doyensec / electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.
Apache License 2.0

`releases.$etag.json` is saved in the current path of execution in global installations #54

Closed phosphore closed 4 years ago

phosphore commented 5 years ago

In global installations performed via npm, the releases file should be saved in its corresponding global library path (see the `npm list -g` output), not the current path of execution. Not a breaking bug, but not something we want to keep for too long either.

jeremy commented 4 years ago

Double checking, is this intended to go in the base dir or in the lib/ dir?

I'm seeing an attempt to write a new file in /usr/local on my macOS install, which is prohibited by System Integrity Protection:

```
Fetching Electron's new releases, this may take a while...
(node:6400) UnhandledPromiseRejectionWarning: Error: EACCES: permission denied, open '/usr/local/releases.b33f66280cd3ca8238cc7e6767075ed7245ca80b.json'
    at Object.openSync (fs.js:440:3)
    at Object.writeFileSync (fs.js:1265:35)
    at AvailableSecurityFixesGlobalCheck.updateReleasesList (/usr/local/lib/node_modules/@doyensec/electronegativity/dist/finder/checks/GlobalChecks/AvailableSecurityFixesGlobalCheck.js:260:22)
```

(Not familiar with conventions here, but is there a "blessed" place to store files like this? share/ ?)

phosphore commented 4 years ago

The releases file is only used for caching and we are currently saving it to the project folder. This is why you are getting the warning when SIP is enabled, since the default npm global installation directory is /usr/local/share/npm/bin on macOS. Another solution would be simply using the npm cache (default: ~/.npm on POSIX, or %AppData%/npm-cache on Windows) or the temporary files folder (which defaults to the TMPDIR, TMP, or TEMP environment variables, or /tmp on Unix and c:\windows\temp on Windows).

I'll re-open this for now, taking a closer look at it next week. Thanks for reporting it! (PRs are always super-well received!)

phosphore commented 4 years ago

Closing because of f9a43299b1d2418b86c51f27f0f53b8ef4c6ce14, thanks for the improvement!