UNPKG

serverless-artillery/root-owns-node-modules.md

Version:

2.25 kBMarkdownView Raw

1# What If `node_modules` is Owned By Root?
2
3You might be reading this because during installation you saw:
4```
5npm ERR! code EACCES
6```
7
8We hope you're just proactive!  :D :tada:
9
10/sigh
11
12`root` ownership of `node_modules` indicates a failure somewhere along your delivery chain.  Having your `node_modules` folder owned by root [is an](https://news.ycombinator.com/item?id=16438889) [anti-pattern](https://givan.se/do-not-sudo-npm/).  You should fix that!  (but don't be ashamed - we've been there) 
13
14Being opinionated aside, we want to be helpful and you're not alone.
15
16If you are using Docker, check out [Docker Installation](README.md#docker-installation).
17
18Otherwise, the maintainers of NPM have [provided a guide](https://docs.npmjs.com/getting-started/fixing-npm-permissions) on how to resolve or avoid a circumstance where this is the case.  We strongly recommend following that guidance and even more so, understanding the reason why root ownership of node_modules is broadly rejected by the community.
19
20That said, we understand that sometimes you have your context defined for you and while you will advocate for change you have to deal in the meantime.  Read on!
21
22The reason this matters in the first place is that during the post-installation step we run npm install transitively in `~/lib/lambda` to aquire function dependencies.  This means that installing using sudo would let us run our arbitrary code with `#all-the-rights!`.  Do you really trust us?  That much?  Wow.
23
24Really?  In that case you can make the risky choice (there are better options) to use `--unsafe-perm=true` during installation to allow root privileges to propogate to [our "postinstall" script](package.json).  Please approve the bank transfers.  Or... since we won't make them, please send us fungible assets via your favorite service.
25
26**If you're smarter than that**, you have the option to use the far more safe `--ignore-scripts` and follow up your installation by running `npm i` in that directory for us (thank you!).  The latter approach has the downside of potentially breaking the installation of `serverless-artillery`'s dependencies which we haven't tested to work this way and which may change in the future anyway to contain postinstall scripts.

1	# What If `node_modules` is Owned By Root?
2
3	`You might be reading this because during installation you saw:`
4	```
5	`npm ERR! code EACCES`
6	```
7
8	`We hope you're just proactive! :D :tada:`
9
10	`/sigh`
11
12	`root` ownership of `node_modules` indicates a failure somewhere along your delivery chain. Having your `node_modules` folder owned by root [is an](https://news.ycombinator.com/item?id=16438889) [anti-pattern](https://givan.se/do-not-sudo-npm/). You should fix that! (but don't be ashamed - we've been there)
13
14	`Being opinionated aside, we want to be helpful and you're not alone.`
15
16	`If you are using Docker, check out [Docker Installation](README.md#docker-installation).`
17
18	`Otherwise, the maintainers of NPM have [provided a guide](https://docs.npmjs.com/getting-started/fixing-npm-permissions) on how to resolve or avoid a circumstance where this is the case. We strongly recommend following that guidance and even more so, understanding the reason why root ownership of node_modules is broadly rejected by the community.`
19
20	`That said, we understand that sometimes you have your context defined for you and while you will advocate for change you have to deal in the meantime. Read on!`
21
22	The reason this matters in the first place is that during the post-installation step we run npm install transitively in `~/lib/lambda` to aquire function dependencies. This means that installing using sudo would let us run our arbitrary code with `#all-the-rights!`. Do you really trust us? That much? Wow.
23
24	Really? In that case you can make the risky choice (there are better options) to use `--unsafe-perm=true` during installation to allow root privileges to propogate to [our "postinstall" script](package.json). Please approve the bank transfers. Or... since we won't make them, please send us fungible assets via your favorite service.
25
26	If you're smarter than that, you have the option to use the far more safe `--ignore-scripts` and follow up your installation by running `npm i` in that directory for us (thank you!). The latter approach has the downside of potentially breaking the installation of `serverless-artillery`'s dependencies which we haven't tested to work this way and which may change in the future anyway to contain postinstall scripts.