
FS#59676 - [grunt-cli] Package contains world-writable directories

Attached to Project: Community Packages
Opened by David (auscompgeek) - Thursday, 16 August 2018, 08:52 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 16 August 2018, 13:32 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

The grunt-cli package contains a number of world-writable directories.
These include /usr/lib/node_modules/grunt-cli/ and various subdirectories in /usr/lib/node_modules/grunt-cli/node_modules/.

I only noticed this after I got a couple of warnings when updating the grunt-cli package today.
There are more that have apparently been there for a while...


Additional info:

pacman output:

( 7/26) upgrading grunt-cli
warning: directory permissions differ on /usr/lib/node_modules/grunt-cli/
filesystem: 755 package: 777
warning: directory permissions differ on /usr/lib/node_modules/grunt-cli/node_modules/abbrev/
filesystem: 755 package: 777

Closed by Eli Schwartz (eschwartz)
Thursday, 16 August 2018, 13:32 GMT
Reason for closing: Fixed
Additional comments about closing: grunt-cli 1.3.0-2

Comment by Eli Schwartz (eschwartz) - Thursday, 16 August 2018, 13:31 GMT
npm as a technology is completely broken, see: https://github.com/npm/npm/issues/9359

It non-deterministically installs directories with world-writable permissions. :(

A fixed package has been pushed to community; ideally this should be done in all PKGBUILDs utilizing npm.
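
A packaging-time check for the problem reported above, as an added example (not the change made in grunt-cli 1.3.0-2 and not code from this task): it lists world-writable directories in a staged package tree and strips the group/other write bits from them. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find and fix world-writable directories in a staged
# package tree. Function names and the sample tree are constructed.

# Print every directory under $1 that has the "other" write bit set.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Number of such directories (assumes no newlines in path names).
count_world_writable_dirs() {
    list_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Strip group/other write from the offending directories only, so a
# 777 directory becomes 755 and deliberately stricter modes are kept.
fix_world_writable_dirs() {
    find "$1" -type d -perm -0002 -exec chmod go-w {} +
}

# Gate for a build script: non-zero status if any remain.
check_package_tree() {
    n=$(count_world_writable_dirs "$1")
    if [ "$n" -ne 0 ]; then
        echo "error: $n world-writable directories under $1" >&2
        list_world_writable_dirs "$1" >&2
        return 1
    fi
}

# Constructed tree mirroring the paths in the pacman warnings.
# Runs in a subshell so the umask change stays local.
demo() (
    umask 022
    root=$(mktemp -d)
    mod="$root/usr/lib/node_modules/grunt-cli"
    mkdir -p "$mod/node_modules/abbrev" "$mod/bin"
    chmod 777 "$mod" "$mod/node_modules/abbrev"
    before=$(count_world_writable_dirs "$root")
    fix_world_writable_dirs "$root"
    after=$(count_world_writable_dirs "$root")
    rm -rf "$root"
    echo "$before $after"
)

demo   # prints "2 0": two 777 directories before, none after
```

In a build script, check_package_tree would be pointed at the staging directory after the npm install step so the build fails instead of shipping 777 directories.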
