[Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
On 07/10/2013 12:11 PM, Jérémy Lal wrote:
> The security issue is fixed there:
> https://github.com/isaacs/npm/commit/f4d31693
> this will eventually come to npm debian package.

Thanks for the followup on this, Jérémy!

I confess I'm kind of amazed that node doesn't have any primitive like mkstemp(3), or if it does, that npm isn't using such a primitive.

Has a CVE been requested or assigned for this yet? I'd be happy to make the request if you think that would be useful.

regards,

--dkg

___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
On 10/07/2013 18:59, Daniel Kahn Gillmor wrote:
> I notice that your message was sent privately to me, ../..
> feel free to post copies of it to the BTS.

My mistake.

> On 07/10/2013 12:31 PM, Jérémy Lal wrote:
>> On 10/07/2013 18:17, Daniel Kahn Gillmor wrote:
>>> I confess I'm kind of amazed that node doesn't have any primitive like
>>> mkstemp(3), or if it does, that npm isn't using such a primitive.
>>
>> Using a module: https://github.com/bruce/node-temp
>
> heh. and npm can't rely on that because the only way to install it is
> with npm itself, lovely :/

No, it's perfectly fine for npm to depend on a number of modules, since npm tarball contains its own node_modules. Upstream npm is relatively open to patches that separate functions in a module, and node-temp seems well maintained.

>>> Has a CVE been requested or assigned for this yet? I'd be happy to make
>>> the request if you think that would be useful.
>>
>> I'm going to upload latest nodejs/npm to unstable this summer,
>> not so sure a CVE is worth it.
>
> I appreciate your staying on top of the uploads. I'm not sure how that
> relates to the relevance or worth of a CVE for the issue, though. I'll
> go ahead and request one unless there is a strong reason not to.

Okay.

Jérémy.
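The mkstemp(3) behaviour asked about in the two messages above, sketched with Node.js built-ins only, as an added example that is not part of the thread and is neither npm's fix nor node-temp's API. The names `mkstempSync`, `withTempDir` and `demo` and the `example-`/`pkg-` prefixes are hypothetical; `fs.mkdtempSync` and `fs.rmSync` are assumed to be available, as they are in current Node.js releases.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// mkstemp(3)-style file creation: the name is random, O_EXCL makes open()
// fail if anything (file or symlink) already exists at that path, and
// mode 0600 keeps other local users from reading or writing the file.
function mkstempSync(prefix, dir = os.tmpdir(), attempts = 10) {
  const flags = fs.constants.O_RDWR | fs.constants.O_CREAT | fs.constants.O_EXCL;
  for (let i = 0; i < attempts; i++) {
    const name = path.join(dir, prefix + crypto.randomBytes(6).toString('hex'));
    try {
      return { fd: fs.openSync(name, flags, 0o600), path: name };
    } catch (err) {
      if (err.code !== 'EEXIST') throw err; // name already taken: try another
    }
  }
  throw new Error('mkstempSync: no free name after ' + attempts + ' attempts');
}

// Private scratch directory: fs.mkdtempSync appends random characters to the
// prefix and creates the directory with mode 0700. The finally block removes
// it even when fn throws, so nothing is left behind in the temp directory.
function withTempDir(prefix, fn) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  try {
    return fn(dir);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Constructed usage: write sample data into a private file inside a private
// directory and report the permission bits that were actually applied.
function demo() {
  return withTempDir('example-', (dir) => {
    const tmp = mkstempSync('pkg-', dir);
    fs.writeSync(tmp.fd, 'constructed sample data');
    const fileMode = fs.fstatSync(tmp.fd).mode & 0o777;
    fs.closeSync(tmp.fd);
    const dirMode = fs.statSync(dir).mode & 0o777;
    return { dir, file: tmp.path, fileMode, dirMode };
  });
}
```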
[Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
On 08/07/2013 05:08, Shawn Landden wrote:
> Package: npm
> Version: 1.2.18~dfsg-3
> Severity: normal
>
> I installed a few packages yesterday, and today realized npm was wasting
> 50M of my RAM with copies of what it downloaded still in /tmp/npm-# folders
>
> it should clean this up, put it in /var/cache, and/or have a command to
> clean up

Issue reproduced.

As a quick workaround, you can create ~/tmp and npm will use that instead.

Otherwise I believe those leftovers are a bug.

Jérémy.