
Series of critical bugs in NPM are destroying server configurations

A new version of NPM causes file permissions to be broken under certain circumstances, breaking other applications in the process.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A bug in version 5.7.0 is breaking permissions on root files and folders when NPM is run as an administrator.
  • NPM 5.7.0 is a prerelease version, but a separate bug in the upgrade command results in systems being updated to this version.

A combination of bugs and communication failures from NPM developers has resulted in an outbreak of headaches for system administrators. In version 5.7.0, running sudo npm will result in file permissions being reset across the filesystem, breaking the operation of NPM and practically anything else that requires file permissions to work. (The same behavior does not occur when run directly as root.)

This is not where the problems start or end, however. This bug—#19883—points to this commit, "which is traversing and running chown on the wrong, often critical, filesystem files and folders." This bug was introduced in the 5.7.0 release, which based on this blog post seems to be a normal release. If you run npm update, it will install 5.7.0. There's no indication at all—not in the version string, not in the release announcement—that this is a pre-release version of NPM.


But it is. As it happens, a separate bug—#19888—causes pre-release versions to be installed when npm update is run. While the permissions bug has been patched in 5.7.1, which you could update to by running npm update, this release also incorrectly lacks tags indicating it is not ready for production. In order to return to a safe version of npm, you should run npm install -g npm.

Adding insult to injury, contributors are being abusive toward commenters in the bug reports. Mike Sherov, the Head of Engineering for Behance (an Adobe service), commented:

[Screenshot: Mike Sherov's comment on the bug report]

Sherov, listed as the 19th most active contributor to NPM on GitHub, does shed light on an important issue. There's no reason for two people to carry the bulk of the weight of development on their shoulders. Alas, despite using GitHub, development is limited mostly to two people—the last time a pull request from an outsider was merged was in November. Community participation could have mitigated this issue, as this pull request noting issues with NPM's interaction with sudo in July pointed out.

Ultimately, at the root of the issue (pardon the pun) is why NPM requires sudo to begin with. This is not substantively different from opening up permissions in order to get things to just work, without a concern for security. There are ways around needing to use sudo, however.
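As an added example (not from the article or from the npm project), a small POSIX shell audit a sysadmin could run after such an incident: it lists entries under a tree whose owner is not the expected uid, which is the symptom of a chown run over the wrong paths, and it includes a helper that recognizes the "sudo from a normal user" condition the article ties the bug to. The directory names in the usage comment are assumptions about a standard Unix layout.

```shell
#!/bin/sh
# Added example, not code from the article or from npm.

# Print every entry under DIR whose owner is not EXPECTED_UID, one path per line.
# Usage: find_unexpected_owner DIR EXPECTED_UID
# -xdev keeps the walk on one filesystem; the numeric uid form of -user is POSIX.
find_unexpected_owner() {
    dir=$1
    uid=$2
    find "$dir" -xdev ! -user "$uid" 2>/dev/null
}

# Number of offending entries under DIR (0 means the tree is clean).
count_unexpected_owner() {
    find_unexpected_owner "$1" "$2" | wc -l | tr -d ' '
}

# Exit status 0 when the caller looks like "sudo <cmd>" from an ordinary user:
# effective uid 0 together with SUDO_USER set (sudo exports it). A direct root
# shell has no SUDO_USER, matching the article's note that the bug does not
# occur when npm is run directly as root.
# Usage: is_sudo_session "$(id -u)" "${SUDO_USER:-}"
is_sudo_session() {
    [ "$1" -eq 0 ] && [ -n "$2" ]
}

# Typical post-incident invocation on a system whose core trees should be
# root-owned (assumed paths; adjust for your distribution):
#   for d in /usr/local/lib /usr/local/bin /etc; do find_unexpected_owner "$d" 0; done
```

Review the listed paths by hand before changing ownership back; some trees (a user's home, a service account's data directory) are legitimately owned by a non-root uid.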

NPM has a checkered past in terms of project leadership. In 2016, the messaging service Kik requested that developer Azer Koçulu, who had an unrelated package with the same name, change the name of his package. After declining, lawyers representing Kik contacted NPM CEO Isaac Schlueter, who assigned ownership of the package to Kik. Koçulu unpublished all of his modules from NPM, among them the "left-pad" module, which had been downloaded 575,000 times in the week prior to the incident, according to ZDNet.

Users seeking a replacement for NPM would be well advised to consider Yarn.


About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
