npm minor updates - a thought


(Peter Scargill) #1

Just a thought - I’m a Raspberry Pi Node-Red user who keeps getting notifications about NPM updates and today a minor update. As usual it seems the author of the update notice assumed that everyone is ROOT.

“npm install -g npm”

I almost never use root and most node-red updates and installs don’t need sudo either. This update of course failed as user Pi - adding sudo (which is not common sense to EVERYONE, trust me) in the instructions might be helpful?


(John Gee) #2

Many people think it is best practice to avoid the use of sudo to install global modules, and npm itself jumps through some hoops to try and be safer when run with sudo. Installing as root is not the expected alternative though, as it has the same security risks.

The two main approaches are:

  • install to a user local folder rather than to a system folder
  • changing ownership of the system folders to the user (e.g. Pi) so that sudo is not required

See for example: Error: while installing http-server on MacOS Mojave 10.14.2

I think this is a bigger concept to get across than in a simple upgrade message, so the messaging very deliberately leaves out mention of sudo.
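The first approach listed in the post above (a user-local folder), sketched as an added example that is not part of the original thread and is not npm's own code. The directory name `.npm-global` and the function name `setup_user_prefix` are assumptions; the function writes the `prefix` key into the user's `.npmrc` directly, which is the same setting `npm config set prefix` stores.

```shell
#!/bin/sh
# Added example (not from the thread): make global npm installs land in a
# directory the normal user owns, so neither sudo nor root is needed.
# Assumptions: directory name ".npm-global", login shell reads ~/.profile.

setup_user_prefix() {
    home_dir="${1:-$HOME}"              # optional argument eases testing
    prefix_dir="$home_dir/.npm-global"  # assumed name, any user-owned dir works
    npmrc="$home_dir/.npmrc"
    profile="$home_dir/.profile"

    # Global packages go to <prefix>/lib/node_modules, executables to <prefix>/bin.
    mkdir -p "$prefix_dir/bin" "$prefix_dir/lib" || return 1

    # Rewrite .npmrc with exactly one prefix= line, keeping every other setting.
    touch "$npmrc"
    grep -v '^prefix=' "$npmrc" > "$npmrc.tmp" || true
    echo "prefix=$prefix_dir" >> "$npmrc.tmp"
    mv "$npmrc.tmp" "$npmrc"
    chmod 600 "$npmrc"                  # .npmrc can also hold registry tokens

    # Put the user-local bin directory on PATH once, for future logins.
    path_line="export PATH=\"$prefix_dir/bin:\$PATH\""
    grep -qxF "$path_line" "$profile" 2>/dev/null || echo "$path_line" >> "$profile"
}

# Typical use as the normal user (for example pi), then log in again:
#   setup_user_prefix
#   npm install -g npm
```

The function is safe to run more than once: it replaces an existing `prefix=` line and adds the PATH line only if it is missing.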


(John Gee) #3

I wanted to add that I think it is a good idea to raise that novice users are not being guided enough by this messaging, thanks. (And apologies I didn’t have a suggestion to go with my not-sudo not-root explanation.)

Also I don’t know Raspberry Pi Node-Red conventions at all. (My experience is mainly Mac and Linux.)


(Frédéric Harper) #4

And I agree with this.

I also agree!

Thanks for bringing this up @scargill, I’ll see what I can do, but I can see a blog post or tutorial where we can send people to learn more about best practices and how to overcome issues without installing npm as root.


(Peter Scargill) #5

The guys at IBM who are responsible for Node-Red told me to install my Node-Red stuff as much as possible as Pi user - (their install script deliberately makes nodes local to /home/pi/.node-red belong to user Pi, and Node-Red itself is set up by Pi user). So much so that now my script for installing all manner of programs on a PI and many other machines, if there is no user called PI, creates one and uses it. My only experience of NODE is through Node-Red so I can’t contribute much to this, but as installing NODE as user PI without SUDO produces permissions errors, I use SUDO. That’s my very limited experience on the matter.


(Frédéric Harper) #6

Unfortunately, I have no experience at all with Raspberry Pi Node-Red at all…