Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

Windows installer doesn't ensure that $USERNAME\AppData\Roaming exists #8141

Closed
othiym23 opened this issue Aug 11, 2014 · 16 comments
Closed
Labels

Comments

@othiym23
Copy link

npm uses $APPDATA\npm so that non-Administrator roles have a writable place to stash global packages. Since creating that directory if it doesn't exist does require Administrator privileges, npm -g install <whatever> won't / can't work if the base directory doesn't exist (with the correct ACL) before npm is run. The installer should ensure that the whole path is set up at boot time.

Also, either the documentation needs to change, or maybe the installer, because right now, people trying to upgrade npm using npm after they've used the .msi frequently end up confused because npm -g install npm@latest doesn't actually upgrade them to the newest version of npm, because the first npm on their path is the one that was originally installed alongside node in the Administrator directory. Either the positions of AppData\roaming\npm and the Node binary directory need to be swapped in PATH, npm should be installed to AppData\roaming\npm in the first place, or the documentation should be clarified to tell Windows users exactly how to upgrade npm with the .msi-installed Node.

@ismyrnow
Copy link

I ran into this same issue doing an installation on Windows 8.1 x64 using node-v0.10.31-x64.msi. For installation, the workaround was to create the $USERNAME\AppData\Roaming\npm directory after installation.

@ciaranj
Copy link

ciaranj commented Sep 9, 2014

This doesn't help with node.js application running as windows services though :/ As those user profiles are within c:\windows\system32...blah, convincing admins to add stuff in there is a challenge!

@tjfontaine
Copy link

@joshkpeterson
Copy link

The top voted answer in the SO thread did not fix for me, nor did running as admin. Once I installed something with the -g flag, the issue was fixed. Doing npm from then on worked as normal.

It's surprising to me that this bug has persisted for so long. Seems most folks installing on windows are getting tripped up.

@xorcus
Copy link

xorcus commented Oct 20, 2014

should not be using $USERNAME\AppData\Roaming\npm
=> should be using $APPDATA\npm

@simonjosefsson
Copy link

+1, confirmed with v0.10.33-x86.msi

I installed node.js for the first time today.
Ran into this issue trying to follow a tutorial but found a solution on stackoverflow and then this issue.
Loving node.js so far but this is probably stopping some people from trying it out

@othiym23
Copy link
Author

@xorcus That's actually what the prefix is set to, so I've updated my original comment to reflect that fact.

@hex64dbg
Copy link

Just installed 10.35 x64 on Windows 8.1 and the issue is still there even with an admin command prompt. Just use the workaround from @ianchanning for now.

@Liam-Ryan
Copy link

Confirmed today as local Administrator on fresh install of server 2008 RC2. Created folder manually and ran elevated command prompt to work around it

piscisaureus pushed a commit to nodejs/node that referenced this issue Jan 12, 2015
Create the empty npm folder in Roaming\Appdata so that non-Administrator
users have a place to store global packages. This fixes the error Error:
ENOENT, stat error that occurs when a user tries to run the npm install
<package> command.

Bug: nodejs/node-v0.x-archive#8141
PR: nodejs/node-v0.x-archive#8838
Reviewed-by: Bert Belder <bertbelder@gmail.com>

Please enter the commit message for your changes. Lines starting
@aliteralmind
Copy link

" I ran into this same issue doing an installation on Windows 8.1 x64 using node-v0.10.31-x64.msi. For installation, the workaround was to create the $USERNAME\AppData\Roaming\npm directory after installation." (link)

Same here.

"It actually turned out the install had simply set the wrong PATH ENVIRONMENT VARIABLE so anything trying to run it wasn't able. It had a trailing slash...once I removed that everything worked fine. Hope that helps someone." (link)

My path had C:\applications\programming\javascript\nodejs\. I changed it to C:\applications\programming\javascript\nodejs, relogged in, and it still didn't work.

piscisaureus pushed a commit that referenced this issue Jul 1, 2015
Create the empty npm folder in Roaming\Appdata so that non-Administrator
users have a place to store global packages. This fixes the error Error:
ENOENT, stat error that occurs when a user tries to run the npm install
<package> command.

Bug: #8141
PR: #8838
Reviewed-by: Bert Belder <bertbelder@gmail.com>
piscisaureus pushed a commit that referenced this issue Jul 1, 2015
Create the empty npm folder in Roaming\Appdata so that non-Administrator
users have a place to store global packages. This fixes the error Error:
ENOENT, stat error that occurs when a user tries to run the npm install
<package> command.

Bug: #8141
PR: #8838
Reviewed-by: Bert Belder <bertbelder@gmail.com>
@BalaRavilla
Copy link

Try to find this .npmrc file in your user folder in c eg: C:\Users\baravill and make changes there as per the new instillation. Let me know if it works :)

misterdjules pushed a commit to misterdjules/node that referenced this issue Jul 16, 2015
Create the empty npm folder in Roaming\Appdata so that non-Administrator
users have a place to store global packages. This fixes the error Error:
ENOENT, stat error that occurs when a user tries to run the npm install
<package> command.

Bug: nodejs#8141
PR: nodejs#8838
Reviewed-by: Bert Belder <bertbelder@gmail.com>
@teckjon
Copy link

teckjon commented Feb 1, 2016

I have followed https://github.com/npm/npm/wiki/Troubleshooting#error-enoent-stat-cusersuserappdataroamingnpm-on-windows-7 for windows 7 installation but I still keep getting error 1909. I have created the c/users//appdata/roaming/npm and appdata/npm as other users have suggested. The installer however keeps rolling back undoing it's installation the moment it hits error 1909.

jBarz pushed a commit to ibmruntimes/node that referenced this issue Nov 4, 2016
Create the empty npm folder in Roaming\Appdata so that non-Administrator
users have a place to store global packages. This fixes the error Error:
ENOENT, stat error that occurs when a user tries to run the npm install
<package> command.

Bug: nodejs#8141
PR: nodejs#8838
Reviewed-by: Bert Belder <bertbelder@gmail.com>
@Trott Trott closed this as completed Apr 22, 2023
RafaelGSS pushed a commit to nodejs/node that referenced this issue Jun 20, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: nodejs-private/node-private#408
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-30585
denihs pushed a commit to meteor/node-v14-esm that referenced this issue Jun 22, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
denihs pushed a commit to meteor/node-v14-esm that referenced this issue Jun 22, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
denihs pushed a commit to meteor/node-v14-esm that referenced this issue Jun 22, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
erikolofsson pushed a commit to Malterlib/node that referenced this issue Jun 26, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
erikolofsson pushed a commit to Malterlib/node that referenced this issue Jun 26, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
denihs pushed a commit to meteor/node-v14-esm that referenced this issue Jun 26, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
Ceres6 pushed a commit to Ceres6/node that referenced this issue Aug 14, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-30585
Ceres6 pushed a commit to Ceres6/node that referenced this issue Aug 14, 2023
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-30585
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests