npm 5.7.0 overwrites critical Linux file permissions (!!!)

This is an important Public Service Announcement about an extremely hilarious problem with npm. But the bottom line is that you should NOT use npm v5.7.0 and probably shouldn’t use npm at all at this point.

The issue on GitHub is worth a read.

In summary:

  • When npm 5.7.0 is run with sudo as a non-root user, npm changes the ownership of critical directories like /etc and /usr.
  • This behavior was not a bug, but appears to have been deliberate (?!).
  • This behavior happens even if you run something as innocuous as sudo npm --help; it’s not limited to, say, installing a package.
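A quick way to verify that nothing like this has happened on a machine is to confirm that the critical directories are still owned by root after running a package manager with sudo. The script below is an added example, not code from the original post or from npm; it assumes GNU coreutils `stat -c` (Linux) and the list of directories to audit is a constructed choice.

```shell
#!/bin/sh
# Added example (not from the original post or from npm): audit ownership of
# critical system directories after running a package manager with sudo.
# Assumes GNU coreutils `stat -c` (Linux); on BSD/macOS use `stat -f %u`.

# Constructed list of directories that must always belong to root (uid 0).
CRITICAL_DIRS="/etc /usr /bin /sbin /lib /var"

# owner_uid PATH -> prints the numeric uid that owns PATH
owner_uid() {
    stat -c '%u' "$1"
}

# check_owned_by PATH UID -> exit 0 if PATH is owned by UID, 1 otherwise
check_owned_by() {
    [ "$(owner_uid "$1")" = "$2" ]
}

# audit_dirs UID DIR... -> reports every DIR not owned by UID;
# the exit status is the number of mis-owned directories (0 means all good)
audit_dirs() {
    expected="$1"
    shift
    bad=0
    for d in "$@"; do
        [ -e "$d" ] || continue   # skip paths that do not exist on this system
        if ! check_owned_by "$d" "$expected"; then
            printf 'WARNING: %s is owned by uid %s, expected uid %s\n' \
                "$d" "$(owner_uid "$d")" "$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone run: audit the list above against root (uid 0).
audit_dirs 0 $CRITICAL_DIRS && echo "OK: all critical directories are owned by root"
```

Run it before and after any `sudo npm ...` invocation; a non-zero exit status means at least one directory changed hands. Installing global packages into a user-owned prefix (`npm config set prefix`) removes the need to run npm under sudo in the first place.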

If you’re wondering why someone might use a pre-release version of npm, bear in mind that:

  • 5.7.0 is a minor release, and in theory that means that there should be no major, backwards-incompatible changes.
  • Although running npm install -g npm will correctly install version 5.6.0, running npm upgrade -g npm installs the pre-release version 5.7.0 for some reason.

I would suggest that you use yarn instead, but they had a similar (and equally hilarious) issue where yarn just… overwrote which.

Man, what is the deal with JavaScript?