
ATTENTION, Public Service Announcement: Do not upgrade your npm. Do not upgrade to 5.7.0, released yesterday.

It changes file permissions of /etc, /boot, /user, … when run with sudo. Avoid, duck, cover, whimper.

github.com/npm/npm/issues/1988

5.7.0 is still in the next channel, but it seems a lot of people have upgraded to it accidentally, so just take care.
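The post names the affected directories but not how to tell whether a machine that ran the release with sudo was hit. Added here as an example (not npm's code and not from anyone in the thread): a POSIX shell check that walks the directories named above and flags anything not owned by the expected user or writable by everyone; that this is what the damage looks like is an assumption, since the post only says "changes file permissions".

```shell
#!/bin/sh
# Added example (not npm's code, not from the thread). Walks each given path
# and reports entries that are either not owned by OWNER or writable by
# everyone (sticky directories excluded). Returns 1 if anything was flagged.
# The "not owned by root / world-writable" pattern is an assumption about
# what "changed file permissions" looks like on an affected system.
check_system_ownership() {
  owner="$1"
  shift
  found=0
  for top in "$@"; do
    if [ ! -e "$top" ]; then
      echo "skip: $top does not exist" >&2
      continue
    fi
    # -xdev: stay on the filesystem the path lives on
    # ! -user OWNER: ownership differs from what we expect
    # -perm -002 ! -perm -1000: world-writable and not a sticky directory
    suspects=$(find "$top" -xdev \
        \( ! -user "$owner" -o \( -perm -002 ! -perm -1000 \) \) \
        -print 2>/dev/null || true)
    if [ -n "$suspects" ]; then
      printf '%s\n' "$suspects" | sed 's/^/suspect: /'
      found=1
    fi
  done
  return "$found"
}

# Typical invocation on a system that may have run the bad release with sudo
# (run as root so that find can read everything under these trees):
#   check_system_ownership root /etc /boot /usr
```

A non-empty "suspect:" list only means something differs from the expected baseline; compare it against your package manager's file ownership records before changing anything back.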

@rixx I installed npm yesterday for the first time. 😨

@rixx I find it disturbing that npm does not use the proper semver for pre-releases. "5.7.0" for me means "minor release", regardless of a tag in the delivery mechanism.

@rixx Whoa, that's a big one. I remember npm messing up things before, but this one is really tragic.

@rixx this is something I was waiting to happen since devs migrated off Linuxes and their system-wide user-respecting package managers and adopted the practice of running random shit from Internet with sudo.

@rixx Wow. I'm seeing so much misinformation about this -- was this a prerelease marked as a release, or are all the victims running prerelease code in prod environments?

@mdm I did post the information that this was a pre-release. A warning is still warranted, imo. People usually don't keep track of the various versioning systems projects employ, since most projects have gravitated towards semver.

@rixx The Mastodon production guide wants you to install Nodejs 6.13.0 (and npm 3.10.10). So nothing to worry about when using nodejs/npm only for Mastodon.

@rixx So do they do all their testing on Windows these days?

chaos.social