Unlucky Linux boxes trampled by NPM code update, patch zapped

23 February 2018

NPM – the biz behind the Node.js package management software used to wrangle JavaScript code and various related frameworks – on Thursday undid a code update less than 24 hours after it was issued because the software was messing with Linux file permissions.

The release of npm 5.7.0 on Wednesday – under the company’s pre-release next distribution tag rather than its stable distribution tag – prompted reports of server crashes, application failures, and other undesirable behavior for Linux users.

The issue was not particularly widespread. To be affected, NPM told The Register, users had to download the software using the npm update npm -g command rather than the more common npm install -g npm command.

About 4,000 individuals, or 0.6 per cent of installs, did so during the 21 hours or so that the subpar update was available.

And then those affected had to be running one of several Linux distributions and had to execute the update command with sudo, a significantly smaller subset of the susceptible group.

Nonetheless, a GitHub Issues post highlighting the mayhem made it sound like a disaster.

Developer Jared Tiala kicked the discussion off by noting the issue “seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders.”

Tiala pegged the problem to running the sudo command as a non-root user.

NPM via Twitter acknowledged the issue, noting, “We’ve reverted a patch that could cause ownership changes on some system files.”

In its Thursday blog post, the code biz explained, “The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn’t, but the change was applied in places that should have used regular mkdirp. This release reverts that patch.”


Source: The Register. Read the full article here: http://go.theregister.com/i/cfa/http://www.theregister.co.uk/2018/02/23/npm_undoes_patch/
