- Sponsor
-
Notifications
You must be signed in to change notification settings - Fork 29
help with potential security issue in chowner #113
Comments
this isn't really a bug in cacache, and I think Debian made the choice to cause its own pain in the neck with the way it packages npm, so I'm just gonna close this as Someone Else's Problem™ |
@zkat that is wishful thinking. It has nothing to do with debian, just that we found the issue and want to fix it. Are you saying bugs in the dependencies of cacache don't affect cacache? The bug is present even if installed via npmjs.com. If look at the recent comment on the original bug report isaacs/chownr#14 (comment) you will this, the bug is now actually getting fixed in nodejs itself. |
@pravi It's not that it doesn't affect cacache, but that I find it obnoxious for folks to make duplicate issues in multiple repositories when the issue is already being discussed and addressed in its intended place. I'll bump chownr when it's been fixed on that end. Otherwise, I consider this issue to be a duplicate of the one in the chownr repo |
@zkat this was a call for help |
@pravi I'm not a Debian maintainer, and there's literally nothing I'm gonna do except... tell the person who's already aware of the issue that the issue exists. I don't appreciate trying to apply additional pressure like this. |
@zkat okay noted, I won't bother you in future about any issues in any of the dependencies. Since I don't know much of JavaScript I always have to ask others who know more JavaScript than me. My intention to ask here was only because I thought you were affected as well by this bug. As I already said, this was not specific to Debian and only found in Debian. More than applying pressure, since chownr is also Free Software, you could have actually fixed it as well. In many cases I got such help were other people sent pull requests when I asked for help. The beauty of Free Software is in its power of allowing anyone to fix any issues if there is an interest. |
This was reported long back, but without a response from its original maintainer isaacs/chownr#14
It would be good if some of you can help fix this issue or at least confirm the issue is not serious as it affects cacache as well and it is blocking us from packaging cacache for debian.
The text was updated successfully, but these errors were encountered: