Spectacular bug appears in npm Node.js package manager


Are you a developer who uses npm as a package manager for your JavaScript or Node.js code? If so, do not upgrade to npm 5.7.0. It can only do harm. As one user reported, “It destroyed 3 production servers after just one deployment!”

So what happened here? According to the npm GitHub bug report, “When running sudo npm under a non-root user (root users do not have the same effect) the file system permissions are heavily changed. For example if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories like /etc, /usr, /boot and other directories needed to run the system. The ownership is recursively changed to the user who is currently running npm.”

In other words, running the new release changes the ownership and permissions of core system files and directories so that the system stops working. A setuid tool such as sudo, for one, refuses to run once its binary no longer belongs to root, so without a working root login there is no easy way to put the ownership back. Many others report the same problem on a variety of Linux distributions, as well as on macOS and FreeBSD.

This led to a heated argument about the release. Or was it a release at all?

Others note that if you look at the actual code, the version on offer is a pre-release and should not have been installed. They are right: the code itself marks 5.7.0 as not ready for release. Still others point out that the npm blog post announcing 5.7.0 certainly reads like an official release announcement.

This led to a lot of finger-pointing. In the meantime, version 5.7.1 has been released with a fix for this critical issue.

While this particular bug has been fixed, the episode revealed more fundamental problems.

First, npm is an essential part of Node.js and JavaScript, which in turn run a large share of today's websites. For all its importance, the npm project has only two developers. Count them: two. That leaves the project far too exposed to simple mistakes, or even to something as mundane as both programmers being asleep when something goes wrong.

This is not the first time npm has shown how fragile it is. Two years ago, npm broke catastrophically when a developer pulled an 11-line package called “left-pad” from the registry, a package that thousands of Node.js programs needed in order to build. Critical infrastructure should not rest on a skeleton crew of two core developers.

The installation routine itself is asking for trouble. As one developer on Hacker News observed, the “npm binary is executed as sudo, then uses the UID and GID of the calling user when reading the directory. I feel like yelling, who thought that was a good idea? If I invoke something with sudo, why does someone think they should try to detect this and do something about it? I want to run as the user sudo defined, not my own user, OF COURSE.”
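The design choice that comment objects to can be shown in a few lines of shell. This is an added example, not npm's code and not from the article: a stand-in for an install step that wants to fix the ownership of its own directory. sudo exports SUDO_UID and SUDO_GID describing the user who typed the command, while id -u reports the effective user the process actually runs as. The function names, the hypothetical prefix /home/alice/.npm-global and the list of system directories the guard refuses are my own assumptions.

```sh
#!/bin/sh
# Added example, not npm's source. Contrasts two ways a tool run under
# sudo can pick the owner for a chown, and adds a guard that refuses to
# touch anything outside the tool's own prefix, so a bad path upstream
# cannot walk the ownership of /, /etc, /usr or /boot away from root.

# What the commenter asks for: the identity sudo actually handed us.
owner_via_effective_ids() {
    printf '%s:%s\n' "$(id -u)" "$(id -g)"
}

# The choice the thread complains about: when SUDO_UID is present, prefer
# the invoking user's ids even though the process is root. Combined with a
# target that is too wide, this is exactly how system directories end up
# owned by an ordinary user.
owner_via_sudo_env() {
    if [ -n "${SUDO_UID:-}" ]; then
        printf '%s:%s\n' "$SUDO_UID" "${SUDO_GID:-$SUDO_UID}"
    else
        owner_via_effective_ids
    fi
}

# is_safe_chown_target <dir> <prefix>
# Accept <dir> only if it is <prefix> itself or lies beneath it, <prefix> is
# absolute and is not the root or a system directory, and <dir> contains no
# ".." component that could escape the prefix. (Assumed list of refusals.)
is_safe_chown_target() {
    dir="$1"; prefix="${2%/}"
    case "$prefix" in
        ""|/etc|/usr|/boot|/bin|/sbin|/lib|/lib64|/var|/home) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    case "$dir" in
        ..|../*|*/..|*/../*) return 1 ;;
        "$prefix"|"$prefix"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry-run planner: prints the chown it would run, or refuses. Nothing on
# disk is changed, so this is safe to try on any host.
plan_chown() {
    dir="$1"; prefix="$2"
    if ! is_safe_chown_target "$dir" "$prefix"; then
        printf 'refusing: %s is outside prefix %s\n' "$dir" "$prefix" >&2
        return 1
    fi
    printf 'chown -R %s %s\n' "$(owner_via_effective_ids)" "$dir"
}
```

Try `SUDO_UID=1000 SUDO_GID=1000 sh -c '. ./guard.sh; owner_via_sudo_env; owner_via_effective_ids'` under sudo on a test box to see the two answers diverge; the guard is the part that matters, because it bounds the damage no matter which owner is chosen.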

Running any command as root or administrator, especially one that makes sweeping changes to the operating system, is always dangerous. What makes this all the more annoying is that you do not need to be root to use npm at all. There have long been several ways to install npm and its global packages as a regular user, for example through a version manager such as nvm, or by pointing npm's prefix at a directory inside your home. Do one of them and you will avoid blowing up your production system.
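Two things a practitioner wants after reading that, as an added example that is not part of the article and not npm's own code: a way to use npm without ever typing sudo, and a quick check of whether a host that has already run the bad release has had its system tree chowned. Assumptions: the prefix $HOME/.npm-global is my choice of name; writing a prefix= line into ~/.npmrc has the same effect as running npm config set prefix, which is what the function imitates so it can run without npm installed; and the audit compares numeric uids from ls -ldn, so it needs no name lookups and works the same on Linux, macOS and FreeBSD.

```sh
#!/bin/sh
# Added example; not from the article and not npm's code.

# setup_user_prefix [dir]
# Point npm's global prefix at a user-owned directory by writing the same
# key that "npm config set prefix <dir>" stores in ~/.npmrc. Global
# installs then land in <dir>/bin and <dir>/lib and never need root.
# The directory name is an assumption; any writable path works.
setup_user_prefix() {
    prefix="${1:-$HOME/.npm-global}"
    mkdir -p "$prefix/bin" "$prefix/lib"
    rc="$HOME/.npmrc"
    touch "$rc"
    # Replace an existing prefix line instead of appending a duplicate.
    grep -v '^prefix=' "$rc" > "$rc.tmp" || true
    printf 'prefix=%s\n' "$prefix" >> "$rc.tmp"
    mv "$rc.tmp" "$rc"
    # Put the new bin directory first on PATH for this session; add the
    # same line to your shell profile to make it permanent.
    PATH="$prefix/bin:$PATH"; export PATH
    printf '%s\n' "$prefix"
}

# audit_ownership <uid> <dir>...
# Print every existing directory whose numeric owner is not <uid> and
# return non-zero if any was found. Run with uid 0 over the system tree
# on a host that has executed "sudo npm" with the broken release.
audit_ownership() {
    want_uid="$1"; shift
    bad=0
    for d in "$@"; do
        [ -e "$d" ] || continue
        # ls -n is POSIX and prints the numeric uid in the third column.
        have_uid=$(ls -ldn "$d" | awk '{print $3}')
        if [ "$have_uid" != "$want_uid" ]; then
            printf '%s owned by uid %s, expected %s\n' "$d" "$have_uid" "$want_uid"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Typical use on a suspect host:
#   audit_ownership 0 / /etc /usr /boot /bin /sbin /lib /var
```

If the audit lists anything, repair needs a root session that still works (or rescue media), because a non-root user cannot chown directories back to root, and a broken sudo will not help you get there.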

Oh, and that reminds me. What are you doing running brand-new code on a production system? This is sysadmin 101: you do not run a new version of a program on a working system until you have tried it somewhere else first. Capiche?

While the code bug was critical, what this whole episode really revealed is an open source community that needs to do a better job of managing, delivering, and using its software. In all three phases, its developers, managers, and users failed. This cannot continue if npm is to remain an important program.
