use fs.lchown rather than fs.chown and thereby fix isaacs#14

fixes the symlinks problem isaacs#3 while not causing the TOCTOU vulnerability isaacs#14 The [patch in libuv 1.21.0](https://github.com/libuv/libuv/releases/tag/v1.21.0) that undeprecates `fs.lchown` [has been incorporated in nodejs Version 10.6.0](https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#2018-07-04-version-1060-current-targos). So I specified the minimum nodejs version in `package.json` with the `engine` key: https://docs.npmjs.com/files/package.json#engines
simevo · Aug 10, 2018 · 3bd6861 · 3bd6861
1 parent c6c4384
commit 3bd6861
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 10 deletions.
diff --git a/chownr.js b/chownr.js
@@ -15,19 +15,12 @@ function chownr (p, uid, gid, cb) {
     , errState = null
     children.forEach(function (child) {
       var pathChild = path.resolve(p, child);
-      fs.lstat(pathChild, function(er, stats) {
-        if (er)
-          return cb(er)
-        if (!stats.isSymbolicLink())
-          chownr(pathChild, uid, gid, then)
-        else
-          then()
-        })
+      chownr(pathChild, uid, gid, then)
     })
     function then (er) {
       if (errState) return
       if (er) return cb(errState = er)
-      if (-- len === 0) return fs.chown(p, uid, gid, cb)
+      if (-- len === 0) return fs.lchown(p, uid, gid, cb)
     }
   })
 }

diff --git a/package.json b/package.json
@@ -19,5 +19,6 @@
   "scripts": {
     "test": "tap test/*.js"
   },
-  "license": "ISC"
+  "license": "ISC",
+  "engines": { "node" : ">=10.6.0" }
 }