惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
博客园 - 【当耐特】
Microsoft Azure Blog
Microsoft Azure Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
Cloudbric
Cloudbric
The Register - Security
The Register - Security
小众软件
小众软件
PCI Perspectives
PCI Perspectives
G
Google Developers Blog
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Recent Commits to openclaw:main
Recent Commits to openclaw:main
量子位
TaoSecurity Blog
TaoSecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
F
Full Disclosure
N
Netflix TechBlog - Medium
博客园_首页
Last Week in AI
Last Week in AI
A
Arctic Wolf
B
Blog RSS Feed
J
Java Code Geeks
C
Cybersecurity and Infrastructure Security Agency CISA
I
InfoQ
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
MyScale Blog
MyScale Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Jina AI
Jina AI
有赞技术团队
有赞技术团队
S
Schneier on Security
L
Lohrmann on Cybersecurity
P
Privacy & Cybersecurity Law Blog
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Security Latest
Security Latest
Vercel News
Vercel News
博客园 - 司徒正美
Webroot Blog
Webroot Blog
Hacker News: Ask HN
Hacker News: Ask HN
A
About on SuperTechFans

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Scarab Diagnostic Field Test #024 — pnpm CAFS TMPDIR Socket Budget Boundary
Scarab Systems · 2026-06-11 · via DEV Community

This field test targeted a pnpm install failure where a long pnpm-created TMPDIR path could cause lifecycle tooling to exceed the Unix socket path length limit.

The issue shape is deceptively simple:

  • pnpm install runs as root, commonly inside a container
  • pnpm sets TMPDIR inside the pnpm store
  • a git-hosted dependency runs lifecycle tooling during package preparation
  • that tooling creates an IPC socket path under TMPDIR
  • the full socket path becomes too long
  • Node reports listen EINVAL

That visible error makes the failure look like it belongs to Node, tsx, the lifecycle script, or the package being prepared.

But the bounded pnpm-side repair lives somewhere smaller.

The failure was a path-budget problem.

The public case record for this field test is available in the Scarab Field Lab:

https://github.com/scarab-systems/scarab-field-lab

Failure shape

The reported failure happened during git-hosted dependency preparation.

pnpm created a temporary package directory under its store. That directory became the TMPDIR for lifecycle tooling. A lifecycle tool then created an IPC socket path below that temp directory.

The problem is that Unix domain socket paths have a hard length limit.

So the failure was not caused by the package simply “not building.” It was not caused by a missing dependency. It was not even, in the narrow repair sense, caused by the lifecycle tool creating an IPC socket.

The lifecycle tool was doing something normal: creating a socket under TMPDIR.

The problem was that the TMPDIR path pnpm handed to that tool had already consumed too much of the available path budget.

By the time the lifecycle tool appended its own socket path, the final path crossed the limit.

The visible symptom was:

listen EINVAL

But the diagnostic boundary was:

pnpm-owned temp path length versus lifecycle-owned socket path creation.

Boundary

The boundary here is:

pnpm-owned CAFS temporary package directory naming

versus

lifecycle tooling IPC socket paths created under TMPDIR

pnpm does not own every lifecycle script.

It does not own tsx.

It does not own the Unix socket path limit.

It does not own every file or socket a package tool may create under TMPDIR.

But pnpm does own the temporary directory path it gives those tools to work inside.

That is the repair surface.

The fix is not to special-case one package. It is not to patch around tsx. It is not to redesign lifecycle execution. It is not to claim that pnpm can prevent every possible socket path overflow.

The bounded pnpm-side repair is to stop spending unnecessary path length in the CAFS temp directory basename.

That gives lifecycle tools more room to create their own paths below TMPDIR.

What changed

The repair changes CAFS temp directory creation so pnpm uses a shorter generated basename.

The old path shape used a longer generated temp suffix.

The new path shape uses Node’s native temp directory creation with a short prefix:

ts fs.mkdtemp(path.join(baseTempDir, 'tmp'))

That keeps the temp directory inside the pnpm store’s temp area while reducing the basename length.

