Details on Local Install vs. Global

To my credit on this I have been looking for instructions on the forum on how exactly to install Node-RED locally. The documentation just tells you how to do this suggestion "npm install -g --unsafe-perm node-red"
There is no information on options ... -g, is global, what is local? -L --unsafe-perm ?
If I do install locally, how is that going to be a problem when running it or modifying nodes? programs?

I am interested in security which a global install is apparently less secure.

Can someone please either show where to get this information to explain install options or explain them in the body of the forum. Perhaps even put the explanation in the Documentation.

What npm command to use to get the details from --help /? etc.
PS C:\Users[this user]> npm install -h

npm install (with no args, in package dir)
npm install [<@scope>/]
npm install [<@scope>/]@
npm install [<@scope>/]@
npm install [<@scope>/]@
npm install @npm:
npm install
npm install
npm install
npm install <git:// url>
npm install /

aliases: i, isntall, add
common options: [--save-prod|--save-dev|--save-optional] [--save-exact] [--no-save]
PS C:\Users[this user]>

The docs for the npm install command are here: https://docs.npmjs.com/cli/v6/commands/npm-install

Typically, installing a module globally makes available on you system. If the module includes executables (rather than being a pure library) it should end up on your path so you can run it from anywhere.

Installing locally (without the -g flag) means it gets installed in the current directory. Any executable does not get added to your path, but you can use npx node-red to run it... As long as you are doing that in the same directory you ran the install in.

I wouldn't say a global install is less secure. Depending on your node.js setup, a global install doesn't necessarily mean it is globally available to all users.

It will largely depend on what you're doing and how you want to install things. I know some people prefer to keep it all self contained in one directory so don't use the global option.

I always run it locally, as Nick says, the only thing you don't get is any global commands. Although node-red comes with a couple, I've never missed them :grin:

Personally, I like having everything in 1 place and being able to back everything up easily. I like the option of being able to run multiple different versions of node-red if I want to. And I like to know where things are, on Windows at least it can be quite hard to actually find something that has been globally installed by npm.

I have a repo that includes everything needed to set up node-red locally: alternate-node-red-installer

As for whether a global install is less secure. You are pushing multiple npm dependencies into global (root) space. This has the potential to open your system to code that is able to run at an elevated rights level. The risk is quite low but quite not zero.

That will depend on how you have node.js installed

For example, in my setup, 'global' is scoped to my user so nothing is ever installed as root.

And just because it's installed locally doesn't mean that a root user can't then run it and do bad things either - unless you start getting into things like containers and snap etc. And many apps (like rm on linux) are installed globally - it's the combination of permissions on the user as well as the app that all adds up.

See, that's what I like about this forum, learning something new all the time! I didn't know you could do that. Do you have a link to how to do it? I couldn't immediately find it.

Of course true but not really the issue. The issue is installing software from an external repository into the trusted context. Best practice to keep it to a minimum. Same is true for your OS installs from APT or whatever. Less is better. And yes, containers even better - but as often discussed, there is a balance.

On Windows, I use Store Apps and AppGuard to help containerise applications for example and install to a single user where possible.

But we are getting down into the weeds here. Security is only one of the reasons I personally prefer to install node-red locally and is far from the most important. I love the fact that we have the choice.

I get that, from a beginners perspective, it is easier to tell people to go a global install of node-red. But we do regularly see people get into a bit of a mess with the whole global/local issue as well as with where things are located. In my personal view, this is avoided by doing a local install. But everyone has their take on this.

In your user's ~/.npmrc add the following line prefix=${HOME}/.npm-packages

In the ~/.bash_rc add the following, to get everything in your PATH

NPM_PACKAGES="${HOME}/.npm-packages"                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                               
PATH="$NPM_PACKAGES/bin:$PATH"                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                               
# Unset manpath so we can inherit from /etc/manpath via the `manpath` command                                                                                                                                                                                                                                                  
unset MANPATH # delete if you already modified MANPATH elsewhere in your config                                                                                                                                                                                                                                                
export MANPATH="$NPM_PACKAGES/share/man:$(manpath)" 

The .npm-packages can be an arbitrary directory.

Anyway, that should get you user-local global npm installations. :grin:

1 Like

When was the last time you managed to install anything from apt without being root ? :-). It is pretty much mandated that deb packages must not write into users space.

Yes, that's what I meant by minimising installs :slight_smile: If you don't need an application, get rid of it so that the attack surface is smaller.

All, thanks for the discussion. OK, another question for you. If I install it locally, can I run it as any other user? What caveats exist in this case?

Depends how you setup all the permissions of that user. Anything is possible, but just because you can, doesn't mean you should. What's the problem you are trying to solve?

1 Like

@knolleary,
Thanks for the quick response. The applications which typically have permissions to "install" are administrators or personal accounts which have administrator rights. Our organization does not have a single administrator account everyone in the Engineering team uses. Therefore, they have personalized accounts which are of type administrator. I installed Node-RED on a system "globally" as a test-bed which we plan to roll out to manufacturing/packaging lines which typically have a single machine user domain account that they will share. So, we are installing them with NSSM. They run on the system account at this point, but the "User" account will run the web pages associated to the running system.

So, global installed under administrator, but running as NSSM Service under "System" and "user" will run web pages.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.