Run npm as superuser, it isn't a good idea? - node.js

I'm getting errors with npm while trying to install/update packages without SU permissions on Linux.
The easy way to solve the problem is execute sudo npm install <package>, but I'm not sure if it is a good idea.
Best way is to become the owner of .npm folder, as I found into StackOverflow's questions and blog posts.
My question is: why run npm as SU it isn't a good idea?

Running npm as a super user has a risk of running some untrusted code as a super user which can potentially mess with your entire system. Running npm as an unprivileged user has a risk of running that code with less privileges and it won't be able to mess with the entire system - just with your own files (which can be equally bad, depending on how you look at it).
What I often do and recommend is to install Node in your home directory instead of globally on the system if it's your own computer. That way you don't have to run with sudo or su for npm or even for make install of Node itself.
I run a lot of versions of Node that I compile from sources sometimes with different switches and the convention that I use is to install Node in versioned directories, either globally in /opt (but then you need sudo) or locally in my home directory in ~/opt.
I do it like this:
wget https://nodejs.org/dist/v7.1.0/node-v7.1.0.tar.gz
tar xzvf node-v7.1.0.tar.gz
cd node-v7.1.0
./configure --prefix=$HOME/opt/node-v7.1.0
make && make test && make install
Then I create a symlink ~/opt/node pointing to ~/opt/node-v7.1.0 and I have:
PATH="$HOME/opt/node/bin:$PATH"
in my .profile or .bashrc.
That way I don't have to run as super user for installing Node or for running npm.
As a bonus I can quickly switch my default Node version just by changing the symlink, and at any time I can run any other version if I change the PATH or run Node with a full path like ~/opt/node-v7.0.0/bin/node.
I explained that installation process in more detail in my other answers:
node 5.5.0 already installed but node -v fetches with “v4.2.1” on OS X & homebrew?
NodeJS API with external deps in other language
I don't want to go into too much detail here since this answer is about why running npm as a superuser is not a good idea - this installation process is just one solution to not have to run npm as a superuser.
Other options of setting your npm permissions to avoid running as a superuser are described in Fixing npm permissions in npm docs (thanks to RyanZim for pointing it out in the comments).

Related

Command is not found when ran with sudo

I am trying to change the version of nodejs using cmd n installed globally by yarn. Neither yarn is detected by sudo nor n.
Please help me to fix this:
When running the n command to change node version, it shows permission is denied by many files to be written by n
Two approaches to avoid permission issues without requiring use of sudo when running n:
install and run Node.js from your home folder using N_PREFIX and PATH (see also n-install which automates this)
if it is your personal computer, take ownership of the folders used with default install location of /usr/local
See the project README for more: https://github.com/tj/n
(Disclaimer: I am the maintainer of n.)

node user directory leading to command not found

I suipidly ran this script to stop having to use sudo on npm -g commands and now my node_modules are located at:
/Users/myusername/.npm-packages/lib/node_modules
when trying to run a commands i.e yo bower i get -bash: bower: command not found
Do I need to link this directory to the usr/bin?
In trying to sort this out I have run lots of commands and created symbolic links, I feel like my system is a real mess and I cannot really see what is going on? Help to ensure my system is clean would be really helpful.
Generally, it's a good idea to ensure that you do not need admin rights to run npm commands. The problem you're having, is that the directory where npm now installs its commmands (/Users/myusername/.npm-packges/bin) is not in your PATH. Your PATH is a list of directories where your shell searches for the commands you type.
You can add the directory to your path by adding the following line to the .bashrc file in your home directory (create it if it doesn't exist).
export PATH="${PATH}:/Users/myusername/.npm-packages/bin"
Open a new terminal, and bower should work again.
As an additional tip, I believe you're running on OS X? When installing Node.js using Homebrew, it is automatically installed in a proper way (no sudo needed to install packages globally and they will just work). Next time you're installing Node.js (or something else), Homebrew might be worth a try.

