Major npm flaw crashes Linux systems, forces users to reinstall

According to the npm bug report on GitHub, npm user Crunkle noted that npm 5.7.0 completely corrupted his filesystem permissions, forcing him to manually fix the permissions of critical files and folders.

This issue has been happening ever since 5.7.0 was released a few hours ago. It seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders. I believe that it is related to the commit 94227e1 which is traversing and running chown on the wrong, often critical, filesystem files and folders.

By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified. For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system. It appears that the ownership is recursively changed to the user currently running npm.

I found that a selection of directories in / were owned by a non-root user after running sudo npm and many binaries in /usr/bin stopped working as their permissions were changed. People experiencing this bug will likely have to fully reinstall their system due to this update.

Another user, juggy, said that a single npm 5.7.0 deployment destroyed 3 running servers. Redboltz, who runs a Linux AMI on AWS EC2, also said he could no longer run sudo after deploying npm 5.7.0 and had to rebuild the EC2 instance.

Node Package Manager (npm) is the package manager for the JavaScript programming language and the default package manager for Node.js. It provides libraries and plug-ins for Node.js, Ember, jQuery, Bootstrap, React, Angular, and many other JavaScript frameworks.

Changing the ownership and permissions of system files can cause programs or the whole system to crash, or even leave the system unable to boot.

npm, Inc. has released npm v5.7.1, a version that removes the buggy code.
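
To check whether a host shows the symptom described in the bug report (system directories recursively re-owned by the user who ran sudo npm), the following added example, which is not from npm or the bug report, lists entries under the given directories that are owned by a given uid. The script name `audit.sh` and the function names are hypothetical; the uid argument is assumed to be the account that invoked sudo npm.

```shell
#!/bin/sh
# Added example: find entries under system directories that are owned by an
# ordinary user account, the symptom reported for npm 5.7.0 run via sudo.

# Print every entry under directory $1 owned by numeric uid $2.
# -xdev keeps find on one filesystem, so other mounts are not traversed.
owned_by() {
    find "$1" -xdev -user "$2" -print 2>/dev/null
}

# Count those entries (names containing newlines would be over-counted).
count_owned_by() {
    owned_by "$1" "$2" | wc -l | tr -d ' '
}

# audit <uid> <dir>...: report each directory containing entries owned by
# <uid>. Returns 1 if any were found, 0 if all directories are clean.
audit() {
    uid=$1
    shift
    status=0
    for dir in "$@"; do
        n=$(count_owned_by "$dir" "$uid")
        if [ "$n" -gt 0 ]; then
            echo "$dir: $n entries owned by uid $uid (first 20 shown)"
            owned_by "$dir" "$uid" | head -n 20
            status=1
        fi
    done
    return "$status"
}

# Usage (assumed invocation): sh audit.sh 1000 /etc /usr /boot
if [ "$#" -ge 2 ]; then
    audit "$@"
fi
```

A non-zero exit status means at least one of the listed directories contains entries owned by that user.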