Upgrading NodeRED


(Brian Orpin) #1

Interesting read, thanks.

Node-Red recommends the latest LTS (v8) not nodejs latest.

Some nodes break with nodejs above LTS.


I think that the command should be without sudo. Using npm with elevated privileges can have some odd repercussions later on (but I could be wrong as I use DietPi as my base OS so I am always root).

September 18: security threat affecting node-RED (does not by default effect emonPi)
(Neil Hastings) #2

Thank you for pointing out two very important points. The command to install n does not require sudo privileges, the correct command should indeed be: npm install -g n.


(Dave Howorth) #3

Err, global install DOES require root privileges:

$ npm install -g n
npm WARN checkPermissions Missing write access to /usr/local/lib/node_modules
npm ERR! path /usr/local/lib/node_modules
npm ERR! code EACCES
npm ERR! errno -13
npm ERR! syscall access
npm ERR! Error: EACCES: permission denied, access '/usr/local/lib/node_modules'
npm ERR!  { Error: EACCES: permission denied, access '/usr/local/lib/node_modules'
npm ERR!   stack: 'Error: EACCES: permission denied, access \'/usr/local/lib/node_modules\'',
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'access',
npm ERR!   path: '/usr/local/lib/node_modules' }
npm ERR! 
npm ERR! Please try running this command again as root/Administrator.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/dhoworth/.npm/_logs/2019-01-06T17_21_20_796Z-debug.log

You could install locally without root privilege, of course. (i.e. no -g parameter)

(Paul Reed) #4

I would strongly recommend updating node-RED and its supporting packages via the official guide.
If things go badly wrong, the node-RED support forum is the best place to get support.


(Brian Orpin) #5

Mmmm - it shouldn’t. Was this NR install done using the script linked to by Paul and not run as sudo (a common mistake) as per the instructions or is this the EmonSD image?

@glyn.hudson @TrystanLea - the docs suggest Node-Red is installed on the SD image via apt-get. Is this how it is done? If so I suggest the method is changed to adopt the recommended method.

@djh this may be why you are seeing this error. You may well find adding nodes by the palette manager fails as well.

Agreed but that may not work if the SD image has been first installed via apt-get.

I note from that (NR) page the manual install command recommended is sudo apt-get install npm && sudo npm i -g npm. However, I think that installing npm by npm leaves you with npm that can be used without elevated privileges (but I could be wrong as I do not use Raspbian anymore) - I do remember having exactly the issue described above in the early days of node-red and it was traced to how I had installed it in the first place.

(Dave Howorth) #6

How do you install something globally on linux without root privileges? Where is it installed? Who owns it? And what are the permissions?

What stops any user on the machine from corrupting it?
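The questions in the post above (where a global install lands, who owns it, and who can write to it) can be checked directly on a given machine. The following is an added example, not part of the original thread: a POSIX shell audit of a global node_modules directory. The function names are invented for illustration, and the default path is the one shown in the error output earlier in the thread.

```shell
#!/bin/sh
# Added example: audit who can modify a global npm module directory.
# Usage: sh audit.sh "$(npm config get prefix)/lib/node_modules"
# With no argument it checks the path from the thread's error output.

# classify_dir DIR -> missing | world-writable | group-writable | owner-only
classify_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then echo missing; return 0; fi
    # -prune stops descent; -perm -MODE matches when all listed bits are set.
    if [ -n "$(find -H "$dir" -prune -perm -0002)" ]; then
        echo world-writable      # any local user can replace installed code
    elif [ -n "$(find -H "$dir" -prune -perm -0020)" ]; then
        echo group-writable      # members of the owning group can
    else
        echo owner-only          # only the owner (and root) can
    fi
}

# dir_owner DIR -> owning user name as reported by ls
dir_owner() {
    ls -ldL "$1" | awk '{print $3}'
}

# needs_elevation DIR -> "no" if the current user can write to DIR, else "yes"
needs_elevation() {
    if [ -w "$1" ]; then echo no; else echo yes; fi
}

report() {
    target=$1
    state=$(classify_dir "$target")
    echo "directory:    $target"
    echo "write access: $state"
    if [ "$state" != missing ]; then
        echo "owner:        $(dir_owner "$target")"
        echo "current user must elevate for 'npm install -g': $(needs_elevation "$target")"
    fi
}

report "${1:-/usr/local/lib/node_modules}"
```

A root-owned, owner-only directory is the state that produces the EACCES error quoted earlier; a world-writable result means any local account can alter code that other users will later run.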

(Brian Orpin) #7

I think you are conflating 2 issues; apt-get install adds a tool to the base OS system - this requires elevated permissions. npm is such a tool that, once added, allows you to add nodes either globally (available to all users) or locally (just one user). You shouldn’t need sudo to use npm to install nodes (either locally or globally). Note the exception is that you need elevated permissions when using npm to install npm (and no I don’t understand that either…).

Using the approved install script, I believe, Node-Red will generally be installed using npm without elevated privileges.

Interestingly, despite what the NR docs say, using the script to install NR results in NodeJS v10 being installed (according to the text in the script itself)!

(Dave Howorth) #8

I don’t think I am conflating issues, and I note that you haven’t answered my questions, which I think would make the issue clear. Once you’ve answered them, it might be worth discussing further. I’m not using apt-get because I’m not on a debian-based system.

(Brian Orpin) #9

Well I have, but to be crystal…

Running npm is not actually installing something into the OS. It is adding a node to the nodejs installation (NPM = Node Package Manager). Think of it as a command line version of the NR palette manager (which actually is exactly what it is).

Depends whether you run npm with the -g (global) flag (and what your system has defined as the location for these nodes) or where you are running it from.

System dependent.

System dependent.

Well that is far too big a question to be able to answer. Depends on what permissions the user has on that system for a starter. Remember, nodejs is not really designed to be used on a multi user system - it often complains when used by a single user (as you have discovered).

(Dave Howorth) #10

I know that. It is still installing software that can run on the machine, and is exposing it to attack via the CVEs for node.js.

Ah, you noticed. Now I said that on my system that is /usr/local/lib so DOES NEED ROOT PERMISSION as I keep saying. My question is where are YOU installing it?

No, it isn’t. It’s an absolutely fundamental question to ask and answer satisfactorily before installing any software on any machine. node.js is very much intended for use on multi-user systems - inside the browser, where it causes no end of grief.

What you’re recommending is to ignore basic security practice; not even think about it.

(Brian Orpin) #11

@djh I ignore folk who shout.

(Dave Howorth) #12

Sorry, it’s very frustrating when you keep ignoring the issue :disappointed: