[Pkg-javascript-devel] Bug#715325: npm: leaves lots of stuff in /tmp

Jérémy Lal kapouer at melix.org
Mon Jul 8 11:55:40 UTC 2013


On 08/07/2013 12:38, Daniel Kahn Gillmor wrote:
> On 07/08/2013 03:33 AM, Jérémy Lal wrote:
>> On 08/07/2013 05:08, Shawn Landden wrote:
>>
>>> I installed a few packages yesterday, and today realized npm was wasting 50M
>>> of my ram with copies of what it downloaded still in /tmp/npm-# folders
> 
> 
> I haven't tried to reproduce this yet, but it sounds to me like you
> might be saying that the names of the /tmp/npm-# folders might be
> predictably named (e.g. named after the process id).  Is this the case?
>  If so, has anyone considered the possibility of an attack via
> predictable paths in a world-writable directory?

I am curious about how `npm install mymodule` could be a target for an attacker,
especially considering the temp directory is used only once (at (un)tar times).


>>> it should clean this up, put it in /var/cache, and/or have a command to clean up
>>
>> Issue reproduced.
>> As a quick workaround, you can create ~/tmp and npm will use that instead.
>> Otherwise I believe those leftovers are a bug.
> 
> It's buggy if it doesn't clean up, regardless of which tmp directory it

This is what I meant by writing "issue reproduced".

> uses.  And npm should probably be respecting $TMPDIR directly following
> the standard unix conventions, rather than just assuming that the
> magically-named ~/tmp is preferable to /tmp.

Agreed, the workaround I proposed is completely wrong,
please read what `man npm-config` says about TMPDIR instead.

Jérémy.
