I've started making a habit of regularly checking npm audit on most of my projects, and if I find one of my dependencies has a vulnerability I either try to patch it for them (via pull request) or report the issue (via GitHub issue)
However I recently installed a package and noticed some really quirky behavior:
$ > npm install --save fingerprintjs2
+ fingerprintjs2#1.8.0
added 564 packages from 744 contributors and audited 4667 packages in 6.341s
found 9 vulnerabilities (2 low, 5 moderate, 2 high)
run `npm audit fix` to fix them, or `npm audit` for details
$ > npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > libcipm > npm-lifecycle > node-gyp > │
│ │ request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > node-gyp > request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-lifecycle > node-gyp > request > │
│ │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-registry-client > request > │
│ │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-profile > make-fetch-happen > │
│ │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/607 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-profile > make-fetch-happen > │
│ │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/593 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > cli-table2 > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-audit-report > cli-table2 > │
│ │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 9 vulnerabilities (2 low, 5 moderate, 2 high) in 4667 scanned packages
9 vulnerabilities require manual review. See the full report for details.
At first glance it looks like fingerprintjs2 may have many poor dependencies, but looking closer at the specific dependencies -- all of the vulnerabilities are reported to be within npm itself!. Worse yet, they all seem to be basically the same 3 dependencies
stringstream
fingerprintjs2 > npm > libcipm > npm-lifecycle > node-gyp > request > stringstream
fingerprintjs2 > npm > node-gyp > request > stringstream
fingerprintjs2 > npm > npm-lifecycle > node-gyp > request > stringstream
fingerprintjs2 > npm > npm-registry-client > request > stringstream
fingerprintjs2 > npm > request > stringstream
http-proxy-agent
fingerprintjs2 > npm > npm-profile > make-fetch-happen > http-proxy-agent
fingerprintjs2 > npm > npm-profile > make-fetch-happen > https-proxy-agent
lodash
fingerprintjs2 > npm > cli-table2 > lodash
fingerprintjs2 > npm > npm-audit-report > cli-table2 > lodash
I didn't get this strange behavior from any of my other packages (I've installed vue, vuex, vue-router, jquery, bootstrap, fontawesome, sha1, express, gulp,.... just tons of stuff -- but I've never seen this) so I knew that it had to somehow be related to FIngerprintJS
Looking at their package.json file for a lead, they actually have no dependencies, and only a handful of devDependencies (all build tools):
{
"name": "fingerprintjs2",
"version": "1.8.0",
"description": "Modern & flexible browser fingerprinting library",
"repository": {
"type": "git",
"url": "https://github.com/Valve/fingerprintjs2.git"
},
"keywords": [
"browser",
"identification",
"fingerprint",
"fingerprinting",
"privacy"
],
"author": "Valentin Vasilyev",
"license": "MIT",
"bugs": {
"url": "https://github.com/Valve/fingerprintjs2/issues"
},
"homepage": "https://github.com/Valve/fingerprintjs2",
"main": "dist/fingerprint2.min.js",
"devDependencies": {
"gulp": "^3.9.1",
"gulp-rename": "^1.2.2",
"gulp-standard": "^10.1.1",
"gulp-uglify": "^3.0.0",
"standard": "^10.0.3"
},
"scripts": {
"test": "specs/phantomjs.runner.sh specs/spec_runner.html",
"gulp": "gulp",
"lint": "standard --fix"
},
"standard": {
"ignore": [
"specs/lib",
"specs/phantomjs-testrunner.js"
]
}
}
What is going on here?
I've tried upgrading NodeJS (now on version v10.4.0) and NPM (now on version 6.1.0) but it didn't help.
