Install npm on DXR admin node

RESOLVED FIXED

Status

Infrastructure & Operations
WebOps: Other
4 years ago
4 years ago

People

(Reporter: erik, Assigned: solarce)

Tracking

Details

(Whiteboard: [change - configuration])

(Reporter)

Description

4 years ago
We have some upcoming large npm dependencies I'd like to avoid checking into the source tree. Can we install npm on dxradm.private.phx1.mozilla.com?

I spoke with Kendall on IRC earlier about this, and he wasn't sure of RHEL's support for npm, but a yum search on the processor box shows 1.3.6 available. That should do.

I'll then use npm-shrinkwrap and write a little hashing validation tool to make sure we're getting the same versions of things each time.
(Reporter)

Comment 1

4 years ago
Actually, there's this lousy "scripts" directive that allows for arbitrary code execution at install time: https://npmjs.org/doc/misc/npm-scripts.html. So mere post-installation hash validation won't work. However, npm caches all downloaded packages in ~/.npm, so we're actually vulnerable to malicious package sources only the first time we fetch them. From then on, everything just comes off the local disk, and nothing even hits the network.
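
An added example, not part of the original bug thread and not DXR's tool: because install-time scripts run before any post-install check can happen, this Node.js code checks fetched tarballs against pinned SHA-256 hashes before install and lists the packages that declare install hooks. The package names, the pin format, and the assumption that each manifest was read out of its tarball without invoking npm are all hypothetical.

```javascript
// Added example: pre-install audit of fetched npm tarballs (not DXR's tool).
const nodeCrypto = require('crypto');

// Lifecycle hooks npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function sha256(buf) {
  return nodeCrypto.createHash('sha256').update(buf).digest('hex');
}

// pins: { "name@version": "<sha256 hex>" }, recorded from a reviewed fetch.
// fetched: [{ name, version, tarball: Buffer, manifest: parsed package.json }]
// Assumption: each manifest was extracted from its tarball without running npm.
function auditBeforeInstall(pins, fetched) {
  const report = { ok: [], unpinned: [], mismatch: [], runsScripts: [] };
  for (const pkg of fetched) {
    const id = `${pkg.name}@${pkg.version}`;
    const expected = pins[id];
    if (expected === undefined) {
      report.unpinned.push(id);          // never reviewed: no hash to compare
    } else if (sha256(pkg.tarball) !== expected) {
      report.mismatch.push(id);          // bytes differ from the pinned copy
    } else {
      report.ok.push(id);
    }
    // Flag install hooks regardless of hash status: they execute at install.
    const scripts = pkg.manifest.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
    if (hooks.length > 0) report.runsScripts.push({ id, hooks });
  }
  report.safeToInstall =
    report.unpinned.length === 0 && report.mismatch.length === 0;
  return report;
}

// Constructed sample data: made-up package names and tarball bytes.
function demo() {
  const good = Buffer.from('constructed tarball bytes: left-helper 1.0.0');
  const native = Buffer.from('constructed tarball bytes: native-thing 2.1.0');
  const pins = {
    'left-helper@1.0.0': sha256(good),
    'native-thing@2.1.0': sha256(native),
  };
  const fetched = [
    { name: 'left-helper', version: '1.0.0', tarball: good, manifest: { scripts: { test: 'mocha' } } },
    { name: 'native-thing', version: '2.1.0', tarball: Buffer.from('tampered'), manifest: { scripts: { postinstall: 'node build.js' } } },
    { name: 'new-dep', version: '0.0.1', tarball: Buffer.from('x'), manifest: {} },
  ];
  return auditBeforeInstall(pins, fetched);
}

console.log(JSON.stringify(demo(), null, 2));
```

Packages listed under `runsScripts` are the ones whose hook commands need a manual read before the install is allowed to proceed.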

Updated

4 years ago
Whiteboard: [change - configuration]
(Assignee)

Updated

4 years ago
Assignee: server-ops-webops → bburton
(Assignee)

Comment 2

4 years ago
npm has been installed via puppet

[root@dxradm.private.phx1 yum.repos.d]# npm --version
1.3.6
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED