Should npm run as unprivileged setuid?

(Jim) #1

There is an anomaly on OS-X, where running sudo npm install -g qxcompiler has some kind of issue with a package. When I filed it, it was mentioned to not use sudo due to the risks pointed out in https://medium.com/@ExplosionPills/dont-use-sudo-with-npm-still-66e609f5f92
This had me concerned, as I can understand the point of security, but it also creates an issue on multi-user environments, where each user will gobble up disk space installing redundant packages.
It would seem appropriate that npm itself be run setuid as an unprivileged user but allow global installation to common directories users can use features and libraries from.