
[FR]: Preventing input leakage via global caches #1751

Open
Silic0nS0ldier opened this issue May 22, 2024 · 0 comments
Labels
enhancement New feature or request untriaged Requires traige

What is the current behavior?

Environment variables such as npm_config_cache are unset, leading packages such as sharp to write to and read from locations outside of Bazel.

If sufficiently strict sandboxing is used, this can lead to errors such as the following (execution of the action is on EngFlow).

$ bazel build //:.aspect_rules_js/node_modules/[email protected]/lc
[truncated]
sharp: Installation error: EACCES: permission denied, mkdir '/home/engflow/.npm'
[truncated]

Describe the feature

My suggestion is to add an environment variable npm_config_cache=/tmp/.npm-cache (or something like that) to align more closely with the environment package managers supply to lifecycle hooks. Consensus here should make it more likely for lifecycle hooks of third-party packages to be hermetic out-of-the-box.

The suggestion of using /tmp (specifically, the configured canonical temporary directory) is because sandbox implementations are generally aware of it (read and write allowed, supplies an empty directory for consistency, automatic cleanup after).

npm_config_cache is suggested because the sharp package prefers this in its install lifecycle script. There are likely other environment variables that make sense to set.

It is expected that lifecycle_hooks_envs would override the defaults being proposed here.
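The following is an added example, not code from this issue or from rules_js, that models the behaviour described above: with npm_config_cache unset, an npm lifecycle hook falls back to $HOME/.npm (the '/home/engflow/.npm' path in the error output), which lies outside the sandbox-managed roots; setting a default under the temporary directory keeps the cache inside, and an explicit override (standing in for lifecycle_hooks_envs) still wins over that default. The function names, the list of allowed roots and the sample environment are constructed for illustration.

```python
import posixpath
from typing import Dict, List, Optional

# Constructed for this example: a minimal hook environment with no
# npm_config_cache, as the issue describes.
SAMPLE_HOOK_ENV = {"HOME": "/home/engflow", "PATH": "/usr/bin"}

# Constructed for this example: roots a sandbox implementation allows a
# lifecycle hook to read and write (the action's temp dir and execroot).
SAMPLE_ALLOWED_ROOTS = ["/tmp", "/sandbox/execroot"]


def resolve_npm_cache(env: Dict[str, str]) -> str:
    """Return the directory an npm lifecycle hook would use as its cache.

    npm (and sharp's install script) honour npm_config_cache when set and
    otherwise fall back to $HOME/.npm, the per-user default on Linux.
    """
    explicit = env.get("npm_config_cache")
    if explicit:
        return explicit
    return posixpath.join(env.get("HOME", "/"), ".npm")


def is_inside(path: str, root: str) -> bool:
    """True if 'path' equals 'root' or lies beneath it (pure string paths).

    The trailing '/' check prevents '/tmpfoo' from matching root '/tmp'.
    """
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_cache_leakage(env: Dict[str, str], allowed_roots: List[str]) -> List[str]:
    """Report a cache location that escapes every sandbox-managed root.

    Returns an empty list when the resolved cache is hermetic.
    """
    cache = resolve_npm_cache(env)
    if any(is_inside(cache, root) for root in allowed_roots):
        return []
    source = "npm_config_cache" if env.get("npm_config_cache") else "default $HOME/.npm"
    return [f"npm cache {cache!r} (from {source}) is outside the sandbox"]


def apply_cache_default(
    env: Dict[str, str],
    tmpdir: str,
    overrides: Optional[Dict[str, str]] = None,
) -> Dict[str, str]:
    """Return a copy of 'env' with the proposed default applied.

    npm_config_cache defaults to <tmpdir>/.npm-cache, mirroring the
    suggestion in the issue; 'overrides' (the role lifecycle_hooks_envs
    plays in rules_js) are applied last so they take precedence.
    """
    hermetic = dict(env)
    hermetic.setdefault("npm_config_cache", posixpath.join(tmpdir, ".npm-cache"))
    hermetic.update(overrides or {})
    return hermetic


if __name__ == "__main__":
    # Weak configuration: cache resolves to the user's home directory.
    for finding in audit_cache_leakage(SAMPLE_HOOK_ENV, SAMPLE_ALLOWED_ROOTS):
        print("before:", finding)
    # Corrected configuration: default placed under the temp directory.
    fixed = apply_cache_default(SAMPLE_HOOK_ENV, "/tmp")
    print("after: ", resolve_npm_cache(fixed), audit_cache_leakage(fixed, SAMPLE_ALLOWED_ROOTS))
```

Running the block prints one finding for the sample environment and none once the default is applied; the audit is a pure path comparison, so it can be run against any hook environment dump without touching the filesystem.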

@Silic0nS0ldier Silic0nS0ldier added the enhancement New feature or request label May 22, 2024
@github-actions github-actions bot added the untriaged Requires traige label May 22, 2024