A new version of NPM causes file permissions to be broken under certain circumstances, breaking other applications in the process.

A combination of bugs and communication failures from NPM developers has resulted in an outbreak of headaches for system administrators. In version 5.7.0, running sudo npm will result in file permissions being reset across the filesystem, breaking the operation of NPM and practically anything else that requires file permissions to work. (The same behavior does not occur when run directly as root.)

This is not where the problems start or end, however. This bug—#19883—points to this commit, “which is traversing and running chown on the wrong, often critical, filesystem files and folders.” This bug was introduced in the 5.7.0 release, which, based on this blog post, seems to be a normal release. If you run npm update, it will install 5.7.0. There’s no indication at all—not in the version string, not in the release announcement—that this is a pre-release version of NPM.

But it is. As it happens, a separate bug—#19888—causes pre-release versions to be installed when npm update is run. While the permissions bug has been patched in 5.7.1, which you could update to by running npm update, this release also incorrectly lacks tags indicating it is not ready for production. In order to return to a safe version of npm, you should run npm install -g npm.
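A triage sketch for the situation described above, added here as an example and not taken from NPM or from the bug reports: it flags the two versions named in this article and counts paths under a directory tree whose owner is not the expected uid. The function names, the `--audit` switch, and the choice of `/etc`, `/usr` and `/boot` as trees expected to be owned by uid 0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage after running "sudo npm" with an affected release.

# Return 0 if the version is one this article flags:
# 5.7.0 (chown bug) or 5.7.1 (patched, but still an untagged pre-release).
npm_version_flagged() {
    case "$1" in
        5.7.0|5.7.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every path under ROOT whose owner is not EXPECTED_UID.
# -xdev keeps find on one filesystem (no /proc, no other mounts).
list_ownership_drift() {
    root=$1
    expected_uid=$2
    find "$root" -xdev ! -user "$expected_uid" -print 2>/dev/null
}

# Same check, reduced to a count for quick reporting.
count_ownership_drift() {
    list_ownership_drift "$1" "$2" | wc -l | tr -d ' '
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then
    v=$(npm --version 2>/dev/null || echo unknown)
    if npm_version_flagged "$v"; then
        echo "npm $v is flagged; the article's fix is: npm install -g npm"
    else
        echo "npm $v is not one of the flagged versions"
    fi
    # Assumed sample of trees that are normally owned by uid 0.
    for d in /etc /usr /boot; do
        if [ -d "$d" ]; then
            n=$(count_ownership_drift "$d" 0)
            echo "$d: $n paths not owned by uid 0"
        fi
    done
fi
```

A non-zero count is a prompt to review the listed paths against a known-good host or package database, since some files in these trees legitimately belong to service accounts.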

Sherov, listed as the 19th most active contributor to NPM on GitHub, does shed light on an important issue. There’s no reason for two people to carry the bulk of the weight of development on their shoulders. Alas, despite using GitHub, development is limited mostly to two people—the last time a pull request from an outsider was merged was in November. Community participation could have mitigated this issue, as this pull request noting issues with NPM’s interaction with sudo in July pointed out.

Ultimately, at the root of the issue (pardon the pun) is why NPM requires sudo to begin with. This is not substantively different from opening up permissions in order to get things to just work, without a concern for security. There are ways around needing to use sudo, however.

NPM has a checkered past in terms of project leadership. In 2016, the messaging service Kik requested that developer Azer Koçulu, who had an unrelated package with the same name, change the name of his package. After Koçulu declined, lawyers representing Kik contacted NPM CEO Isaac Schlueter, who assigned ownership of the package to Kik. Koçulu unpublished all of his modules from NPM, among them the “left-pad” module, which had been downloaded 575,000 times in the week prior to the incident, according to ZDNet.