undefined | Better HN

0 pointsdiggan8y ago0 comments

The real fix is to not run npm with sudo. Why would you do that in the first place? npm runs install-scripts when you fetch packages, so you basically open up root access for all the packages you download.

0 comments

7 comments · 2 top-level

paulddraper8y ago· 4 in thread

How is this different than running apt or yum or pacman or most other package managers as sudo?

Somebody has to install system software.

digganOP8y ago

npm is not for managing system software and has not been developed as such. It's a javascript package manager. apt and pacman (and probably yum but never used so can't speak about it) have active maintainers for most packages and the mirrors are well taken care of.

npm is basically a giant array that anyone can add package to.

I'm using them both accordingly.

jguimont8y ago

I believe that node is installed with npm and both are installed in system directories. I think they should by default point the npm global directory to the user dir and not a system dir.

1 more reply

paulddraper8y ago

> npm is not for managing system software

Debatable but irrelevant.

I'm not saying npm is a good or bad system package manager, just that running arbitrary scripts for requested packages and their dependencies is hardly unique.

It's oblivious to single out npm as a package manager that allows you to be pwned by packages in whatever repo you pull from.

1 more reply

breatheoften8y ago

System package managers typically have a significantly stronger trust model — the packages are built and signed by a “trusted” entity who typically takes on a role in verifying that the packages they sign and distribute meet some standard of sanity.

npm gathers sources from a central registry which anyone can upload packages to — and furthermore package references don’t even have to be references to entities in the registry but can also be links to arbitrary git repos ...

Furthermore the set of dependencies to actually be downloaded is quite a bit more dynamic with npm I think because of the version compatability satisfaction algorithm employed by npm — so it’s inherently harder to statically analyze the set of packages a given npm install execution will install vs rpm/apt.

breatheoften8y ago· 1 in thread

This 1000 times. Running npm as sudo is a terrible terrible idea. I remember creating a slack channel in our team called 'never run npm with sudo' and ranting in dramatic fashion to try and overcome the effect of the printed advice which npm used to output in most failure situations to 'try re-running the command with sudo.' This tended to cause developers new to the ecosystem to re-run the command with sudo and create lots of problems for themselves -- in addition to being an extremely bad security practice.

Honestly -- I think npm should be updated to exit without doing anything if it detects its run with root privileges ...

amelius8y ago

True, but then npm can theoretically still e.g. install a keyboard logger for the current user, so you should remember to never run sudo as that user again. Of course, that's doable, but probably too much to ask from most users.

j / k navigate · click thread line to collapse

0 comments

7 comments · 2 top-level

paulddraper8y ago· 4 in thread

How is this different than running apt or yum or pacman or most other package managers as sudo?

Somebody has to install system software.

digganOP8y ago

npm is basically a giant array that anyone can add package to.

I'm using them both accordingly.

jguimont8y ago

I believe that node is installed with npm and both are installed in system directories. I think they should by default point the npm global directory to the user dir and not a system dir.

1 more reply

paulddraper8y ago

> npm is not for managing system software

Debatable but irrelevant.

I'm not saying npm is a good or bad system package manager, just that running arbitrary scripts for requested packages and their dependencies is hardly unique.

It's oblivious to single out npm as a package manager that allows you to be pwned by packages in whatever repo you pull from.

1 more reply

breatheoften8y ago

breatheoften8y ago· 1 in thread

Honestly -- I think npm should be updated to exit without doing anything if it detects its run with root privileges ...

amelius8y ago

j / k navigate · click thread line to collapse