mirror of
https://github.com/zebrajr/node.git
synced 2026-01-15 12:15:26 +00:00
0ae8bf8dbc
This effectively revertse431cae7e7due to security concerns. The directory is being created with elevated privileges but its path may depend on an unprivileged user's environment variables. Creating a directory in certain sensitive locations can cause Windows to become inoperable. Creating AppData\Roaming\npm was an intentional addition in order to resolve https://github.com/nodejs/node-v0.x-archive/issues/8141, which appears to have been a common issue for users of npm. However, this was implemented before4cfe5eb9af, which changed the MSI installation scope to perMachine. There were concerns about creating the npm directory in that PR, albeit not related to security (see https://github.com/nodejs/node-v0.x-archive/pull/25640). Refs: https://github.com/nodejs/node-v0.x-archive/issues/8141 Refs: https://github.com/nodejs/node-v0.x-archive/pull/8838 Refs: https://github.com/nodejs/node-v0.x-archive/pull/25640 PR-URL: https://github.com/nodejs-private/node-private/pull/408 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2023-30585