`supwd repair` removes globally installed npm packages [help]

I just started working with npm, and I have nvm installed (if that makes any difference). I ran sudo swupd update and sudo swupd repair and it started getting rid of a bunch of files with npm in their pathname. I let the command run to completion, and then verified that my global npm root (as per npm root -g) was in fact /usr/lib/node_modules/, an OS managed area. I’m not sure what I had installed globally (fingers crossed it didn’t break my build/runtime environment) but what are some tips on how to avoid this in the future? Perhaps I can have CL ignore certain paths (man stateless mentions default whitelisted /usr/ subpaths, but doesn’t provide guidance on how to add to this list)?

More generally, I can probably fix this one problem, but how should CL go about handling tools other than swupd that might write to a designated “OS” area under stateless? I, myself, have been good about following stateless rules to avoid my files being overwritten, but the tools I use might not be as discriminating.

Installing packages globally is a bad practice from my view.

Whenever possible, install packages locally. If something is really needed by multiple users on a system, its developers should learn to ship the package via distro’s package manager.

npm global installs are actually for when you want multiple projects to share a package. In npm, the default is installation for a directory, not for a user. This is usually some sort of utility package (like I think at one point I installed one that forces a major semver bump to all deps in order to quickly resolve dependency conflicts [which is bad practice, I know, just giving an example]). Node/npm docs and how-tos say to install certain things via npm globally. I understand the reasoning behind your answer, but the reality is I don’t have control over npm's packaging philosophy and I’m kinda stuck with using it in order to build my node.js website. I’ll keep this in mind, but suppose I’m forced to install something globally using npm. What should I do in order to preserve statelessness?

Maybe try
sudo npm set prefix -g /usr/local

I haven’t tried it myself. Maybe you need to put it in ~/.npmrc so it stay effective across sessions.

another option

sudo swupd repair --picky --picky-whitelist=/usr/lib/node_modules


I’ll show you what I did for yarn:

cat ~/.npmrc
ls $HOME/npm/node_modules/yarn/bin
yarn  yarn.cmd yarn.js  yarnpkg yarnpkg.cmd
alias yarn
alias yarn='~/npm/node_modules/yarn/bin/yarn'