Slashdot Mirror


Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0 -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

6 of 256 comments

  1. LOL by ArchieBunker · Score: 5, Funny

    A shitscript package manager that does a chmod of /etc and /boot? This thing had to have been written by that Poettering asshole.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:LOL by Anonymous Coward · Score: 5, Funny

      Do you guys really need to inject your rightwing politics into literally EVERY story????

      It's a memorial to the language which attempted to shatter the glass ceiling but was stopped by the patriarchy.

  2. I remain of the opinion... by jawtheshark · Score: 5, Insightful

    I remain of the opinion that none of those "language-specific package managers" have any place on Linux systems. They should use the operating system's package managers and tools.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:I remain of the opinion... by BlueLightning · Score: 5, Informative

      I'd recommend watching this talk:

          https://www.youtube.com/watch?...

      or if you prefer, the excellent-as-usual LWN summary:

          https://lwn.net/Articles/71231...

      I don't like the language-specific package manager situation either, but the way these languages split things up does not lend itself well to the distro packaging model either unfortunately.

  3. Re:Rescue mode by Dracos · Score: 5, Interesting

    The people most likely to be using npm, and an apparently untested bleeding-edge version of it that gets pushed out automagically (there's a separate bug that pushed out 5.7.0 prematurely), deserve this rancid dog food. This is incontrovertible proof that the JS community lacks competence and leadership.

  4. Ugh by i_ate_god · Score: 5, Insightful

    1. There is no reason to run a language-specific packager as root, whether npm, pip, composer, maven, etc. Either the package manager makes packages available to the user in $HOME, or there exists some kind of virtual environment tool. Use them.
    2. Why is NPM chowning anything?
    3. Read the thread, the attitudes there are unfortunate to say the least. A new version of NPM is provided when using NPM to upgrade itself without any arguments, and it grabs a "pre-release" version without warning? The version number is 5.7.0, not 5.7.0-beta or 5.7.0-rc1 or whatever. The NPM people violated semver. So there was no obvious way to know this is not an official release.

    --
    I'm god, but it's a bit of a drag really...