ATTENTION, Public Service Announcement: Do not upgrade your npm. Do not upgrade to 5.7.0, released yesterday.

It changes file permissions of /etc, /boot, /user, … when run with sudo. Avoid, duck, cover, whimper.

5.7.0 is still in the next channel, but it seems a lot of people have upgraded to it accidentally, so just take care.

@rixx I installed npm yesterday for the first time. 😨


To be fair, 5.7.0 is not stable; you have to actively install it via the 'next' tag.

Mostly people crying about having to run a pre-release version as root...and some people hating that two queer women are running the show.

Stay classy bros

@wohali I mentioned the @next thing in the follow-up, but since npm is a common tool, I'd like to think that a warning about something as dangerous as changing ownership of /boot and /etc could still be communicated.

I don't see a connection between my warning and the identity of those running npm at all (which I didn't know anything about).

@rixx I find it disturbing that npm does not use the proper semver for pre-releases. "5.7.0" for me means "minor release", regardless of a tag in the delivery mechanism.

Whoa, that's a big one. I remember npm messing up things before, but this one is really tragic.

@rixx this is something I was waiting to happen since devs migrated off Linuxes and their system-wide user-respecting package managers and adopted the practice of running random shit from the Internet with sudo.

@rixx Wow. I'm seeing so much misinformation about this -- was this a prerelease marked as a release, or are all the victims running prerelease code in prod environments?

@mdm I did post the information that this was a pre-release. A warning is still warranted, imo. People usually don't keep track of the various versioning systems projects employ, since most projects have gravitated towards semver.

@rixx The Mastodon production guide wants you to install Nodejs 6.13.0 (and npm 3.10.10). So nothing to worry about when using nodejs/npm only for Mastodon.

@rixx So do they do all their testing on Windows these days?
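The practical check a reader of this thread wants is whether a privileged npm run has already re-owned system directories. The script below is an added example, not something posted in the thread or shipped by npm: it lists each of the directories named above (/etc, /boot, /usr, the set being an assumption drawn from the posts) whose owner is no longer root, so it can be run before and after any `sudo npm …` command. It relies only on `find` with `-maxdepth 0` and `-user`, which both GNU and BSD find support.

```shell
#!/bin/sh
# Added example (not from the thread): audit ownership of system directories
# that a privileged npm run may have chown'd to an unprivileged user.

# Directories worth checking; this list is an assumption based on the thread.
SYSTEM_DIRS="/etc /boot /usr"

# Print every existing path among the arguments that is NOT owned by root,
# one per line. Nonexistent paths are skipped silently.
not_root_owned() {
  for p in "$@"; do
    [ -e "$p" ] || continue
    # -maxdepth 0 tests only the path itself, not its contents;
    # "! -user root" prints it only when the owner is someone other than root.
    find "$p" -maxdepth 0 ! -user root -print 2>/dev/null
  done
}

# Run the audit over SYSTEM_DIRS. Exit status 1 means something is wrong.
audit_system_dirs() {
  bad=$(not_root_owned $SYSTEM_DIRS)
  if [ -n "$bad" ]; then
    printf 'WARNING: the following paths are no longer owned by root:\n%s\n' "$bad"
    printf 'Restore with e.g. "sudo chown root:root <path>" and check their contents.\n'
    return 1
  fi
  printf 'OK: %s are owned by root\n' "$SYSTEM_DIRS"
  return 0
}

# When executed directly (rather than sourced), run the audit.
case "$0" in
  *audit*|*sh) audit_system_dirs ;;
esac
```

The longer-term fix the thread points at is to stop running npm as root at all: a user-writable global prefix (`npm config set prefix "$HOME/.npm-global"` followed by adding `$HOME/.npm-global/bin` to PATH) lets `npm install -g` work without sudo, so a buggy release can at most damage files you already own.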

