[Pkg-javascript-devel] Bug#715325: [oss-security] npm uses predictable temporary filenames when unpacking tarballs

2013-07-11 Thread Kurt Seifried
On 07/10/2013 02:04 PM, Daniel Kahn Gillmor wrote: On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote: hi oss-sec folks-- i recently learned that npm, the node.js language-specific package manager, created predictable temporary directory names in

[Pkg-javascript-devel] Bug#715325: [oss-security] npm uses predictable temporary filenames when unpacking tarballs

2013-07-10 Thread Daniel Kahn Gillmor
On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote: hi oss-sec folks-- i recently learned that npm, the node.js language-specific package manager, created predictable temporary directory names in a world-writable filesystem (/tmp) by default when unpacking archives. It looks like this