On 08/07/2013 12:38, Daniel Kahn Gillmor wrote:
> On 07/08/2013 03:33 AM, Jérémy Lal wrote:
>> On 08/07/2013 05:08, Shawn Landden wrote:
>>
>>> I installed a few packages yesterday, and today realized npm was wasting 50M
>>> of my ram with copies of what it downloaded still in /tmp/npm-# folders
>
>
> I haven't tried to reproduce this yet, but it sounds to me like you
> might be saying that the names of the /tmp/npm-# folders might be
> predictably named (e.g. named after the process id). Is this the case?
> If so, has anyone considered the possibility of an attack via
> predictable paths in a world-writable directory?

I am curious about how `npm install mymodule` could be a target for an
attacker, especially considering the temp directory is used only once
(at (un)tar times).

>>> it should clean this up, put it in /var/cache, and/or have a command to
>>> clean up
>>
>> Issue reproduced.
>> As a quick workaround, you can create ~/tmp and npm will use that instead.
>> Otherwise i believe those leftovers are a bug.
>
> it's buggy if it doesn't clean up, regardless of which tmp directory it

This is what I meant by writing "issue reproduced".

> uses. and npm should probably be respecting $TMPDIR directly following
> the standard unix conventions, rather than just assuming that the
> magically-named ~/tmp is preferable to /tmp.

Agreed, the workaround I proposed is completely wrong, please read what
`man npm-config` says about TMPDIR instead.

Jérémy.

