Slashdot Mirror


Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0 -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

5 of 256 comments

  1. I remain of the opinion... by jawtheshark · · Score: 5, Insightful

    I remain of the opinion that none of those "language-specific package managers" has any place on Linux systems. They should use the operating system's package managers and tools.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:I remain of the opinion... by PPH · · Score: 4, Insightful

      This.

      Or nothing other than the system package manager should run as root. Create a top level sub directory and a product specific user/group. And then let it run in its own file space as its own user. There is very little on a *NIX system that HAS to be owned by root. As long as it's readable and executable by all, that's good enough.

      --
      Have gnu, will travel.
  2. Re: Rescue mode by Computershack · · Score: 4, Insightful

    I'm guessing you've never run Windows 10.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  3. Ugh by i_ate_god · · Score: 5, Insightful

    1. There is no reason to run a language-specific packager as root, whether npm, pip, composer, maven, etc. Either the package manager makes packages available to the user in $HOME, or there exists some kind of virtual environment tool. Use them.
    2. Why is NPM chowning anything?
    3. Read the thread, the attitudes there are unfortunate to say the least. A new version of NPM is provided when using NPM to upgrade itself without any arguments, and it grabs a "pre-release" version without warning? The version number is 5.7.0, not 5.7.0-beta or 5.7.0-rc1 or whatever. The NPM people violated semver. So there was no obvious way to know this is not an official release.

    --
    I'm god, but it's a bit of a drag really...
  4. Re: LOL by Anonymous Coward · · Score: 2, Insightful

    I use npm daily as a non root user. People are just too lazy to take the extra 2 minutes to set it up correctly and instead just throw it to sudo. Run shit as root when there is no reason to and you're gonna have a bad time.
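Several posters above (PPH, i_ate_god, the Anonymous Coward) say the same thing: keep npm's "global" installs inside a user-owned directory so no step ever needs root. The following is an added example of that setup, not code from npm or from anyone in the thread. It assumes a POSIX sh, npm's standard per-user config file `~/.npmrc` with its `prefix=` key, and a prefix location of `$HOME/.npm-global` (a name chosen for this example; `NPM_PREFIX` is likewise this example's own variable). The functions edit the config file directly so the check logic can be exercised without npm installed.

```shell
#!/bin/sh
# Added example: put npm's global prefix under $HOME so "npm install -g"
# never needs sudo and never touches /usr, /etc or any other system path.
# Not npm's own code; NPM_PREFIX and the helper names are this example's.

NPM_PREFIX="${NPM_PREFIX:-$HOME/.npm-global}"

# write_user_npmrc PREFIX NPMRC -> creates PREFIX/bin and PREFIX/lib and sets
# "prefix=PREFIX" in NPMRC, replacing any existing prefix line rather than
# appending a second one (npm reads the last one, so duplicates are confusing).
write_user_npmrc() {
    prefix=$1
    rc_file=$2
    mkdir -p "$prefix/bin" "$prefix/lib"
    if [ -f "$rc_file" ]; then
        # grep -v exits 1 when every line was a prefix line; that is not an error here.
        grep -v '^prefix=' "$rc_file" > "$rc_file.tmp" || true
    else
        : > "$rc_file.tmp"
    fi
    printf 'prefix=%s\n' "$prefix" >> "$rc_file.tmp"
    mv "$rc_file.tmp" "$rc_file"
}

# npmrc_prefix NPMRC -> prints the prefix configured in NPMRC (empty if none).
npmrc_prefix() {
    sed -n 's/^prefix=//p' "$1" 2>/dev/null | tail -n 1
}

# prefix_is_safe PREFIX HOME -> 0 if PREFIX lives inside HOME, so nothing a global
# install writes or chowns can land on a system directory; 1 otherwise.
prefix_is_safe() {
    case $1 in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# path_has_prefix_bin PREFIX PATHVALUE -> 0 if PREFIX/bin is already on PATHVALUE.
path_has_prefix_bin() {
    case ":$2:" in
        *":$1/bin:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: only report; the actual write is left to the user so that
# running this file never modifies a real ~/.npmrc by surprise.
if prefix_is_safe "$NPM_PREFIX" "$HOME"; then
    printf 'prefix %s is inside %s: global installs will not need root\n' \
        "$NPM_PREFIX" "$HOME"
else
    printf 'WARNING: prefix %s is outside %s; pick a directory you own\n' \
        "$NPM_PREFIX" "$HOME"
fi
if path_has_prefix_bin "$NPM_PREFIX" "$PATH"; then
    printf '%s/bin is already on PATH\n' "$NPM_PREFIX"
else
    printf 'add to your shell profile:  export PATH="%s/bin:$PATH"\n' "$NPM_PREFIX"
fi
printf 'to apply:  write_user_npmrc "%s" "$HOME/.npmrc"\n' "$NPM_PREFIX"
```

Once `prefix=` points inside `$HOME` and `$HOME/.npm-global/bin` is on `PATH`, `npm install -g <pkg>` and `npm install -g npm` run as the ordinary user; an npm bug that tries to chown its prefix can then only affect files the user already owns.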