The only clue I have is the following:
$ > npm ls npm
test-audit#1.0.0 /home/sbarnett/src/test-audit
└─┬ fingerprintjs2#1.8.0
└── npm#5.10.0
For some reason FingerprintJS seems to require NPM version 5.10.0 even though I have 6.1.0 installed. I have no idea why it would require this version, though, as there's no mention in the package.json file
Update
Whatever the cause was of this strange bug, it's no longer happening when I start a new project and install fingerprintjs2 - so I believe one of the dependencies of fingerprintjs2 was updated and corrected the issue
Get into a new directly, after typing those three commands:
npm install underscore
npm install lodash
npm install express
I get a node_modules directory with many packages:
$ ls node_modules
accepts cookie-signature encodeurl forwarded lodash mime-db parseurl send underscore
array-flatten debug escape-html fresh media-typer mime-types path-to-regexp serve-static unpipe
content-disposition depd etag http-errors merge-descriptors ms proxy-addr setprototypeof utils-merge
content-type destroy express inherits methods negotiator qs statuses vary
cookie ee-first finalhandler ipaddr.js mime on-finished range-parser type-is
While using npm list, I can get a tree strcture:
$ npm list
/tmp/play/npm
├─┬ express#4.14.0
│ ├─┬ accepts#1.3.3
│ │ ├─┬ mime-types#2.1.13
│ │ │ └── mime-db#1.25.0
│ │ └── negotiator#0.6.1
│ ├── array-flatten#1.1.1
│ ├── content-disposition#0.5.1
│ ├── content-type#1.0.2
│ ├── cookie#0.3.1
│ ├── cookie-signature#1.0.6
│ ├─┬ debug#2.2.0
│ │ └── ms#0.7.1
│ ├── depd#1.1.0
│ ├── encodeurl#1.0.1
│ ├── escape-html#1.0.3
│ ├── etag#1.7.0
│ ├─┬ finalhandler#0.5.0
│ │ ├── statuses#1.3.1
│ │ └── unpipe#1.0.0
│ ├── fresh#0.3.0
│ ├── merge-descriptors#1.0.1
│ ├── methods#1.1.2
│ ├─┬ on-finished#2.3.0
│ │ └── ee-first#1.1.1
│ ├── parseurl#1.3.1
│ ├── path-to-regexp#0.1.7
│ ├─┬ proxy-addr#1.1.2
│ │ ├── forwarded#0.1.0
│ │ └── ipaddr.js#1.1.1
│ ├── qs#6.2.0
│ ├── range-parser#1.2.0
│ ├─┬ send#0.14.1
│ │ ├── destroy#1.0.4
│ │ ├─┬ http-errors#1.5.1
│ │ │ ├── inherits#2.0.3
│ │ │ └── setprototypeof#1.0.2
│ │ └── mime#1.3.4
│ ├── serve-static#1.11.1
│ ├─┬ type-is#1.6.14
│ │ └── media-typer#0.3.0
│ ├── utils-merge#1.0.0
│ └── vary#1.1.0
├── lodash#4.17.2
└── underscore#1.8.3
My question is: from all those dependencies, how does npm list know which ones are my direct dependencies such as undersocre, lodash and express?
note: I don't have a package.json file.
It builds the list on the basis of the dependencies of the modules. The dependencies of the modules are specified in the package.json of each module in the dependencies field. When you install a module npm adds some additional fields to the module's package.json and one of those is the field _requiredBy to store the dependency link in the other direction as well. If you run the npm list command it goes through all the modules and reads the _requiredBy field in package.json of each module.
If you install a module directly without saving it to your package.json, npm adds #USER to the _requiredBy field to signify that you manually installed it and it is not just a dependency of the other modules. Then npm list shows that module in the root of the tree as well.
You can use this command:
npm list --depth=0 2>/dev/null
npm list command will print to stdout all the versions of packages that are installed, as well as their dependencies, in a tree-structure.
So you have only installed three packages
npm install underscore
npm install lodash
npm install express
All other packages are dependency for express package
I'm trying to install Grunt on a local project, when running
npm install grunt-contrib-watch
results in:
sass-test username$ npm install grunt-contrib-watch --save-dev
sass-test#1.0.0 /Users/username/Documents/WEB-DEV/sass-test
└─┬ grunt-contrib-watch#1.0.0
├── async#1.5.2
├─┬ gaze#1.0.0
│ └─┬ globule#0.2.0
│ ├─┬ glob#3.2.11
│ │ ├── inherits#2.0.1
│ │ └── minimatch#0.3.0
│ ├── lodash#2.4.2
│ └─┬ minimatch#0.2.14
│ ├── lru-cache#2.7.3
│ └── sigmund#1.0.1
├── lodash#3.10.1
└─┬ tiny-lr#0.2.1
├─┬ body-parser#1.14.2
│ ├── bytes#2.2.0
│ ├── content-type#1.0.2
│ ├── depd#1.1.0
│ ├─┬ http-errors#1.3.1
│ │ └── statuses#1.3.0
│ ├── iconv-lite#0.4.13
│ ├─┬ on-finished#2.3.0
│ │ └── ee-first#1.1.1
│ ├── qs#5.2.0
│ ├─┬ raw-body#2.1.6
│ │ ├── bytes#2.3.0
│ │ └── unpipe#1.0.0
│ └─┬ type-is#1.6.13
│ ├── media-typer#0.3.0
│ └─┬ mime-types#2.1.11
│ └── mime-db#1.23.0
├─┬ debug#2.2.0
│ └── ms#0.7.1
├─┬ faye-websocket#0.10.0
│ └─┬ websocket-driver#0.6.5
│ └── websocket-extensions#0.1.1
├── livereload-js#2.2.2
├── parseurl#1.3.1
└── qs#5.1.0
Installing all of the above packages into the node_module folder while failing to install the grunt dependancy. If these packages are dependancies for some other installed module, is there a way to find out what this is?