NPM throws errors at traceur install on OS X

https://github.com/tejas-manohar/itnerary-civic-hacking -- I cloned this git repo down locally. Installed grunt-cli globally, and ran npm run nss (script written by author of original server template -- look in package.json, not complex) and faced numerous errors at the traceur install + git cloning. I've included the trail from terminal window in the pastebin linked below. The npm debug/error log mentioned is not present at the suggested location. npm install alone does not help the situation and returns nothing back. NodeJS v0.10.29 is installed via Node Version Manager (NVM) on OS X 10.9.3.
http://pastebin.com/UJFL3k2E
I'm not the most adept with some of the technologies discussed here. Would someone please attempt to walk me through (a) solution(s) and/or steps to get better clues? All assistance is appreciated.
There's a couple of problems going on which are causing the problems you have seen. The first of which is the command that is run when you run npm run nss, which fails for you with this:
rm: ../../app/static/js/vendor/traceur.js: No such file or directory
This is because, well, the file simply does not exist (yet). If you look at the commands which are run when you run npm run nss, you'll see that the remove file is followed by the copy file of traceur.js to that very location. So I would guess that whoever wrote the script intended for this to be run after it was initially setup, and the remove/copy would be done once the file was initially copied there. Therefore, you must first copy the traceur.js file to app/static/js/vendor before you can successfully execute npm run nss.
But then the next problem, the file should be copied from tools/traceur-compiler/bin doesn't exist either. This is because the traceur-compiler project has recently deleted this (compiled) file from their project, which you can see via this commit: https://github.com/google/traceur-compiler/commit/429c3d850dcb7636320e81fd782c61a06de0fbf1
So you need to regenerate this file, which you can do by (from the itnerary-civic-hacking root directory):
cd tools/traceur-compiler
make bin/traceur.js
cp bin/traceur.js ../../app/static/js/vendor
This will get you in the same state as if you successfully ran npm run nss.
You won't be able to re-run the npm run nss command, but you really shouldn't need to since its more of a setup command than anything (it creates a directory, clones a github repo, etc). If you wanted to update the traceur-compiler in the future (though you may never have to do this) then I would recommend running the following steps (from the itnerary-civic-hacking root directory):
cd tools/traceur-compiler
git pull origin master
npm install
make bin/traceur.js
cp bin/traceur.js ../../app/static/js/vendor

yeoman permission issue with nodejs and angular

I am trying to start an angular web app with yeoman but I get permission issue when trying to install the new generator. I can bypass and install generator with sudo but then I get the permission errors when running
**yo** angular
I deduce its because its trying to access npm modules that are global which the current user doesnt have permissions for, and I cant run Yo with sudo. I have done a lot of google searches and they all involve some type of hack with the NODE_PATH in the .bashrc or moving the node modules to the home directory. Has anyone found a simple solution for this issue.
Below is my problem in screenshots:
yo installs fine
when i try to install the generator without sudo complains..
install with sudo passes.
then finally when I try to run yo angular it breaks.. I believe its because yo runs as user and I have installed everything with sudo privileges. How can I get past this?
The reason it breaks, I guess, is because the whole directory tree was created as super-user.
The hacks you mentioned about using NODE_PATH and the home directory are not hacks. They exist for this same very reason. To tell node where to look for packages. And .bashrc is the place where you are supposed to change this kind shell variables.
Say you added ~/.node_modules to you NODE_PATH, then you can install all "global" in there. You could also change the permissions on /usr/local. But on linux world that is not recommended.
I also strongly recommend in not using global install with npm. Using -g and npm link is handy when developing but you shouldn't count on them. You can introduce subtle bugs in your code when you forget to add a package on you package.json but it is installed globally.
Instead of installing it globally, you can find all the packages executable on ./node_modules/.bin/ directory.
But lets say you don't want to be typing ./node_modules/.bin/yo all the time, you could create an alias on your .bashrc.
alias yo="$PWD/node_modules/.bin/yo"
and it would work like expected, and if there is no yo package installed, you get an error.

NodeJS and npm without sudo on CentOS

On my box I have the Node and NPM binaries installed under /opt/node/bin. And the path is added properly.
node -v
and
npm -v
work fine. When I create a file and run it with node all works as expected. However, when I run:
npm init
the program fails to write package.json because it does not have write permission. I use:
sudo npm init
I get a file with owner and group of 0 0 and so any regular users cannot modify this file. I don't want to have to chown every file node/npm generates.
Is there way to get node/npm to run as a user in the same group as my other users and have write permissions to the same directories?
You could simply chown your /opt/ directory and future calls to npm init will be owned by you. Better yet, work in your /home folder and make sure npm and node are in your $PATH. This way you don't need to worry about permissions for initializing a new node module. You will, however, need to use sudo to install packages globally. This is bad practice according to the maintainer of Nodejs:
http://howtonode.org/introduction-to-npm
I would follow along with his setup there. As he mentions, its very dangerous to give root access to a package manager.

Resources