We have some upcoming large npm dependencies I'd like to avoid checking into the source tree. Can we install npm on dxradm.private.phx1.mozilla.com? I spoke with Kendall on IRC earlier about this, and he wasn't sure of RHEL's support for npm, but a yum search on the processor box shows 1.3.6 available. That should do. I'll then use npm-shrinkwrap and write a little hashing validation tool to make sure we're getting the same versions of things each time.
Actually, there's this lousy "scripts" directive that allows for arbitrary code execution at install time: https://npmjs.org/doc/misc/npm-scripts.html. So mere post-installation hash validation won't work. However, npm caches all downloaded packages in ~/.npm, so we're actually vulnerable to malicious package sources only the first time we fetch them. From then on, everything just comes off the local disk, and nothing even hits the network.
npm has been installed via puppet:

[firstname.lastname@example.org yum.repos.d]# npm --version
1.3.6