleJob.run (node:internal/modules/esm/module_job:413:25)
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:660:26) {
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
resource: '/my/browserslist-stats.json'
}