The patch also removes the path-temp dependency from @pnpm/store.create-cafs-store.

A regression test was added to prove that CAFS temp directories used during git package preparation keep a short basename.

The important part is not just that the name is shorter.

The important part is that pnpm preserves its ownership boundary:

  • keep the pnpm-controlled temp root
  • shorten the pnpm-controlled generated basename
  • leave more room for lifecycle tools below TMPDIR
  • avoid pretending to own the downstream lifecycle tool’s socket construction

That is a narrow repair.

Why the full SDS diagnose mattered

This case was opened as a full SDS field test.

SDS did not need a bespoke scoped run to find the right neighborhood.

That matters because the issue had multiple tempting surfaces:

  • git-hosted dependency preparation
  • root/container behavior
  • lifecycle scripts
  • Node IPC
  • tsx
  • pnpm store paths
  • TMPDIR
  • Unix socket limits

A human or agent could easily chase the loudest part of the stack trace.

The full diagnostic pass surfaced the runtime/temp-artifact neighborhood instead.

That is the purpose of the diagnostic layer.

Not to magically “know the fix.”

Not to invent a patch.

Not to replace maintainer review.

The useful diagnostic move was narrowing the ownership surface:

which part of this failure is pnpm’s to repair?

The answer was not “everything below the stack trace.”

The answer was the CAFS temp directory naming path.

Why this was not a lifecycle-script fix

It would be easy to frame this as a lifecycle tool failure because the crash happens while the lifecycle tool is creating an IPC socket.

But that would put the repair pressure in the wrong place.

The lifecycle tool needs a socket path. It creates that path under TMPDIR. That behavior may be entirely reasonable.

The Unix socket limit is also not negotiable from pnpm’s side.

So the question becomes:

Can pnpm reduce avoidable path length before lifecycle tools enter the picture?

Yes.

That is why shortening the CAFS temp basename is the right class of repair.

It does not make assumptions about the package. It does not depend on one lifecycle tool. It does not require pnpm to understand every downstream socket path. It simply gives the downstream process more path budget.

That is the semantic repair.

The bug is not “a tool used a socket.”

The bug is “pnpm consumed too much path budget before handing off to tools that reasonably create paths under TMPDIR.”

Validation

The repair was validated with focused and project-level pnpm checks.

The important validation point is that the regression proves the generated CAFS temp basename stays short during git package preparation.

For exact validation details, current upstream status, and the public case record, see the Field Lab:

https://github.com/scarab-systems/scarab-field-lab

Field test result

This was a clean path-budget boundary repair.

The issue reduced to:

  • pnpm creates a temporary package directory under its store
  • that directory becomes part of TMPDIR
  • lifecycle tools create additional paths below TMPDIR
  • Unix socket paths have a strict length limit
  • pnpm can shorten the part of the path it owns
  • shortening that basename leaves more room for lifecycle tools

That is the whole repair lane.

The patch does not claim to fix every possible IPC path failure. It does not claim to change Unix socket limits. It does not claim to fix tsx. It does not redesign pnpm lifecycle execution.

It fixes the pnpm-owned part of the path budget.

That is the kind of boundary Scarab/SDS is designed to surface.

Public claim

The correct claim for this field test is:

Scarab/SDS helped drive a bounded repair candidate for pnpm/pnpm#12222, where long pnpm-created TMPDIR paths could cause lifecycle tooling IPC socket paths to exceed the Unix socket path limit during git-hosted dependency preparation as root. A full SDS diagnose surfaced the runtime/temp-artifact neighborhood without requiring a bespoke scoped run. The upstream PR shortens CAFS temporary package directory names using fs.mkdtemp() with a short tmp prefix, removes path-temp from @pnpm/store.create-cafs-store, and adds regression coverage proving the generated CAFS temp basename stays short.

Disclosure: This field report was prepared with AI-assisted editing from my own field-test notes, public issue and PR records, validation summary, and repair record. The technical claims and final wording were reviewed before publication.