Don’t Use `sudo` with `npm` …still

  • npm install and others have the ability to run arbitrary scripts. Due to how npm is set up and the fact that you can alter the registry and it can use DNS, it is possible that you will accidentally install a malicious package in general, install a malicious package masquerading as a perfectly valid package, or install a package with good intentions that may run scripts that are somehow detrimental to your system if run as root.
  • Running sudo npm install (without -g) will create a local directory that can only be altered by the root user. This can really screw things up for you if you try to do npm <something> in the same directory or project later on.
  • Even sudo npm install -g with a valid installation target can mess things up for you and make it hard to use npm without sudo under some circumstances in the future -- particularly if you change your npmconfiguration midstream. The root user can and will create files in your npm cache and potentially a file like ~/.npm/_locks, and future npm install or npm install -g will give you the dreaded EACCES error.

Avoid Global Installs

Set npm’s Prefix

Using `n` to Manage Node.js Versions


  1. brew install node, or apt-get install node or whatever you need to do to get node up on your machine. This should include executables npm and yarn.
  2. Set your prefix for global installs, e.g. npm config set prefix ~/.npm
  3. Update your PATH to include ~/.npm/bin. For example: echo 'export PATH="$HOME/.npm/bin:$PATH"' >> ~/.zshrc if you’re using zsh.
  1. Next, use yarn global add n which should create ~/.npm/bin/n.
  2. Do the equivalent of echo 'export N_PREFIX="$HOME/.n"' >> ~/.zshrc for your shell configuration




Web developer and such

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Ionic4 hide header on scroll.

What is AngularJS? Architecture & Features

‘Flashup’ Your Arcade Or Website Today

VueJS Route Security and Authentication

JavaScript’s evolution into a first-class language

Javascript part 2

Javascript Variables

Things I learned using an SVG icon system in production.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andrew Crites

Andrew Crites

Web developer and such

More from Medium

Introduction to Modern JavaScript.

JavaScript syntax for CRUD operations

How To Fix Object.Map Is Not A Function Error In JavaScript

Click and Hold in Javascript With React Example