npm install -g —force clobbers system symlinks (e.g., ast-grep’s sg overwrites /usr/bin/sg → newgrp)
Diagnosis
npm’s --force flag overrides the EEXIST check. When a package ships a binary whose name collides with a system binary (ast-grep’s convenience sg vs system sg → newgrp switch-group command), npm silently replaces the system symlink with its own binary. No warning, no rollback. The system sg group command breaks silently until a user tries it.
Fix
Immediate fix after a —force install: run ls -la /usr/bin/<likely-collisions> and restore any overwritten symlinks (sudo rm /usr/bin/sg && sudo ln -s newgrp /usr/bin/sg). Prevention: (1) Prefer user-scope installs (npm i <pkg> without -g); (2) Install to custom prefix (npm i -g --prefix ~/.npm-global); (3) When you MUST —force, FIRST check what file will be overwritten (npm view <pkg> bin shows the binary names); (4) Use the package’s primary binary name only (e.g., ast-grep) and ignore shortcuts that collide. Verification after any —force install: grep system binaries known to have common names (sg, tr, cut, mv, test, time) against the just-installed package.
Related
- docker
- 2026-04-04-oracle-001-self-architecture-analysis
- nova-critical-learnings-consolidated
- salesforce
- openclaw
- npm-force-install-clobbers-system-symlinks-verify-after