[Discuss] node.js and npm on Debian?

Dan Ritter dsr at randomstring.org
Tue Feb 13 14:06:41 EST 2018


On Tue, Feb 13, 2018 at 10:51:41AM -0800, Rich Braun wrote:
> Kent Borg <kentborg at borg.org> asks:
> > But I can't figure out how to install npm. When I search for
> > installation instructions they all seem to want me to pipe a curl
> > command into a sudo bash. Huh? That's scary as hell.
> 
> Let others do the installation for you: my go-to technology for this is
> Docker. First get docker installed
> (https://docs.docker.com/install/linux/docker-ce/debian/). Then look for the
> official containerized release of node here:
> https://hub.docker.com/r/library/node/. Choose which versions of Node and
> Debian that you want (look among the available tags); example 8.9.4 on
> stretch. To run it, really all you need to type is this:
> 
>  docker run -d --name nodejs node:latest sleep 7d
>  docker exec -it nodejs bash
> 
> You'll be at a shell prompt that includes Node.JS and npm. You can use the
> "--volume" parameter to map a working directory into the container and to map
> the modules you decide to install (/usr/local/lib/node_modules/npm), enabling
> you to edit files on your host and work with them at the container's bash
> prompt. Docker's drop-dead simple to learn, and it solves so many of these
> installation headaches.

And transfers those headaches to your security and ops teams.

There's a new RCE vulnerability against node-sprintf version
1.1.0. Where is it running? Is it safe to keep running your
containers until the weekend, or do you need to replace some
today?

You've got a display inconsistency in floating point
representation. Which of your deployed containers has it? What
libraries were they using? If it's a one-line fix, can you
insert the patched library on every container or do you need to
rebuild every container?

Your QA team tested version 10.4.2, but node:latest is pulling
in 10.4.2a since some point after you got it tested but before
you deployed. Does your deployment process guarantee the version
number that you tested is the version you deployed?

All of those problems are solved by configuration management and
deployment systems, and containers at best obfuscate them.

-dsr-
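Dan's last question, whether the version you tested is the version you deployed, can be answered mechanically only if the deployment refers to images by digest rather than by a tag like `node:latest`. The script below is an added example, not code from this thread or from either poster. It assumes an input of `<container-name> <image-reference>` lines, the shape `docker ps --format '{{.Names}} {{.Image}}'` prints; the sample lines and the all-zero digest in them are constructed placeholders, not real containers or real node image digests.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): flag containers whose image
# reference is not pinned by digest, i.e. whose contents can change under you.
set -eu

# Classify one image reference as the daemon would resolve it:
#   pinned    - carries @sha256:<64 hex>; always resolves to the same image
#   tag       - explicit tag (e.g. node:8.9.4-stretch); mutable on the registry
#   floating  - :latest or no tag at all (which also means :latest)
#   malformed - has @sha256: but the digest is not 64 hex characters
classify_ref() {
    local ref="$1"
    case "$ref" in
        *@sha256:*)
            local digest="${ref##*@sha256:}"
            if printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
                echo pinned
            else
                echo malformed
            fi
            ;;
        *)
            # Drop registry host and path (a registry port like :5000 would
            # otherwise look like a tag); tags cannot contain '/'.
            local last="${ref##*/}"
            case "$last" in
                *:latest) echo floating ;;
                *:*)      echo tag ;;
                *)        echo floating ;;
            esac
            ;;
    esac
}

# Read "<container-name> <image-reference>" lines on stdin, print every
# container that is not digest-pinned to stderr, and echo the count of such
# containers on stdout.
count_unpinned() {
    local name ref kind unpinned=0
    while read -r name ref; do
        [ -n "$ref" ] || continue
        kind=$(classify_ref "$ref")
        if [ "$kind" != pinned ]; then
            printf '%s\t%s\t%s\n' "$name" "$ref" "$kind" >&2
            unpinned=$((unpinned + 1))
        fi
    done
    echo "$unpinned"
}

# Constructed sample in the shape of `docker ps --format '{{.Names}} {{.Image}}'`.
# The digest is a placeholder, not a real node image digest.
SAMPLE_PS='web1 node:latest
web2 node
api1 node:8.9.4-stretch
api2 node:8.9.4-stretch@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Stand-alone run: lists web1, web2 and api1 on stderr and prints 3.
printf '%s\n' "$SAMPLE_PS" | count_unpinned
```

To get a reference that passes this check, record the digest at QA time with `docker image inspect --format '{{index .RepoDigests 0}}' node:8.9.4-stretch` (it prints `node@sha256:...`) and have the deployment run exactly that string; a tag such as `node:8.9.4-stretch` is better than `latest` but the registry can still re-point it.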