I'm thinking I have perhaps edited the default packages config folder but I am not too confident with npm to know for sure.
does anyone have any advice?
The dependencies installed match exactly with what is shown on the NPM page. Grunt isn't listed as a dependency.
Remember that Grunt is a task runner. It could conceivably run any task that you could add to your gruntfile, but those tasks don't need to know about Grunt itself.
Just install Grunt separately and you'll be good to go.
T
hanks in advance for any help I can get.
I am trying to install packages like grunt, bower, and yeoman using nodejs and the NPM in my mac OSX 10.8's terminal.
I check node and NPM's versions to confirm they are installed correctly and have found that to be true.
However when I begin to run a command to install a package like bower, using the following:
npm install -g bower
I get various amounts of errors coming up. I am trying to avoid using the sudo command. I tried using sudo, but afterwards I would get a response "command not found." I have a feeling the packages may not be in the correct folders or directories but I am unclear on what to do next.
For your reference these are the errors I get:
npm ERR! Error: EACCES, unlink '/Users/myname/.node/lib/node_modules/bower/.editorconfig'
npm ERR! { [Error: EACCES, unlink '/Users/myname/.node/lib/node_modules/bower/.editorconfig']
npm ERR! errno: 3,
npm ERR! code: 'EACCES',
npm ERR! path: '/Users/myname/.node/lib/node_modules/bower/.editorconfig' }
npm ERR!
npm ERR! Please try running this command again as root/Administrator.
npm ERR! System Darwin 12.5.0
npm ERR! command "node" "/usr/local/bin/npm" "install" "-g" "bower"
npm ERR! cwd /Users/myname
npm ERR! node -v v0.10.32
npm ERR! npm -v 1.4.28
npm ERR! path /Users/myname/.node/lib/node_modules/bower/.editorconfig
npm ERR! code EACCES
npm ERR! errno 3
npm ERR! stack Error: EACCES, unlink '/Users/myname/.node/lib/node_modules/bower/.editorconfig'
npm ERR! error rolling back Error: EACCES, unlink '/Users/myname/.node/lib/node_modules/bower /.editorconfig'
npm ERR! error rolling back { [Error: EACCES, unlink '/Users/myname/.node/lib/node_modules/bower/.editorconfig']
npm ERR! error rolling back errno: 3,
npm ERR! error rolling back code: 'EACCES',
npm ERR! error rolling back path: '/Users/myname/.node/lib/node_modules/bower/.editorconfig' }
npm ERR! not ok code 0
For privacy, I replaced my own name with the proxy myname in the paths. Moreover, this problem persists when I try installing grunt, and yeoman.
Upon further inspection, I noticed I have two folders. One named 'users' and one name 'usr.' Within 'users', I see a folder called node_modules. However, within 'usr/local/lib/node_modules/npm/node_modules' I noticed there is no bower, grunt, or yeoman files. This is just speculation, but are the files not properly installing into the necessary folders for them to be run in npm?
Any help or input would be extremely appreciated!
UPDATE 10/10/14
