from Hacker News

Do not use NPM 5.7

by jguimont on 2/22/18, 5:18 AM with 225 comments

• by zaarn on 2/22/18, 12:59 PM

  Excuse me, but what the fuck?

  Looks like the line responsible checks if the npm binary is run as sudo and then uses the UID and GID of the invoking user when chowning the directory. [ https://github.com/npm/npm/blob/latest/lib/utils/correct-mkd... ]

  I feel like screaming, who thought this was a good idea? If I invoke something as sudo, why does anyone think it should try to detect that and do anything about it? I want to run as the user sudo has set, not my own user, OBVIOUSLY.

  Don't try to be smart about sudo, you will break stuff.

• by lucideer on 2/22/18, 1:21 PM

  This is really horrific.

  The idea that correctMkdir() exists at all seems to me to be so wrong-headed.

  This comment from the source says a lot:

      // annoying humans and their expectations!
  

  Good UX is an important, oft-overlooked consideration, but there is definitely such a thing as taking it too far. If your humans are expecting this level of hand-holding, it's because you've trained them to expect it by pandering to them up until now. This is the kind of problem that should be handled with good, detailed, error message display when users don't get the result they expect, not "fixing" it with over-reaching magic.

  I'm not sure I'd trust anything put out by the npm team in general from hereonin if they genuinely thought creating the correct-mkdir.js file in the first place was a reasonable idea. Is it? Genuinely open to a counter-argument.

• by btown on 2/22/18, 1:28 PM

  There appear to be no unit tests for their entire lib/utils folder. Which includes things like this (misguided) chown utility. https://github.com/npm/npm/tree/release-next/test - and note the lack of testing in the commit linked in the bug report.

  I had an inkling that NPM was cancer, but not like this.

  Yarn, by contrast, has everything you would expect of a Facebook-engineered library: https://github.com/yarnpkg/yarn/tree/master/__tests__/util

  Will be closely evaluating a switch to Yarn for our live apps. This is simply sad.

• by officialchicken on 2/22/18, 7:58 PM

  It's been almost 2 years since the great left-pad debacle[0]. The last major npm issue[1] was less than 2 months ago. While the underlying npm registry security issues will remain for a while (and other languages don't seem to have these issues with their package managers), there doesn't seem like there's too much I can do other than use yarn. And hope an alternative registry will appear.

  Since I 'vote' with my code - this migration page has been helpful today - and I hope it will help others: https://yarnpkg.com/lang/en/docs/migrating-from-npm/

  It took me ~5 mins to migrate all of my code from npm to yarn. But I don't have complex CI tasks either.

  I use ncu to check updates every couple of days, sometimes more frequently. To further distance myself from npm, can anyone comment on the pros/cons of github repo paths instead of package names in package.json?

  [0] https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos

  [1] https://github.com/npm/registry/issues/255

  *edit: formatting

• by jlgaddis on 2/22/18, 4:03 PM

  I just can't feel sorry for folks when I see comments like this one:

  > This destroyed 3 production server after a single deploy!

  I do think that the developers have a duty to do some testing of their software before putting out releases/updates. However, users also have a duty to perform sufficient testing before they push new versions to their production environments.

  In my opinion, it's kinda like losing data because you didn't make and/or test your backups. It's a really crappy way to have to learn a lesson but at least they've finally learned it -- and if they haven't, well, then maybe they will the next time it happens.

• by boffinism on 2/22/18, 3:58 PM

  Good lord, when I try to follow the link I get the Unicorn error page with the message 'This page is taking way too long to load. Sorry about that. Please try refreshing and contact us if the problem persists.'

  Has this issue provoked so much outrage that GitHub can't handle the constant stream of angry emojis on the issue comment thread?

• by foepys on 2/22/18, 4:01 PM

  Apart from being a horrific bug, why are people running npm as root? Why don't they install it somewhere below $HOME and modify $PATH? npm is working fine without root permissions.

  Everything is super dangerous as root, one should avoid using root at all costs until there is no other way.

• by master-litty on 2/22/18, 6:54 PM

  http://blog.npmjs.org/post/171169301000/v571

    Thankfully, it only affected users running `npm@next`, which is part of our staggered release system
  
    #STOPUSINGPRERELEASEWITHSUDO
  

  Really now?

