A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot.
Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. —the buggy npm update.
Users who installed this update —mostly developers and software engineers— will likely have to reinstall their system from scratch or restore from a previous system image.
The bug was first reported a week ago but was left without an answer from npm developers. Users filed a new bug report after last night’s release, and the npm team has released npm v5.7.1, a version that removes the buggy code.
FreeBSD users have also reported being impacted by the bug. Mac and Windows users didn’t experience any issues. The problem did not affect every Linux user.
Running the npm update commands as root doesn’t result in npm trying to reassign root ownership to all files, so the issue appears to affect only npm update operations prefixed by a sudo command.
Npm is the de-facto package manager for all small, medium, and large-scale JavaScript project. Npm is packed with Node.js, and is also the largest package manager on the Internet, hosting libraries and plugins for Node.js, Ember, jQuery, Bootstrap, React, Angular, and many other JavaScript frameworks. You won’t find a JavaScript developer that doesn’t use nowadays.
Source: https://www.bleepingcomputer.com/news/linux/botched-npm-update-crashes-linux-systems-forces-users-to-reinstall/
Submitted by: Arnfried Walbrecht
Comments are closed.