For people's reference, I have tried the sudo command to see if it would work, and it displays the following:
/Users/myname/.node/bin/bower -> /Users/myname/.node/lib/node_modules/bower/bin/bower
bower#1.3.12 /Users/myname/.node/lib/node_modules/bower
├── is-root#1.0.0
├── junk#1.0.0
├── stringify-object#1.0.0
├── abbrev#1.0.5
├── chmodr#0.1.0
├── which#1.0.5
├── osenv#0.1.0
├── opn#1.0.0
├── archy#0.0.2
├── rimraf#2.2.8
├── graceful-fs#3.0.3
├── bower-logger#0.2.2
├── lru-cache#2.5.0
├── bower-endpoint-parser#0.2.2
├── lockfile#1.0.0
├── nopt#3.0.1
├── retry#0.6.0
├── tmp#0.0.23
├── q#1.0.1
├── semver#2.3.2
├── p-throttler#0.1.0 (q#0.9.7)
├── request-progress#0.3.0 (throttleit#0.0.2)
├── bower-json#0.4.0 (intersect#0.0.3, deep-extend#0.2.11, graceful-fs#2.0.3)
├── fstream#1.0.2 (inherits#2.0.1)
├── shell-quote#1.4.2 (array-filter#0.0.1, array-reduce#0.0.0, array-map#0.0.0, jsonify#0.0.0)
├── mkdirp#0.5.0 (minimist#0.0.8)
├── promptly#0.2.0 (read#1.0.5)
├── fstream-ignore#1.0.1 (inherits#2.0.1, minimatch#1.0.0)
├── chalk#0.5.0 (escape-string-regexp#1.0.2, ansi-styles#1.1.0, supports-color#0.2.0, strip- ansi#0.3.0, has-ansi#0.1.0)
├── bower-config#0.5.2 (osenv#0.0.3, graceful-fs#2.0.3, optimist#0.6.1)
├── glob#4.0.6 (inherits#2.0.1, minimatch#1.0.0, once#1.3.1)
├── tar-fs#0.5.2 (pump#0.3.5, tar-stream#0.4.7)
├── decompress-zip#0.0.8 (nopt#2.2.1, mkpath#0.1.0, touch#0.0.2, readable-stream#1.1.13, binary#0.3.0)
├── request#2.42.0 (caseless#0.6.0, json-stringify-safe#5.0.0, aws-sign2#0.5.0, forever-agent#0.5.2, stringstream#0.0.4, oauth-sign#0.4.0, tunnel-agent#0.4.0, node-uuid#1.4.1, qs#1.2.2, mime-types#1.0.2, bl#0.9.3, form-data#0.1.4, tough-cookie#0.12.1, http-signature#0.10.0, hawk#1.1.1)
├── mout#0.9.1
├── cardinal#0.4.0 (redeyed#0.4.4)
├── bower-registry-client#0.2.1 (graceful-fs#2.0.3, request-replay#0.2.0, lru-cache#2.3.1, async#0.2.10, mkdirp#0.3.5, request#2.27.0)
├── update-notifier#0.2.0 (semver-diff#0.1.0, string-length#0.1.2, latest-version#0.2.0, configstore#0.3.1)
├── inquirer#0.7.1 (figures#1.3.3, mute-stream#0.0.4, through#2.3.6, readline2#0.1.0, lodash#2.4.1, rx#2.3.12, cli-color#0.3.2)
├── handlebars#2.0.0 (optimist#0.3.7, uglify-js#2.3.6)
└── insight#0.4.3 (object-assign#1.0.0, async#0.9.0, chalk#0.5.1, os-name#1.0.1, lodash.debounce#2.4.1, tough-cookie#0.12.1, configstore#0.3.1, inquirer#0.6.0)
================================
However, the above is not a proper solution. When I try running a check to see if bower is installed like by typing bower -v or bower --version or any other bower command, I get "command not found." What is going on?
UPDATE 10/11/14
So nothing I have tried so far has given me the ability to run the command 'npm install -g bower.'
Out of curiosity, as I have mentioned before, I have ran the 'sudo npm install -g bower command' which appeared to install bower. However, typing any bower commands still yields 'command not found.' Upon trying sudo bower commands leads to 'command not found' as well. What I do not understand though is that when I run the command 'npm ls' to look at what the NPM has installed, I interestingly have a list of the following installed packages. You do not need to read the list as it is long, but take note of how the first item appears to be bower. If this is true, and it means that bower was in fact installed by npm, why therefore, are bower commands not working?
/Users/myname.
├─┬ bower#1.3.12
│ ├── abbrev#1.0.5
│ ├── archy#0.0.2
│ ├─┬ bower-config#0.5.2
│ │ ├── graceful-fs#2.0.3
│ │ ├─┬ optimist#0.6.1
│ │ │ ├── minimist#0.0.10
│ │ │ └── wordwrap#0.0.2
│ │ └── osenv#0.0.3
│ ├── bower-endpoint-parser#0.2.2
│ ├─┬ bower-json#0.4.0
│ │ ├── deep-extend#0.2.11
│ │ ├── graceful-fs#2.0.3
│ │ └── intersect#0.0.3
│ ├── bower-logger#0.2.2
│ ├─┬ bower-registry-client#0.2.1
│ │ ├── async#0.2.10
│ │ ├── graceful-fs#2.0.3
│ │ ├── lru-cache#2.3.1
│ │ ├── mkdirp#0.3.5
│ │ ├─┬ request#2.27.0
│ │ │ ├── aws-sign#0.3.0
│ │ │ ├── cookie-jar#0.3.0
│ │ │ ├── forever-agent#0.5.2
│ │ │ ├─┬ form-data#0.1.4
│ │ │ │ ├── async#0.9.0
│ │ │ │ └─┬ combined-stream#0.0.5
│ │ │ │ └── delayed-stream#0.0.5
│ │ │ ├─┬ hawk#1.0.0
│ │ │ │ ├── boom#0.4.2
│ │ │ │ ├── cryptiles#0.2.2
│ │ │ │ ├── hoek#0.9.1
│ │ │ │ └── sntp#0.2.4
│ │ │ ├─┬ http-signature#0.10.0
│ │ │ │ ├── asn1#0.1.11
│ │ │ │ ├── assert-plus#0.1.2
│ │ │ │ └── ctype#0.5.2
│ │ │ ├── json-stringify-safe#5.0.0
│ │ │ ├── mime#1.2.11
│ │ │ ├── node-uuid#1.4.1
│ │ │ ├── oauth-sign#0.3.0
│ │ │ ├── qs#0.6.6
│ │ │ └── tunnel-agent#0.3.0
│ │ └── request-replay#0.2.0
│ ├─┬ cardinal#0.4.0
│ │ └─┬ redeyed#0.4.4
│ │ └── esprima#1.0.4
│ ├─┬ chalk#0.5.0
│ │ ├── ansi-styles#1.1.0
│ │ ├── escape-string-regexp#1.0.2
│ │ ├─┬ has-ansi#0.1.0
│ │ │ └── ansi-regex#0.2.1
│ │ ├─┬ strip-ansi#0.3.0
│ │ │ └── ansi-regex#0.2.1
│ │ └── supports-color#0.2.0
│ ├── chmodr#0.1.0
│ ├─┬ decompress-zip#0.0.8
│ │ ├─┬ binary#0.3.0
│ │ │ ├── buffers#0.1.1
│ │ │ └─┬ chainsaw#0.1.0
│ │ │ └── traverse#0.3.9
│ │ ├── mkpath#0.1.0
│ │ ├── nopt#2.2.1
│ │ ├─┬ readable-stream#1.1.13
│ │ │ ├── core-util-is#1.0.1
│ │ │ ├── inherits#2.0.1
│ │ │ ├── isarray#0.0.1
│ │ │ └── string_decoder#0.10.31
│ │ └─┬ touch#0.0.2
│ │ └── nopt#1.0.10
│ ├─┬ fstream#1.0.2
│ │ └── inherits#2.0.1
│ ├─┬ fstream-ignore#1.0.1
│ │ ├── inherits#2.0.1
│ │ └─┬ minimatch#1.0.0
│ │ └── sigmund#1.0.0
│ ├─┬ glob#4.0.6
│ │ ├── inherits#2.0.1
│ │ ├─┬ minimatch#1.0.0
│ │ │ └── sigmund#1.0.0
│ │ └─┬ once#1.3.1
│ │ └── wrappy#1.0.1
│ ├── graceful-fs#3.0.3
│ ├─┬ handlebars#2.0.0
│ │ ├─┬ optimist#0.3.7
│ │ │ └── wordwrap#0.0.2
│ │ └─┬ uglify-js#2.3.6
│ │ ├── async#0.2.10
│ │ └─┬ source-map#0.1.40
│ │ └── amdefine#0.1.0
│ ├─┬ inquirer#0.7.1
│ │ ├─┬ cli-color#0.3.2
│ │ │ ├── d#0.1.1
│ │ │ ├─┬ es5-ext#0.10.4
│ │ │ │ ├── es6-iterator#0.1.1
│ │ │ │ └── es6-symbol#0.1.1
│ │ │ ├─┬ memoizee#0.3.8
│ │ │ │ ├─┬ es6-weak-map#0.1.2
│ │ │ │ │ ├── es6-iterator#0.1.1
│ │ │ │ │ └── es6-symbol#0.1.1
│ │ │ │ ├── event-emitter#0.3.1
│ │ │ │ ├── lru-queue#0.1.0
│ │ │ │ └── next-tick#0.2.2
│ │ │ └─┬ timers-ext#0.1.0