    #ANGRYORANGEWEBSITE #PEOPLEGOTMAD
  

  :)

• by mkj on 2/22/18, 1:30 PM

  Reminds me of a recent Yarn problem, overwriting which(1). https://github.com/yarnpkg/yarn/issues/4205

• by hysan on 2/22/18, 3:49 PM

  Doesn't really surprise me when you have other issues like this (https://github.com/npm/npm/issues/17929) that have persisted for a long time. NPM 5.x in general hasn't been very stable.

• by nwhatt on 2/22/18, 6:29 PM

  Wow the toxicity on that thread is appalling. I feel like I need to a tool when hiring people that automatically shows me their github comments with the most reactions.

• by akras14 on 2/22/18, 5:59 PM

  Wayback link, of someone has a better mirror please post: http://web.archive.org/web/20180222170341/https://github.com...

• by InclinedPlane on 2/22/18, 7:53 PM

  From: https://github.com/npm/npm/releases/tag/v5.7.1

  "Thankfully, it only affected users running npm@next, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest would have never seen this!"

  If you are updating to the latest pre-release of something within mere hours of it dropping and you are updating production systems (presumably that have some business value) with no previous testing then the consequences of that aren't on the devs they are 100% on you. And you don't deserve to call yourself an IT (or Ops or DevOps or what-have-you) professional, that is amateurish behavior in the extreme.

• by RX14 on 2/22/18, 5:09 PM

  My personal opinion is that the root cause of the issue is the ability of a language pacakge manager to mess with system files at all (i.e. do a global install of anything). Shards, the crystal package manager makes the sensible design decision to only install libraries into `$PWD/lib` and binaries into `$PWD/bin`. Everything is local only to your project. If you want a binary on your PATH, you can create an installation method that works for your commandline tool's specific usecase. Hopefully a distro/homebrew package.

  I wrote about this in longer form here: https://github.com/crystal-lang/crystal/pull/3328#issuecomme....

• by ishanjain28 on 2/22/18, 2:56 PM

  npm is one of the few tools that I am afraid to have on my Laptop, Because unlike most tools I have used, When npm does something wrong, It'll ruin not just itself but a lot more directories on my pc which is annoying to fix.

• by dictum on 2/22/18, 2:35 PM

  Oh well, I remember fondly that one time I had an important deadline whooshing by (with that lovely sound Douglas Adams knew) and I happened across this cute little bug:

  http://appleinsider.com/articles/09/10/12/snow_leopard_guest...

  (Yeah, it's that much-vaunted Snow Leopard.)

  I do remember scrambling to recover my backups. Back then, I didn't make full-disk backups, so I had to assemble my user folder from various places. Everything else that transpired that night and the day after remains a haze.

• by jehlakj on 2/22/18, 5:00 PM

  Why do people feel the need to update especially on production servers? Shouldn’t production servers be updated only when necessary?

• by obw on 2/22/18, 12:06 PM

  I find it interesting that nobody noticed this before public release. And apparently this version is a pre-release? But that isn't specified on the blog post?

• by dlandis on 2/22/18, 6:43 PM

  As a semi-outsider to the frontend and node development worlds, it continues to surprise me that a viable alternative to npm still hasn't come along. Not trying to pile more hate on npm, but there's been many years of complaints about instability, horrid UX, bad security model, user hostility, etc. Yarn was just a first step. If there was a system with half the features, but made sense and was secure I think the community would shift very quickly.

• by whatever_dude on 2/22/18, 8:30 PM

  I swear NPM has some absurd showstopping bug every month.

  With something that has as many people using it, it's just... I dunno, it's disheartening.

  Edit: oh well, this was a @next release only. Not as bad. Still scary.

• by homulilly on 2/22/18, 7:25 PM

  I really wish node would ship with Yarn instead of NPM. Every serious js project these days already uses it.

• by coreycoto on 2/22/18, 5:57 PM

  CI/CD does not mean deploying code to production by fetching source code from GitHub onto a server used by your customers and then compiling or downloading NPM dependencies.

  That is a recipe for disaster.

