Unlucky Linux boxes trampled by NPM code update, patch zapped

Devs stumble into pre-release beta by using command they didn't understand

NPM – the biz behind the Node.js package management software used to wrangle JavaScript code and various related frameworks – on Thursday undid a code update less than 24 hours after it was issued because the software was messing with Linux file permissions.

The release of npm 5.7.0 on Wednesday – under the company's pre-release next distribution tag rather than its latest distribution tag – prompted reports of server crashes, application failures, and other undesirable behavior for users of some Linux distributions.

The issue was not particularly widespread. To be affected, NPM told The Register, users had to download the software using the npm update npm -g command rather than the more common npm install npm -g command.

About 4,000 individuals, or 0.6 per cent of installs, did so during the 21 hours or so that the subpar update was available.

Those affected also had to be running one of several Linux distributions and to have executed the update command with sudo, a significantly smaller subset of the susceptible group.

Nonetheless, a GitHub Issues post highlighting the mayhem made it sound like a disaster.

Developer Jared Tiala kicked the discussion off by noting the issue "seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders."

Tiala pegged the problem to running the sudo command as a non-root user.

NPM via Twitter acknowledged the issue, noting, "We’ve reverted a patch that could cause ownership changes on some system files."

In its Thursday blog post, the code biz explained, "The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn't, but the change was applied in places that should have used regular mkdirp. This release reverts that patch."

In a phone interview with The Register, Laurie Voss, COO and cofounder of NPM, explained that the intent of the withdrawn revision was to make npm handle permissions more safely by moving away from mkdirp. But, he said, applying that change across the entire code base turned out not to be appropriate everywhere.

mkdirp is a Node.js version of the Unix mkdir command, which, with the -p flag, creates new directories and necessary parent directories that may not yet exist.

The Oakland-based company insists only those participating in its staggered release system would receive code with the distribution tag "next," which is intended to prevent bugs like this from affecting everyone.

Bugs of this sort might be expected from pre-release code but some users of the software contend they were unaware the release was unstable. Allegedly, email notifications went out about the update without making it adequately clear that the release wasn't cleared for public consumption.

In the litany of complaints littering the GitHub Issues thread, doubts about the consistency of NPM's distribution mechanism abound. There's also a fair amount of blaming those affected for not knowing better.

Voss said that while users should not be blamed, there is a misunderstanding of how npm update differs from npm install.

"NPM intends to change the behavior of npm update in global mode to be less confusing to users," said Voss. "It’s absolutely true that the behavior of update -g is poorly understood." ®
