cordova-docs: Docs should not encourage global npm installation
Currently the docs say to run `sudo npm install -g cordova`, which is not great from a best practices standpoint. We should never encourage running npm with sudo because of permissions problems, and npm recommends not installing anything globally if it can be helped.

We should update our documentation to use `npx cordova` instead (npx requires npm >=5.2.0), and add cordova as a devDependency to our hello-world project template.
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 5
- Comments: 24 (20 by maintainers)
Worth revisiting this issue? People have been saying for years not to use sudo for global npm installations because it can allow unknown install scripts to run as root on your dev machine (presumably for anything in the dependency tree for your install target). I was fairly surprised to see it in official cordova docs.

Even just removing `sudo` from instructions would be an improvement, putting aside arguments for/against npx.

I think if you locally install Cordova per project, then there is no performance overhead when using npx to run the cordova command.

I don't think we should be recommending `npx` to users because it incurs a heavy performance overhead, relaxes security, and increases the number of points of failure at each invocation of `cordova`.

Agreed 100%. npm also has guides for installing npm in a way where it doesn't require sudo access, which we could have a note linking to on our Setup page. There is already a note on how to get sudo-less access, but it links to a non-existent page currently.

Now npx asks if you want to install the package before executing the command (if it's not already installed), so if you mistype the command it won't run anything unless you approve installing the mistyped package.
I am also not so enthusiastic about directing people to use `npx cordova`, for multiple reasons.

I think the Cordova CLI is a bit big for this kind of usage, especially at the stage when someone starts a new Cordova project.

The Cordova CLI behavior can change over time; a major one has been what is configured in `config.xml` vs `package.json`, which does not seem to be as consistently synchronized starting with Cordova 9.

It also seems to be a bit extra to type out for every operation that is done on the project.

I think it would be ideal if we could find a way to break the Cordova CLI into smaller, simpler tools, just like someone could do `create-react-app` or `react-native init` and then use npm package scripts to do the rest.

P.S. I would favor that we document in 1 or 2 places that the app developer can always do `npx cordova` in place of `cordova` if s/he does not want to use a global Cordova CLI installation. I think this should be pretty clear.

@janpio I usually have only a single-version node setup on my machine and use `npx` to test with other versions if necessary. But AFAIK `nvm` is completely installed to the user's home dir by default, and that's a good thing IMHO.

But I don't think that we should go into any detail regarding the user's Node.js setup in our docs. I'd prefer a link to some comprehensive resource on the topic.
@janpio I suppose because for most default setups you need root access to install npm packages globally. This is widely considered a bad idea, though. Instead you should set up npm to install global packages to your home folder, for example. Other than that, `sudo` is still mainly an Ubuntu thing, or am I mistaken?

Anyway, I was suggesting the following:

Inform the user once about his options on how to install `cordova`:
`cordova` you have to run `npx cordova` to use the local version)

Afterwards, don't worry about mentioning `npx` anywhere and everywhere, but only refer to `cordova`. I hope I have made myself clearer now.
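The issue body proposes dropping `sudo npm install -g cordova` in favour of a per-project install run through `npx` (which needs npm >= 5.2.0), and the comment above suggests pointing npm's global prefix at the user's home directory instead of using sudo. The script below is an added example written for this page; it is not code from cordova-docs or from npm. It checks, on the machine it runs on, whether a global install would actually need root (is the prefix that `npm config get prefix` reports writable by the current user?) and whether the installed npm is new enough to ship `npx`, and prints the user-prefix commands when sudo would otherwise be needed. The function names `version_ge`, `global_prefix_writable`, `user_prefix_commands` and `report_npm_setup` are hypothetical helpers; `npm --version`, `npm config get prefix` and `npm config set prefix` are the only real npm commands used.

```shell
#!/bin/sh
# Added example for this thread, not part of cordova-docs or npm itself.
# Answers two questions before anyone types `sudo npm install -g cordova`:
#   1. Is npm's global prefix writable by me, or would a global install need root?
#   2. Is npm >= 5.2.0, i.e. does it ship `npx`, so a per-project install works?
# Helper names are hypothetical; only `npm --version`, `npm config get prefix`
# and `npm config set prefix` are real npm commands.

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
# Compares up to three numeric components; a pre-release suffix such as
# "5.2.0-beta" is dropped before comparing.
version_ge() {
  have=$1
  want=$2
  old_ifs=$IFS
  IFS=.
  set -- $have
  h1=${1:-0}; h2=${2:-0}; h3=${3:-0}; h3=${h3%%-*}
  set -- $want
  w1=${1:-0}; w2=${2:-0}; w3=${3:-0}; w3=${w3%%-*}
  IFS=$old_ifs
  [ "$h1" -gt "$w1" ] && return 0
  [ "$h1" -lt "$w1" ] && return 1
  [ "$h2" -gt "$w2" ] && return 0
  [ "$h2" -lt "$w2" ] && return 1
  [ "$h3" -ge "$w3" ]
}

# global_prefix_writable PREFIX: succeed when `npm install -g` could write under
# PREFIX without sudo. On Unix npm unpacks global packages into
# PREFIX/lib/node_modules and links their binaries into PREFIX/bin, so both must
# be writable; if npm has never created one yet, the prefix itself must be.
global_prefix_writable() {
  prefix=$1
  for sub in lib/node_modules bin; do
    if [ -d "$prefix/$sub" ]; then
      [ -w "$prefix/$sub" ] || return 1
    else
      [ -w "$prefix" ] || return 1
    fi
  done
  return 0
}

# user_prefix_commands: print the commands that move the global prefix into
# $HOME, the sudo-free setup the thread recommends over `sudo npm install -g`.
user_prefix_commands() {
  cat <<'EOF'
mkdir -p "$HOME/.npm-global"
npm config set prefix "$HOME/.npm-global"
export PATH="$HOME/.npm-global/bin:$PATH"   # also add this line to ~/.profile
EOF
}

# report_npm_setup: run the live checks against the npm found on PATH.
report_npm_setup() {
  npm_version=$(npm --version)
  prefix=$(npm config get prefix)
  if version_ge "$npm_version" 5.2.0; then
    echo "npm $npm_version ships npx: a per-project install plus 'npx cordova' works"
  else
    echo "npm $npm_version predates npx (5.2.0): upgrade npm before relying on 'npx cordova'"
  fi
  if global_prefix_writable "$prefix"; then
    echo "global prefix $prefix is writable: 'npm install -g cordova' needs no sudo"
  else
    echo "global prefix $prefix is NOT writable: a global install would need sudo. Instead:"
    user_prefix_commands
  fi
}

if command -v npm >/dev/null 2>&1; then
  report_npm_setup
else
  echo "npm not found on PATH; skipping live check"
fi
```

The writability check is what decides whether sudo is in play at all: a distribution-packaged node typically reports `/usr` or `/usr/local` as the prefix, which is root-owned, whereas a prefix under `$HOME` (or one managed by nvm, which the comment above notes installs entirely into the home directory) never needs elevation, and install scripts then run only with the user's own privileges.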
I'd suggest presenting both alternatives:

And then just keep using plain `cordova` throughout the docs.

Closing as completed: #1313

The guide was updated and `sudo` removed. However, we left a brief explanation of when sudo might still be needed. At the end, we said it is recommended to use a version manager to avoid using sudo and the potential consequences associated with sudo.