Ubuntu
npm package

npm contains hardcoded certificate, so npm is not working anymore..

Bug #1760840 reported by Eero Volotinen on 2018-04-03

12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	npm (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

Hi,

Looks like npm contains hardcoded ca certificates that makes it nonworkable after
ssl updates on npm registry: see http://tinyurl.com/npm-bugs

apply fix from http://tinyurl.com/npm-bugs-patch to to config-defs.js to make it workable again, without disabling ssl security features

Eero

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: npm 1.3.10~dfsg-1
ProcVersionSignature: Ubuntu 4.4.0-31.50~14.04.1-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
Date: Tue Apr 3 14:38:14 2018
InstallationDate: Installed on 2018-04-03 (0 days ago)
InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
PackageArchitecture: all
SourcePackage: npm
UpgradeStatus: No upgrade log present (probably fresh install)

Tags:

Revision history for this message

Eero Volotinen (eero-volotinen) wrote on 2018-04-03:

#1

Dependencies.txt Edit (6.1 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (294 bytes, text/plain; charset="utf-8")

Revision history for this message

Eero Volotinen (eero-volotinen) wrote on 2018-04-03:

#2

bug affects on ubuntu 14.04.x that contains old npm version

Revision history for this message

Eero Volotinen (eero-volotinen) wrote on 2018-04-03:

#3

attachment.cgi?id=1416573 Edit (269.0 KiB, text/plain)

contains patch for rhel version, it might work with ubuntu :)

Revision history for this message

Eero Volotinen (eero-volotinen) wrote on 2018-04-03:

#4

npm ca update patch for rhel Edit (269.0 KiB, text/plain)

npm ca update patch for rhel. it might work on ubuntu too

Revision history for this message

Eero Volotinen (eero-volotinen) wrote on 2018-04-03:

#5

/usr/share/npm/node_modules/npmconf/config-defs.js contains code that need to be updated.

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2018-04-03:

#6

The attachment "attachment.cgi?id=1416573" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-22:

#7

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in npm (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.