This is why I will never install an npm module with sudo or globally with -g
You can get around that requirement by having a specific location set aside for global modules (I use ~/.config/node/node_modules) and then putting the node_modules/bin directory in your path. Install anything there that some bone-headed project thinks you should install globally (mocha, grunt, serverless, etc.)
Also, I'm not disagreeing with the post at all, but there is at least one important distinction between piping curl output into bash and that is the expectation of what will happen after running the command.
Piping the output of curl into bash can result in absolutely anything happening, just like running a script you've never looked at.
Running `npm install` or `yarn install` _should_ just install the NPM module, possibly build a native module, and not much else. There are numerous cases of NPM modules doing other things they shouldn't, and I'd argue invoking a compiler to build a native module is one of them too, but there is at least an intention of what will occur. NPM is not alone in this regard either.
RPMs can execute arbitrary commands too (though coming from your distribution they will be vetted and signed), so can Make, but there are some expectations around what they will and will not do. With curl/bash anything is fair game as to what to expect.
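The per-user global prefix described in the comment above, as an added example that is not from the original thread. It assumes npm's `prefix` setting, under which `-g` packages land in `$prefix/lib/node_modules` and their executables in `$prefix/bin`, so nothing outside the user's home directory is ever written and `sudo` is never needed; the prefix and `.npmrc` paths are parameters so it can be tried against a scratch directory.

```shell
# Configure an unprivileged npm "global" prefix so `npm install -g`
# writes only inside the caller's home directory and never needs sudo.
# Usage: setup_user_npm_prefix [PREFIX] [NPMRC]
#   PREFIX defaults to ~/.config/node, NPMRC to ~/.npmrc (assumed layout)
setup_user_npm_prefix() {
  prefix="${1:-$HOME/.config/node}"
  npmrc="${2:-$HOME/.npmrc}"

  # Directories npm populates under a custom prefix.
  mkdir -p "$prefix/bin" "$prefix/lib/node_modules"

  # Persist the prefix for npm; replace an existing line rather than
  # appending a duplicate so repeated runs stay idempotent.
  if grep -q '^prefix=' "$npmrc" 2>/dev/null; then
    sed -i "s|^prefix=.*|prefix=$prefix|" "$npmrc"
  else
    printf 'prefix=%s\n' "$prefix" >> "$npmrc"
  fi

  # Put the prefix's bin directory on PATH once (for this shell; add the
  # same line to your shell profile to make it permanent).
  case ":$PATH:" in
    *":$prefix/bin:"*) ;;
    *) PATH="$prefix/bin:$PATH"; export PATH ;;
  esac

  printf '%s\n' "$prefix"
}

# True when the prefix is owned and writable by the current user, i.e. a
# global install there cannot require elevated privileges.
prefix_is_user_writable() {
  [ -d "$1" ] && [ -O "$1" ] && [ -w "$1" ]
}
```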