│ │ │ └── next-tick#0.2.2
│ │ ├── figures#1.3.3
│ │ ├── lodash#2.4.1
│ │ ├── mute-stream#0.0.4
│ │ ├─┬ readline2#0.1.0
│ │ │ └─┬ chalk#0.4.0
│ │ │ ├── ansi-styles#1.0.0
│ │ │ ├── has-color#0.1.7
│ │ │ └── strip-ansi#0.1.1
│ │ ├── rx#2.3.12
│ │ └── through#2.3.6
│ ├─┬ insight#0.4.3
│ │ ├── async#0.9.0
│ │ ├─┬ chalk#0.5.1
│ │ │ ├── ansi-styles#1.1.0
│ │ │ ├── escape-string-regexp#1.0.2
│ │ │ ├─┬ has-ansi#0.1.0
│ │ │ │ └── ansi-regex#0.2.1
│ │ │ ├─┬ strip-ansi#0.3.0
│ │ │ │ └── ansi-regex#0.2.1
│ │ │ └── supports-color#0.2.0
│ │ ├─┬ configstore#0.3.1
│ │ │ ├─┬ js-yaml#3.0.2
│ │ │ │ ├─┬ argparse#0.1.15
│ │ │ │ │ ├── underscore#1.4.4
│ │ │ │ │ └── underscore.string#2.3.3
│ │ │ │ └── esprima#1.0.4
│ │ │ ├── object-assign#0.3.1
│ │ │ └── uuid#1.4.2
│ │ ├─┬ inquirer#0.6.0
│ │ │ ├─┬ cli-color#0.3.2
│ │ │ │ ├── d#0.1.1
│ │ │ │ ├─┬ es5-ext#0.10.4
│ │ │ │ │ ├── es6-iterator#0.1.1
│ │ │ │ │ └── es6-symbol#0.1.1
│ │ │ │ ├─┬ memoizee#0.3.8
│ │ │ │ │ ├─┬ es6-weak-map#0.1.2
│ │ │ │ │ │ ├── es6-iterator#0.1.1
│ │ │ │ │ │ └── es6-symbol#0.1.1
│ │ │ │ │ ├── event-emitter#0.3.1
│ │ │ │ │ ├── lru-queue#0.1.0
│ │ │ │ │ └── next-tick#0.2.2
│ │ │ │ └─┬ timers-ext#0.1.0
│ │ │ │ └── next-tick#0.2.2
│ │ │ ├── lodash#2.4.1
│ │ │ ├── mute-stream#0.0.4
│ │ │ ├─┬ readline2#0.1.0
│ │ │ │ └─┬ chalk#0.4.0
│ │ │ │ ├── ansi-styles#1.0.0
│ │ │ │ ├── has-color#0.1.7
│ │ │ │ └── strip-ansi#0.1.1
│ │ │ ├── rx#2.3.12
│ │ │ └── through#2.3.6
│ │ ├─┬ lodash.debounce#2.4.1
│ │ │ ├── lodash.isfunction#2.4.1
│ │ │ ├─┬ lodash.isobject#2.4.1
│ │ │ │ └── lodash._objecttypes#2.4.1
│ │ │ └─┬ lodash.now#2.4.1
│ │ │ └── lodash._isnative#2.4.1
│ │ ├── object-assign#1.0.0
│ │ ├─┬ os-name#1.0.1
│ │ │ ├── minimist#1.1.0
│ │ │ └── osx-release#1.0.0
│ │ └─┬ tough-cookie#0.12.1
│ │ └── punycode#1.3.1
│ ├── is-root#1.0.0
│ ├── junk#1.0.0
│ ├── lockfile#1.0.0
│ ├── lru-cache#2.5.0
│ ├─┬ mkdirp#0.5.0
│ │ └── minimist#0.0.8
│ ├── mout#0.9.1
│ ├── nopt#3.0.1
│ ├── opn#1.0.0
│ ├── osenv#0.1.0
│ ├─┬ p-throttler#0.1.0
│ │ └── q#0.9.7
│ ├─┬ promptly#0.2.0
│ │ └─┬ read#1.0.5
│ │ └── mute-stream#0.0.4
│ ├── q#1.0.1
│ ├─┬ request#2.42.0
│ │ ├── aws-sign2#0.5.0
│ │ ├─┬ bl#0.9.3
│ │ │ └─┬ readable-stream#1.0.33-1
│ │ │ ├── core-util-is#1.0.1
│ │ │ ├── inherits#2.0.1
│ │ │ ├── isarray#0.0.1
│ │ │ └── string_decoder#0.10.31
│ │ ├── caseless#0.6.0
│ │ ├── forever-agent#0.5.2
│ │ ├─┬ form-data#0.1.4
│ │ │ ├── async#0.9.0
│ │ │ ├─┬ combined-stream#0.0.5
│ │ │ │ └── delayed-stream#0.0.5
│ │ │ └── mime#1.2.11
│ │ ├─┬ hawk#1.1.1
│ │ │ ├── boom#0.4.2
│ │ │ ├── cryptiles#0.2.2
│ │ │ ├── hoek#0.9.1
│ │ │ └── sntp#0.2.4
│ │ ├─┬ http-signature#0.10.0
│ │ │ ├── asn1#0.1.11
│ │ │ ├── assert-plus#0.1.2
│ │ │ └── ctype#0.5.2
│ │ ├── json-stringify-safe#5.0.0
│ │ ├── mime-types#1.0.2
│ │ ├── node-uuid#1.4.1
│ │ ├── oauth-sign#0.4.0
│ │ ├── qs#1.2.2
│ │ ├── stringstream#0.0.4
│ │ ├─┬ tough-cookie#0.12.1
│ │ │ └── punycode#1.3.1
│ │ └── tunnel-agent#0.4.0
│ ├─┬ request-progress#0.3.0
│ │ └── throttleit#0.0.2
│ ├── retry#0.6.0
│ ├── rimraf#2.2.8
│ ├── semver#2.3.2
│ ├─┬ shell-quote#1.4.2
│ │ ├── array-filter#0.0.1
│ │ ├── array-map#0.0.0
│ │ ├── array-reduce#0.0.0
│ │ └── jsonify#0.0.0
│ ├── stringify-object#1.0.0
│ ├─┬ tar-fs#0.5.2
│ │ ├─┬ pump#0.3.5
│ │ │ ├─┬ end-of-stream#1.0.0
│ │ │ │ └─┬ once#1.3.1
│ │ │ │ └── wrappy#1.0.1
│ │ │ └── once#1.2.0
│ │ └─┬ tar-stream#0.4.7
│ │ ├── bl#0.9.3
│ │ ├─┬ end-of-stream#1.1.0
│ │ │ └─┬ once#1.3.1
│ │ │ └── wrappy#1.0.1
│ │ ├─┬ readable-stream#1.0.33-1
│ │ │ ├── core-util-is#1.0.1
│ │ │ ├── inherits#2.0.1
│ │ │ ├── isarray#0.0.1
│ │ │ └── string_decoder#0.10.31
│ │ └── xtend#4.0.0
│ ├── tmp#0.0.23
│ ├─┬ update-notifier#0.2.0
│ │ ├─┬ configstore#0.3.1
│ │ │ ├─┬ js-yaml#3.0.2
│ │ │ │ ├─┬ argparse#0.1.15
│ │ │ │ │ ├── underscore#1.4.4
│ │ │ │ │ └── underscore.string#2.3.3
│ │ │ │ └── esprima#1.0.4
│ │ │ ├── object-assign#0.3.1
│ │ │ └── uuid#1.4.2
│ │ ├─┬ latest-version#0.2.0
│ │ │ └─┬ package-json#0.2.0
│ │ │ ├─┬ got#0.3.0
│ │ │ │ └── object-assign#0.3.1
│ │ │ └─┬ registry-url#0.1.1
│ │ │ └─┬ npmconf#2.1.1
│ │ │ ├─┬ config-chain#1.1.8
│ │ │ │ └── proto-list#1.2.3
│ │ │ ├── inherits#2.0.1
│ │ │ ├── ini#1.3.0
│ │ │ ├─┬ once#1.3.1
│ │ │ │ └── wrappy#1.0.1
│ │ │ └── uid-number#0.0.5
│ │ ├── semver-diff#0.1.0
│ │ └─┬ string-length#0.1.2
│ │ └─┬ strip-ansi#0.2.2
│ │ └── ansi-regex#0.1.0
│ └── which#1.0.5
├─┬ easyimage#1.0.3
│ └── q#1.0.1
├─┬ grunt#0.4.5
│ ├── async#0.1.22
│ ├── coffee-script#1.3.3
│ ├── colors#0.6.2
│ ├── dateformat#1.0.2-1.2.3
│ ├── eventemitter2#0.4.14
│ ├── exit#0.1.2
│ ├─┬ findup-sync#0.1.3
│ │ ├─┬ glob#3.2.11
│ │ │ ├── inherits#2.0.1
│ │ │ └─┬ minimatch#0.3.0
│ │ │ ├── lru-cache#2.5.0
│ │ │ └── sigmund#1.0.0
│ │ └── lodash#2.4.1
│ ├── getobject#0.1.0
│ ├─┬ glob#3.1.21
│ │ ├── graceful-fs#1.2.3
│ │ └── inherits#1.0.0
│ ├─┬ grunt-legacy-log#0.1.1
│ │ ├── lodash#2.4.1
│ │ └── underscore.string#2.3.3
│ ├── grunt-legacy-util#0.2.0
│ ├── hooker#0.2.3
│ ├── iconv-lite#0.2.11
│ ├─┬ js-yaml#2.0.5
│ │ ├─┬ argparse#0.1.15
│ │ │ ├── underscore#1.4.4
│ │ │ └── underscore.string#2.3.3
│ │ └── esprima#1.0.4
│ ├── lodash#0.9.2
│ ├─┬ minimatch#0.2.14
│ │ ├── lru-cache#2.5.0
│ │ └── sigmund#1.0.0
│ ├─┬ nopt#1.0.10
│ │ └── abbrev#1.0.5
│ ├── rimraf#2.2.8
│ ├── underscore.string#2.2.1
│ └── which#1.0.5
└─┬ grunt-bower-install#1.6.0
├─┬ bower-config#0.5.2
│ ├── graceful-fs#2.0.3
│ ├── mout#0.9.1
│ ├─┬ optimist#0.6.1
│ │ ├── minimist#0.0.10
│ │ └── wordwrap#0.0.2
│ └── osenv#0.0.3
└─┬ wiredep#1.5.0
├─┬ chalk#0.1.1
│ ├── ansi-styles#0.1.2
│ └── has-color#0.1.7
├─┬ glob#3.2.11
│ ├── inherits#2.0.1
│ └─┬ minimatch#0.3.0
│ ├── lru-cache#2.5.0
│ └── sigmund#1.0.0
├── lodash#1.3.1
└─┬ through2#0.4.2
├─┬ readable-stream#1.0.33-1
│ ├── core-util-is#1.0.1
│ ├── inherits#2.0.1
│ ├── isarray#0.0.1
│ └── string_decoder#0.10.31
└─┬ xtend#2.1.2
└── object-keys#0.4.0
This solved the problem for me:
sudo chown -R `whoami` ~/.node/lib/node_modules/bower/
npm install -g bower
bower -v
1.3.12
You shouldn't have to run npm install as sudo.
