npm, a widely well-known and vastly popular package manager for the JavaScript programming language, packed with the runtime environment Node.js, that includes a command-line client (npm), packed a critical bug on it’s latest npm v5.7.0 update. This bug was found and first reported on GitHub only three hours after the update was released.
According to Jared Tiala, the software developer who reported this bug to the npm team shortly after it went live, “By running sudo npm under a non-root user (root users are not having the same effect), filesystem permissions are being heavily modified.”
“For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system,” said Tiala. “It appears that the ownership is recursively changed to the user currently running npm.”
This bug seemed initially to have only affected Linux users, but some FreeBSD users have also reported being impacted by this bug. Apple’s macOS and Microsoft’s Windows users didn’t seem to be affected by it.
In the meanwhile, the npm has released npm v5.7.1 update that removes the faulty code, but most affected users will have to reinstall their systems. One GitHub user mentioned on a bug report today “This destroyed 3 production servers after a single deploy!”. Many more issues have added to the complaints, also using Twitter to describe similar issues.
