⚠️ Update npm to v6.13.4

The npm team have released a new version that addresses a serious security issue. Please take a moment to update npm:

Just for others - I needed to use

sudo npm i npm -g

on my Pi

Also I got this strange message about minor version upgrade available but when I checked - it was duff info as it had upgraded to 6.13.4

Doesn't npm come packaged with nodejs if one uses the pi install script for node red? When a new minor version of nodejs comes out then this will be picked up by the usual apt upgrade command. Is that not also true for npm?

Yes npm is packaged with node.js, and node.js are doing an emergency release for this issue.

But that doesn't mean you can't be proactive if you want to be and update npm as described above.

OK, understood. Thanks.

I am not sure, hence I dare to ask.

This vulnerability also applies to a nodered/node-red-1.0.3-minimal docker version? And I would have to either build my own container from scratch or wait for an update in Docker Hub?

Updating from within the running container does not work.

Once Node.js have done their security release we'll update the docker images. I think the node release is scheduled for Tuesday next week.

Thanks. I am relatively new to Docker, hence appreciate your confirmation.

Just note that we generally recommend keeping the npm version to the one released with node.js to prevent any compatibility issues.

However, a security release would be the exception, especially if your device is connected to the Internet.

Who is the 'we' in that instance? The Node-RED project doesn't make any such recommendation. In fact, we'd recommend using the latest stable version of npm. They go to great lengths to keep it compatible with all actively maintained versions of node.js.

Mistype. Too used to using that at work.

I recommend it because I've had serious issues in the past having updated npm separately to node.js and I really don't want to repeat that experience personally.

npm is perhaps better at dealing with that now than they used to be but I've had other issues with npm as well so I am not 100% convinced by the care on some of their updates. Indeed, I had an ongoing discussion about a serious flaw in npx under Windows that they refused to fix even though it was a fairly easy fix.

So that is why I am extra cautious with npm updates.

Security fixes however, are generally a different matter.

Node have now released 10.18.0 and 12.14.0 that include the fixed npm version.

We have rebuilt the Node-RED Docker images against these versions - https://hub.docker.com/r/nodered/node-red/tags

(Village idiot asking)

The command is run from home, .node-red or .npm?

I tried the standard Pi update script last night and it didn't seem to update node (was on 10.16.3) - should it have?

With -g standing for a global, machine-wide install, it actually doesn’t matter from which directory it gets executed. Without that -g, npm will be installed/updated in the current directory, which isn’t useful for a global tool, hence -g. Not a stupid question either.

I don't know if the NodeSource packages have been updated yet.

Yeah, well: No it doesn't work.

RasPi.

pi@BedPi:~ $ npm i npm -g
npm WARN checkPermissions Missing write access to /usr/lib/node_modules/npm/node_modules/agent-base
npm ERR! path /usr/lib/node_modules/npm/node_modules/agent-base
npm ERR! code EACCES
npm ERR! errno -13
npm ERR! syscall access
npm ERR! Error: EACCES: permission denied, access '/usr/lib/node_modules/npm/node_modules/agent-base'
npm ERR!  { Error: EACCES: permission denied, access '/usr/lib/node_modules/npm/node_modules/agent-base'
npm ERR!   stack: 'Error: EACCES: permission denied, access \'/usr/lib/node_modules/npm/node_modules/agent-base\'',
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'access',
npm ERR!   path: '/usr/lib/node_modules/npm/node_modules/agent-base' }
npm ERR! 
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR! 
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator (though this is not recommended).

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/pi/.npm/_logs/2019-12-19T08_33_53_295Z-debug.log
pi@BedPi:~ $ 

So please: where do I need to do it?

I tried quickly on my NUC (Ubuntu) and it won't work in any directory:
Home,
.npm
.node-red

Doesn't work.

You will need to use sudo npm i npm -g

Shall try that.

(Dumb question)

If I need to use sudo...... Why wasn't it declared in the first post?
(I am sure the ownership problems were resolved a long time ago)

Because not everyone needs to use sudo. For example, OSX or Windows users.
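
As an added example (not part of any post in this thread): a shell check for the two questions raised above, whether the installed npm is below 6.13.4 and whether the global install directory is writable without sudo. The function names are hypothetical; the Node.js versions are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Version numbers below are the ones
# quoted in the thread; function names are hypothetical.
FIXED_NPM=6.13.4

# version_ge A B: succeed if dotted version A >= B (numeric, per field).
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)      # drop pre-release suffix
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# npm_is_patched VERSION: succeed if VERSION is at least the fixed release.
npm_is_patched() { version_ge "$1" "$FIXED_NPM"; }

# node_bundles_fixed_npm VERSION: 0 = yes, 1 = no, 2 = release line the
# thread does not mention (check npm itself instead).
node_bundles_fixed_npm() {
    v=${1#v}
    case "${v%%.*}" in
        10) version_ge "$v" 10.18.0 ;;
        12) version_ge "$v" 12.14.0 ;;
        *)  return 2 ;;
    esac
}

# global_dir_writable DIR: succeed if the current user can write to DIR,
# i.e. "npm i npm -g" would not hit EACCES there.
global_dir_writable() { [ -d "$1" ] && [ -w "$1" ]; }

report() {
    if ! command -v npm >/dev/null 2>&1; then
        echo "npm not found on PATH"; return 0
    fi
    npm_v=$(npm --version 2>/dev/null || echo 0)
    if npm_is_patched "$npm_v"; then
        echo "npm $npm_v: already at or above $FIXED_NPM"; return 0
    fi
    root=$(npm root -g 2>/dev/null || echo /nonexistent)
    if global_dir_writable "$root"; then
        echo "npm $npm_v: update with: npm i npm -g"
    else
        echo "npm $npm_v: $root not writable, update with: sudo npm i npm -g"
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` to print the result for the local machine. The comparison is numeric per field, so 6.9.0 is correctly treated as older than 6.13.4.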