3

I'm trying to install npm and I found this solution. I run aptitude install npm and the suggested solution is

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl1.1 (= 1.1.1f-1ubuntu2) 
but 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 is installed

 Keep the following packages at their current version:



    

  1. libnode-dev [Not Installed]                        

    

    2. 

  2. libssl-dev [Not Installed]                         

    

    3. 

  3. node-gyp [Not Installed]                           

    

    4. 

  4. npm [Not Installed]                                




    

    5. 



Accept this solution? [Y/n/q/?]

It's basically suggesting to downgrade, but what impact would that have on my system if I downgrade libssl1.1 to libssl1.0?

Edit: this problem resulted after upgrading Ubuntu 18.04 to 20.04. Dan Scally's solution works and I also provided another option in the comments from launchpad where it's a bit more detailed for my particular situation.

Alex
  • 65

2 Answers2

7

It is a dependency issue

Since npm depends on node-gyp which depends on libnode-dev which depends on libssl-dev and here is the issue, libssl-dev depends on libssl1.1 versoin 1.1.1f-1ubuntu2 while you have a newer version libssl1.1 version 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1

So as workaround, you can go with Dan Scally's suggestion by downgrade from g to f as below

 sudo apt install libssl1.1=1.1.1f-1ubuntu2

Then you should be able to install npm

 sudo apt install npm

It is worked with me without issues.

Hazem
  • 137
5

It looks like you have libssl installed through a PPA rather than the usual Ubuntu sources. If you do apt search --names-only libssl it should confirm that. The suggestion is to downgrade from g to f, not from 1.1 to 1.0: the changes between those versions are listed here and seem to me to fairly minor:

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. (CVE-2020-1967) [Benjamin Kaduk]

*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added when building openssl for no-asm. Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME At this time this feature is by default disabled. It will be enabled by default in 3.0. [Bernd Edlinger]

Whether you're willing to accept that degraded capability for npm is up to you.

Dan Scally
  • 548
  • 4
  • 12