• by erulabs on 2/23/18, 11:08 AM

  Looks at correct-mkdir. Sees "cb = dezalgo(cb)". https://www.npmjs.com/package/dezalgo

  "Contain async insanity so that the dark pony lord doesn't eat souls"

  Just... What. I feel like when you need to reach for tools to "contain insanity", you might want to backup and ask someone who has written to a filesystem before... The linked blog about "preventing the release of Zalgo" and the linked https://blog.ometer.com/2011/07/24/callbacks-synchronous-and... seem completely erroneous. The entire point of callbacks is to _surrender_ control to a function - here is a piece of code to run when you are ready - now, sometime, or never, or maybe many times, as you see fit. Waiting until the next process tick seems so completely unnecessary... This strikes me heavily as "a solution in desperate search of a problem" - although I have that feeling with a _lot_ of NodeJS code I read...

  The author of the blog linked on the dezalgo project seems to, at the end of the post, imply the purpose is for performance? By deferring work until a later date?

  "The basic point here is that “async” is not some magic mustard you smear all over your API to make it fast. Asynchronous APIs do not go faster. They go slower. However, they prevent other parts of the program from having to wait for them, so overall program performance can be improved."

  Other parts of the program _other than the work we've asked it to do_? What if we're only "correctly making" one directory? So we intentionally make our code slower... So that "other code" can run? He continues:

  "This makes the API a bit trickier to use, because the caller has to know to detect the error state. If it’s very rare, then there’s a chance that they might get surprised in production the first time it fails. This is a communication problem, like most API design concerns, but if performance is critical, it may be worth the hit to avoid artificial deferrals in the common cases."

  So it's slower -and- more complicated, and we're gonna hide it behind a meme. Gotcha.

• by _Chief on 2/22/18, 6:01 PM

  I wish fixing of npm global directory permissions was part of the npm install page (https://docs.npmjs.com/getting-started/installing-node), or mentioned at least. My first few npm setups always left me in permissions hell as I'd just use the install page, ignoring the next steps.

• by ashtonian on 2/22/18, 8:02 PM

  https://www.dayssincenpmbroke.com/

  accepting PRs: https://github.com/Ashtonian/dayssincenpmbroke.com

• by x2e2l2a on 2/23/18, 7:51 PM

  A user of NPM that needs to use `sudo npm` simply did not properly install nodejs into the user directory. NPM is packaged with the node version you are running. So if you installed node with a root user or in a directory that requires root user access you will need to sudo to use `npm`. But if you properly install node under your user you will never have an issue. Anyone that does `sudo npm` did not install nodejs under their user. This may be confusing to people because a lot of tutorials tell you to use `sudo npm`. NPM is a piece of software that is consumed by millions of people and different devices. It is crazy to think there will be no side effects to how people use something where it was not designed.

• by kuon on 2/22/18, 7:00 PM

  Running npm as root is bad, either install the npm package from your distribution (apt, pacman...) or, to use `npm install -g` edit `.npmrc` add `prefix=/home/<me>/.node` in it, and add `~/.node/bin` to your path.

• by Sujan on 2/22/18, 5:58 PM

  Reading this and the comments here really makes me feel sorry for the npm people.

  If you are reading this: You are doing great work, I wish you the energy and strength to ignore the trolls.

• by tuananh on 2/23/18, 1:18 AM

  Switching to yarn is not going to fix this. However, this raise some concern about npm cli

  - we are relying on 2 people team for our applications. - maintainer doesn't seem to care much about this horrific bug: https://imgur.com/a/v4Ndb

• by johnvega on 2/22/18, 9:31 PM

  About a week ago, I attended a tech talk by a Google employee, a senior position, who said, if I remembered correctly, that their testing effort uses the most of their hardware resources at entire Google. Software testing can be difficult and challenging, but it is a critical part.

• by jxkcicickgkicu on 2/22/18, 5:36 PM

  Why would reporter run sudo npm???

• by Sujan on 2/22/18, 5:57 PM

  Title should be changed to 5.7.0 as newly released 5.7.1 fixes the bug.

• by my_ghola on 2/22/18, 8:27 PM

  I just looked at my /usr/lib/node_modules directory and it's No man's land in there and I'm on npm 5.6.0. How could this go unnoticed for so long?

• by atilkan on 3/4/18, 6:17 PM

  Destroyed my local packages. Can't resist to yarn anymore. Switched.

• by digi_owl on 2/22/18, 5:30 PM

  Remind me again why there are language specific package managers...