Commit 1004268
msi: do not create AppData\Roaming\npm
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.
Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).
Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: nodejs-private/node-private#408
Backport-PR-URL: nodejs-private/node-private#430
Reviewed-By: Rich Trott <[email protected]>
CVE-ID: CVE-2023-305851 parent b77000f commit 1004268
1 file changed
+0
-12
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
76 | 76 | | |
77 | 77 | | |
78 | 78 | | |
79 | | - | |
80 | 79 | | |
81 | 80 | | |
82 | 81 | | |
| |||
107 | 106 | | |
108 | 107 | | |
109 | 108 | | |
110 | | - | |
111 | 109 | | |
112 | 110 | | |
113 | 111 | | |
| |||
266 | 264 | | |
267 | 265 | | |
268 | 266 | | |
269 | | - | |
270 | | - | |
271 | | - | |
272 | | - | |
273 | | - | |
274 | | - | |
275 | | - | |
276 | | - | |
277 | | - | |
278 | | - | |
279 | 267 | | |
280 | 268 | | |
281 | 269 | | |
| |||
0 commit comments