Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] node.js and npm on Debian?



On Tue, Feb 13, 2018 at 10:51:41AM -0800, Rich Braun wrote:
> Kent Borg <kentborg at borg.org> asks:
> > But I can't figure out how to install npm. When I search for
> > installation instructions they all seem to want me to pipe a curl
> > command into a sudo bash. Huh? That's scary as hell.
> 
> Let others do the installation for you: my go-to technology for this is
> Docker. First get docker installed
> (https://docs.docker.com/install/linux/docker-ce/debian/). Then look for the
> official containerized release of node here:
> https://hub.docker.com/r/library/node/. Choose which versions of Node and
> Debian that you want (look among the available tags); example 8.9.4 on
> stretch. To run it, really all you need to type is this:
> 
>  docker run -d --name nodejs node:latest sleep 7d
>  docker exec -it nodejs bash
> 
> You'll be at a shell prompt that includes Node.JS and npm. You can use the
> "--volume" parameter to map a working directory into the container and to map
> the modules you decide to install (/usr/local/lib/node_modules/npm), enabling
> you to edit files on your host and work with them at the container's bash
> prompt. Docker's drop-dead simple to learn, and it solves so many of these
> installation headaches.

And transfers those headaches to your security and ops teams.

There's a new RCE vulnerability against node-sprintf version
1.1.0. Where is it running? Is it safe to keep running your
containers until the weekend, or do you need to replace some
today?

You've got a display inconsistency in floating point
representation. Which of your deployed containers has it? What
libraries were they using? If it's a one-line fix, can you
insert the patched library on every container or do you need to
rebuild every container?

Your QA team tested version 10.4.2, but node:latest is pulling
in 10.4.2a since some point after your got it tested but before
you deployed. Does your deployment process guarantee the version
number that you tested is the version you deployed?

All of those problems are solved by configuration management and
deployment systems, and containers at best obfuscate them.

-dsr-



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org