NPM Update Crashes Linux Systems and in some cases forces re-installation

A bug in npm (Node Package Manager), the most widely used JavaScript package manager, changes the ownership of crucial Linux system folders such as /etc, /usr, and /boot. Changing the ownership of these files crashes the system, breaks various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0, which has been deemed a buggy release.

The bug was first reported by users, after which the npm development team released a quick patch, npm v5.7.1, that fixes the glitch. FreeBSD users have also reported being impacted by the bug. Mac and Windows users didn't experience any issues. The problem did not affect every Linux user.

Running the npm update commands as root doesn’t result in npm trying to reassign root ownership to all files, so the issue appears to affect only npm update operations prefixed by a sudo command.
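To triage a host for the ownership change described above, the following added example (not code from npm or from the original article) counts entries under the named system directories that are owned by a given account. It assumes the affected files end up owned by a non-root account, whose numeric uid you pass in; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: files touched by the bug are owned by a
# non-root uid supplied by the operator.
AFFECTED_NPM_VERSION="5.7.0"   # release named in the article; 5.7.1 has the fix

# Return 0 if version string $1 is the affected release.
is_affected_npm_version() {
    [ "$1" = "$AFFECTED_NPM_VERSION" ]
}

# Count entries under directory $1 owned by numeric uid $2.
# -xdev keeps find on one filesystem so other mounts are not walked.
count_owned_by() {
    find "$1" -xdev -user "$2" -print 2>/dev/null | wc -l | tr -d ' '
}

# scan_dirs <uid> <dir>...: report each directory, return 1 if any hit.
scan_dirs() {
    sd_uid="$1"; shift
    sd_status=0
    for sd_dir in "$@"; do
        [ -d "$sd_dir" ] || continue
        sd_n=$(count_owned_by "$sd_dir" "$sd_uid")
        if [ "$sd_n" -gt 0 ]; then
            echo "WARN $sd_dir: $sd_n entries owned by uid $sd_uid"
            sd_status=1
        else
            echo "ok   $sd_dir"
        fi
    done
    return "$sd_status"
}

# Stand-alone use: ./check.sh --scan <uid>
if [ "${1:-}" = "--scan" ]; then
    if command -v npm >/dev/null 2>&1 &&
       is_affected_npm_version "$(npm --version)"; then
        echo "npm $AFFECTED_NPM_VERSION is installed; update to 5.7.1"
    fi
    scan_dirs "${2:?usage: $0 --scan <uid>}" /etc /usr /boot
fi
```

A WARN line only flags candidates for review: restoring ownership still has to follow the distribution's package metadata, since not every file under these directories is normally owned by root.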

Npm is the de facto package manager for small, medium, and large-scale JavaScript projects. Npm is packaged with Node.js, and is also the largest package manager on the Internet, hosting libraries and plugins for Node.js, Ember, jQuery, Bootstrap, React, Angular, and many other JavaScript frameworks. It makes it easy for JavaScript developers to share and reuse code, and to update the code they are sharing.

This brings up the serious issue of testing releases before they go out to the public. This was a pretty bad bug that would affect a lot of servers, so in hindsight you do hope npm learned their lesson, but this is not the only company that doesn't really perform heavy QA testing.