This worked for me:
I basically gave my user permissions to the directory mentioned right after this -> stack Error: EACCES, unlink..., in your case it would be something like sudo chown -R USERNAME /Users/myname/.
For people who are new to this, don't forget to change USERNAME in the command above with your own, if you don't know your username, simply run whoami to get it.
After that you can install any package without the need to use sudo, npm install -g SomePackage.
Run the global (-g) installs as admin.
> sudo npm install -g bower
You got this error -
npm ERR! Please try running this command again as root/Administrator.
***** UPDATE BELOW *****
Check if it is installed and get the version
> bower -v
You might not be able to see bower now because it installed as admin. Try getting the version number by running
> sudo bower -v
You should see the version number now.
Take ownership of the package with chown
> cd /Users/<username>/.npm
> chown <username> bower*
I personally take ownership of everything in the /Users/ directory. It is your directory and not global.
> chown <username> *
***** UPDATE 2 BELOW *****
It looks like it's a PATH problem now. Do you see the npm directory in the PATH when you type
> echo $PATH
I use MacPorts so npm and node install in the /opt/local/bin and /opt/local/sbin directories. I did a quick check on the net and it looks like you need to have the following /usr/local/bin if you installed the package from the node site.
Check out this article about installing node (particularly the part about the PATH.
That link also references this article on how to modify your PATH.
Hope that helps.
I was having similar issues when trying to install bower through NPM.
I am not an expert on this but was sure it was connected to $PATH and found 2 articles which in combination fixed this for me perfectly.
The first is this gist by Dan Haerbert: https://gist.github.com/DanHerbert/9520689
Dan says
"If you're a Mac Homebrew user and you installed node via Homebrew,
there is a major philosophical issue with the way Homebrew and NPM
work together. If you install node with Homebrew and then try to do
npm update npm -g, you will see an error like this:"
The error he shows is very similar to your original error.
His solution is to re-install node but to make sure that NPM is not installed via homebrew since, as he says:
npm is its own package manager and it is therefore
better to have npm manage itself and its packages instead of letting
Homebrew do it. Also, using the Homebrew version of npm requires sudo
to install global packages. That's also a very bad idea.
He says to uninstall node and then re-install it with the following commands:
brew install node --without-npm
echo prefix=~/.node >> ~/.npmrc
curl -L https://www.npmjs.org/install.sh | sh
And then to finish up with
export PATH="$HOME/.node/bin:$PATH"
This worked for me and fixed all my issues. I was able to run 'npm install -g bower' without getting the error message.
Finally, before I did the steps above, I wanted to make sure that I had fully uninstalled node & npm. To do that, I followed the following steps from stackoverflow question 11177954, specifically from the answer by Dominic Tancredi, who says:
To recap, the best way (I've found) to completely uninstall node + npm
is to do the following:
go to /usr/local/lib and delete any node and node_modules
go to /usr/local/include and delete any node and node_modules directory
if you installed with brew install node, then run brew uninstall node in
your terminal
check your Home directory for any local or lib or include folders, and delete any node or node_modules from there
go to /usr/local/bin and delete any node executable You may need to do the
additional instructions as well:
sudo rm /usr/local/bin/npm
sudo rm /usr/local/share/man/man1/node.1
sudo rm /usr/local/lib/dtrace/node.d
sudo rm -rf ~/.npm
sudo rm -rf ~/.node-gyp
sudo rm /opt/local/bin/node
sudo rm /opt/local/include/node
sudo rm -rf /opt/local/lib/node_modules
I hope that is of help to someone :-)
I had a similar issue with my mac. I did the followings to solve the problem.
open 'Disk Utility' application
select your hard drive.
run verify disk permissions
run repair disk permissions
you need to chmod and change the file permission for all the files inside /Users//.config/configstore/
should work fine after that. Mac users may have to switch to root using su which they have to enable from system preferences before running chmod command.